MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade
SHA3-384 hash: ed118dd058e6888ebfafb3c9aaaf2f5f9e35bb3dba36f9bbe5b92e28f26f72f68ce592513d1d65029d55a281091d00e3
SHA1 hash: 219b3cf5e69a2aef57f4565ec914652f8d285612
MD5 hash: c04e99a3f7c169773a1fec0d98be2d5f
humanhash: lima-diet-nevada-nebraska
File name:SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.4182
Download: download sample
Signature BluStealer
Create hunting rule
File size:2'400'256 bytes
First seen:2022-08-05 05:51:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:4K36TCfr79vbjPKTmRaQ/+S5FmA80Z5Cq8RZ8O2bG6CbtAn:136Ofn9jbKTmRaQ/+SP80HCq8/8O16yA
TLSH T161B5BEC9507B5F8FE474DE6C4A812B523A4A49178C688F17C3E25BD4411B088B7EB9BF
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:a310logger BluStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.4182
Verdict:
Malicious activity
Analysis date:
2022-08-05 05:51:59 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/78d2c9cb-70e8-4643-8d95-5b8330f54060

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296552/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.4182.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Creating a window
Reading critical registry keys
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ecb005d40ca366615dec73/reports/f0cc282f-35df-4ec6-879c-500a777a8473/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5d4f0d1-7b34-4a4c-904d-fd0e31562b4b
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046566
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-08-05 05:52:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h44oiykajzyilu5qg4vrbxjgu76ihfzyhl6vdxars4c5aa7t5lpa._file
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection stealer
Link:
https://tria.ge/reports/220805-gkqtcaffd6/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131
Unpacked files
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
SH256 hash:
6bb4182ea7611836d46f3425443691fba12aa6ab14171d332b421414d3bb9be7
MD5 hash:
7fe300d029019491907d2ab1a7f9b971
SHA1 hash:
e6abcf4b21ec5c8e2a0c7c31661c567760789473
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
SH256 hash:
7ce909d1507de5f0f10b1d93a7b05362361592e7dfc03a5cb54499eeedbff92e
MD5 hash:
abbe2b671e0290c00ed5bd1cfcef23c9
SHA1 hash:
82545bacad44fff3b2c7bbe16a9e73143642e492
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
SH256 hash:
d437087b08a9a3f31bbc72c2bb1cfcce62b12c6dee690df61e4dffe1322556ae
MD5 hash:
3d56f985b17c6ec3e3fad93e09c9953b
SHA1 hash:
6ac6d9caaa75ecc8461ee41aedf2486c4f3ab84f
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
SH256 hash:
96acbe0620cc91c21ba808cf66fdebfee998e2ac8240b22af1ef163d71382bb3
MD5 hash:
b93a7f5b7015c9413d2141640365956f
SHA1 hash:
5d8f75084614ecb181588529f2a56c1c0c4363b5
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
SH256 hash:
ccdd35d300f578d210da5d90e57961a206f2a89d8c47be240bbf7ecf14f64559
MD5 hash:
1972b997c83051cf64daf024ba83c1a0
SHA1 hash:
335d9a7a896d16f0ae0e62fc302d48094949c29b
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
SH256 hash:
3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade
MD5 hash:
c04e99a3f7c169773a1fec0d98be2d5f
SHA1 hash:
219b3cf5e69a2aef57f4565ec914652f8d285612
Link:
https://www.unpac.me/results/5df9aa15-4eda-4344-8fb1-97e987c2bc42/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f38e461404e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296552/

Comments