MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c7cedb95836f41cb10d2f6a87d10c9eb68e643359e2d2fa1c3029b43a971b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c7cedb95836f41cb10d2f6a87d10c9eb68e643359e2d2fa1c3029b43a971b4f
SHA3-384 hash: cbab0c4e339260c4823c96a57c0e965d5ffc9eb034667d0f610c994a1738a3a570d1cdf34f31fbb4608c0debbac7cca6
SHA1 hash: b4b6ae1e349e02d8fda4eee999cdbda18ca78fda
MD5 hash: f839b45cde430422fdadf7c1748f1d1f
humanhash: mango-eleven-yankee-fix
File name:RINI - BP220097.exe
Download: download sample
Signature BluStealer
Create hunting rule
File size:936'960 bytes
First seen:2022-06-23 08:57:34 UTC
Last seen:2022-06-27 09:35:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:nQkPRrhOVQU/hpQXrlS+GmUpyOzzYysZxXmrIFTsjhwOzVkTQ:QkeVQU/kXRhbUplzvsZdFTShXpkTQ
Threatray 1'380 similar samples on MalwareBazaar
TLSH T1D01523D022F843DAEADADBFB24ECD6041F34A00895C4D95FB8A620DAFD517E188917D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 02616868e0e4e800 (8 x Formbook, 7 x Loki, 4 x AgentTesla)
Reporter GovCERT_CH
Tags:BluStealer exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282583/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62b42b1c78c72835188c05b5/reports/e868dca4-3da7-462b-90e7-43138aa9ac4d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b6e1550-bd75-47a2-b118-5d079485bd26
Result
Threat name:
BluStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1018524
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected BluStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651020 Sample: RINI - BP220097.exe Startdate: 23/06/2022 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected BluStealer 2->40 42 8 other signatures 2->42 6 firebreaks.exe 3 2->6         started        9 RINI - BP220097.exe 3 2->9         started        12 firebreaks.exe 2 2->12         started        process3 file4 44 Multi AV Scanner detection for dropped file 6->44 46 Machine Learning detection for dropped file 6->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->48 52 2 other signatures 6->52 14 firebreaks.exe 1 6->14         started        18 firebreaks.exe 6->18         started        28 C:\Users\user\...\RINI - BP220097.exe.log, ASCII 9->28 dropped 20 RINI - BP220097.exe 4 12 9->20         started        22 RINI - BP220097.exe 9->22         started        50 Injects a PE file into a foreign processes 12->50 24 firebreaks.exe 12->24         started        26 firebreaks.exe 12->26         started        signatures5 process6 file7 30 C:\Users\Public\...\firebreaks.exe, PE32 14->30 dropped 54 Tries to harvest and steal browser information (history, passwords, etc) 14->54 56 Tries to steal Crypto Currency Wallets 14->56 32 C:\Users\Public\...\sqlite3.dll, PE32 20->32 dropped 34 C:\Users\Public\...\SQLite3_StdCall.dll, PE32 20->34 dropped signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c7cedb95836f41cb10d2f6a87d10c9eb68e643359e2d2fa1c3029b43a971b4f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 02:11:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fr6o3okyg32bzminf5vipuimt23i4zbtlhrnf6q4gau3iouxdnhq._file
Verdict:
malicious
Similar samples:
3f451fdd5185ccea1db515d38890b1ceb3df83ff5234d1fa9d02d55e37dc9da3
BluStealer
4068367bc59ad89c43c9024b63d4057942626c13d4cb4233ba14218a5f1d2ee8
BluStealer
43c7a6a2753a823e9588d72776b4a660d33b8890414fff82d6741132346d8abb
BluStealer
6763e49817ea21780b5ef91de68800096ffdfe15d460fdae711bfb57f94c9def
BluStealer
6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568
BluStealer
76dc51c2ea31d175e7bcc427655232e875b718309b444d8e6730834424faea0e
BluStealer
7db93b2a8d85934f23c15b78a321dc71dcac4cb146d9dbe8df3d22c5d91fdad1
BluStealer
8cf4d9a55d80942fbdf18648f7fa01768efc4783b439503d39d9ef98a85fb193
BluStealer
b1b617a8548ffc045b300542b71fbf05496d6c7eef5e1ffdf66a596b012667ae
BluStealer
c2aa6f1c088f58989849749905fd795eb7bf920d6482fcb49bf3a3a3d0d7c8ca
BluStealer
+ 1'370 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer stealer
Link:
https://tria.ge/reports/220623-kw59yscdcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
BluStealer
Unpacked files
SH256 hash:
6ea6c3c28b0261c1c793234763551dd7e84c81c12cc43751f85cd79d352bf52d
MD5 hash:
cd8c2284c40770e409382bc4e71a0925
SHA1 hash:
9f734930d46e05954a5c14228e00fcd191d458fb
Link:
https://www.unpac.me/results/6ccca68c-92e2-419e-b3e8-c5048b5bf8fa/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/6ccca68c-92e2-419e-b3e8-c5048b5bf8fa/
SH256 hash:
844929d347b7af5f31c1d893d3f814624252c2b90eb6ef000e52d9538fca1e27
MD5 hash:
5ee01952396cb500bbbb0fbe4e839985
SHA1 hash:
b2dd9fa837a10d713de97f759b5d311ebb30ecf3
Link:
https://www.unpac.me/results/6ccca68c-92e2-419e-b3e8-c5048b5bf8fa/
SH256 hash:
cbd18c08152928c2b61d2db9a4b38fad2057a4b35420f21e3a9c85d95c5520ed
MD5 hash:
d758d28247bea73c05e89541e0e95c3d
SHA1 hash:
69f4addbf498b78c5349f70a69e46819a833cef2
Link:
https://www.unpac.me/results/6ccca68c-92e2-419e-b3e8-c5048b5bf8fa/
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/6ccca68c-92e2-419e-b3e8-c5048b5bf8fa/
SH256 hash:
2c7cedb95836f41cb10d2f6a87d10c9eb68e643359e2d2fa1c3029b43a971b4f
MD5 hash:
f839b45cde430422fdadf7c1748f1d1f
SHA1 hash:
b4b6ae1e349e02d8fda4eee999cdbda18ca78fda
Link:
https://www.unpac.me/results/6ccca68c-92e2-419e-b3e8-c5048b5bf8fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/2c7cedb95836f41cb10d2f6a87d10c9eb68e643359e2d2fa1c3029b43a971b4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BluStealer

Executable exe 2c7cedb95836f41cb10d2f6a87d10c9eb68e643359e2d2fa1c3029b43a971b4f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/282583/

Comments