MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c
SHA3-384 hash: 2b2306c53d5542c937bb83f6caa5b1787becbdc24994af7ea743348b33e89cc00a2701d5821ac90d355f893fa9a58727
SHA1 hash: 511e1e3646ad2ca0012709c56544ca9497b969e0
MD5 hash: 235c2d00b691656b63a715eac1e7511b
humanhash: angel-william-summer-mirror
File name:Request for Quotation.exe
Download: download sample
Signature BluStealer
Create hunting rule
File size:1'428'480 bytes
First seen:2023-05-08 13:29:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'612 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:AR8UY0b6vrCWFHojNYhS8vE1BiCJQwcGJVdOeyYZ3pnFchs1D3x3PWh:28emvrCmIjNYJv+BxHcGJy+3pnFcWpNP
Threatray 22 similar samples on MalwareBazaar
TLSH T15265232572F2CAD7E85944F44A3CB05816767197E4D1EAE83FB3440D9FEAF406E80A4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 285430d4d0305428 (10 x Loki, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter threatcat_ch
Tags:BluStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 13:31:05 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/09ce9741-dfb4-43cf-be6e-34ef728185db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387551/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6458f95b1c5e67171207416d/reports/c1fb9265-ff0a-4311-a235-9a42797b11f0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/28e12d03-4a51-4d91-93d0-d39a8b1108fe
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228296
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found malware configuration
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 861261 Sample: Request_for_Quotation.exe Startdate: 08/05/2023 Architecture: WINDOWS Score: 100 45 xlfhhhm.biz 2->45 47 saytjshyf.biz 2->47 55 Tries to download HTTP data from a sinkholed server 2->55 57 Snort IDS alert for network traffic 2->57 59 Found malware configuration 2->59 61 12 other signatures 2->61 8 Request_for_Quotation.exe 3 2->8         started        11 FXSSVC.exe 14 5 2->11         started        14 perfhost.exe 2->14         started        16 16 other processes 2->16 signatures3 process4 dnsIp5 37 C:\Users\...\Request_for_Quotation.exe.log, ASCII 8->37 dropped 19 Request_for_Quotation.exe 1 8 8->19         started        24 Request_for_Quotation.exe 8->24         started        77 Antivirus detection for dropped file 11->77 79 Machine Learning detection for dropped file 11->79 39 xlfhhhm.biz 173.231.189.15, 49734, 80 VOXEL-DOT-NETUS United States 16->39 41 cvgrf.biz 206.191.152.58, 49700, 49715, 80 VOXEL-DOT-NETUS United States 16->41 43 14 other IPs or domains 16->43 81 Creates files inside the volume driver (system volume information) 16->81 file6 signatures7 process8 dnsIp9 49 pywolwnvd.biz 173.231.184.122, 49698, 49699, 49714 VOXEL-DOT-NETUS United States 19->49 51 api.telegram.org 149.154.167.220, 443, 49713, 49716 TELEGRAMRU United Kingdom 19->51 53 14 other IPs or domains 19->53 29 C:\Windows\System32\xbgmsvc.exe, PE32+ 19->29 dropped 31 C:\Windows\System32\wbengine.exe, PE32+ 19->31 dropped 33 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 19->33 dropped 35 34 other malicious files 19->35 dropped 63 Writes to foreign memory regions 19->63 65 Allocates memory in foreign processes 19->65 67 Drops executable to a common third party application directory 19->67 69 2 other signatures 19->69 26 AppLaunch.exe 2 19->26         started        file10 signatures11 process12 signatures13 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->71 73 Tries to steal Mail credentials (via file / registry access) 26->73 75 Tries to harvest and steal browser information (history, passwords, etc) 26->75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 06:25:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g5f5i34uzx2w5mtxl3bd6c3q5alzkqptjdpcswnevcc3r4rk7goa._file
Verdict:
malicious
Similar samples:
1d4eb9077c97b5ad001206eff72789b01386a2c253d34875fa1c1acb716e2e56
BluStealer
35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
BluStealer
59171f457fb4915d408fa293f0ca3cdfeb613a20d6fadc50ae88b1cf58f0b004
BluStealer
8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
BluStealer
90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f
BluStealer
b79720c1133b12a4ed824d20602fb14b0b736a1c0e60fe23c1b96d57ee031ba0
BluStealer
e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
BluStealer
e65641bdd1d31a37d1caa1cbf41d05fa9e7b0caf3c5b531ba66d32c0a3a94406
BluStealer
e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
BluStealer
f91550582e9e831cba0a8ee62a9a47b3f9a4f1f24e228353d6f5050bc1b52509
BluStealer
+ 12 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection spyware stealer
Link:
https://tria.ge/reports/230508-qrsqyscf4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Script User-Agent
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Reads user/profile data of web browsers
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Unpacked files
SH256 hash:
2b6bb9637f7134c2eccd8b4dc740d1445fac04710abc04f8823bce2b63042ac9
MD5 hash:
6fa615f675dd4a68b9a1d527effc5d80
SHA1 hash:
7901c4dad10c87456b8b06ec4bea3a50f822b934
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
f55f48d7e2d91778512eeb4149b99bacbff4d47bfd5faa5c565838c66d5b756f
MD5 hash:
afaf1bf8cfd1a957dc112cc58da52b2e
SHA1 hash:
bf53b464279b8e1a0f6d9167769ae0de37ba1831
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
b96a21432b9409e73f041605da587955f066f4657bd4db564ec1a85beae9a0cc
MD5 hash:
bf199875927ad73bbdda1e3037abbc2e
SHA1 hash:
9aff4d74e10242887aa885e6274cdfe1a93c4369
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
6e35e7e0b8d00ad3195de1c2061fee2e596d56d3439bfb830f492f05edcbd42c
MD5 hash:
4d57b281ee22a46dfaaff021653bedcf
SHA1 hash:
9a341d788752a530072c8e974d8076cd8c884ab3
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
9870dbb37050b9de21aa65dec30e7094bb34775e2b8a2ee5d37481ce924ecd5c
MD5 hash:
53cd50750accb95e275c7a00c43712e9
SHA1 hash:
b45c7fbb26bb2a25c746764b9ea2272b8227f8bc
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
SH256 hash:
374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c
MD5 hash:
235c2d00b691656b63a715eac1e7511b
SHA1 hash:
511e1e3646ad2ca0012709c56544ca9497b969e0
Link:
https://www.unpac.me/results/3999cd02-bc4f-4f0a-aaa2-7af72746635d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/374bd46f94cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Expiro
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BluStealer

Executable exe 374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c

(this sample)

  
Dropped by
BluStealer
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387551/

Comments