MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ccdddefb214c8c80d410f0872ad18d2d08d2396fc49e0d850086f2dd7f4583. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BluStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments 1

SHA256 hash:	51ccdddefb214c8c80d410f0872ad18d2d08d2396fc49e0d850086f2dd7f4583
SHA3-384 hash:	bb219e00fc95d20846222520b1fae6f99ccfc7e1cd9246f38851bcf97557ee67690b3dff116e6752f955f798d93cf022
SHA1 hash:	b7598c3c8754d21f5b34b7fc74ea4ff4053648a5
MD5 hash:	d192f0d7f70c0f0f57e2af7d87ae3000
humanhash:	mars-finch-winner-muppet
File name:	d192f0d7f70c0f0f57e2af7d87ae3000
Download:	download sample
Signature	BluStealer Create hunting rule
File size:	450'560 bytes
First seen:	2022-09-11 07:26:18 UTC
Last seen:	2022-09-11 07:48:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	df8fbcbe90e1e305a660f0ac2aa4fae4 (6 x a310Logger, 5 x BluStealer)
ssdeep	12288:qWnxfgsRL4u/1AlLK6FRY2n8OPKxGvYmBZ:BxgsRftD0C2nKGP
TLSH	T164A4011527B6F319D2148BB513FB836401A4FB315FA34D0BBB0C6B5AA236D92D2B9317
TrID	78.7% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	zbetcheckin
Tags:	32 BluStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d192f0d7f70c0f0f57e2af7d87ae3000

Verdict:

Malicious activity

Analysis date:

2022-09-11 07:29:33 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/f282d16b-6a9a-4d9f-8d95-6963a5608159

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/309245/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.21985.6493.1052.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed shell32.dll

Link:

https://www.filescan.io/uploads/631d8e085264d5b74d1eae1c/reports/8456f679-5b41-47cf-8ce2-6ab8d74eb0b5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72f2b1b8-468a-448f-9e74-96f19bc8a2cf

Result

Threat name:

BluStealer, ThunderFox Stealer, a310Logg

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1068387

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected a310Logger

Yara detected BluStealer

Yara detected ThunderFox Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/51ccdddefb214c8c80d410f0872ad18d2d08d2396fc49e0d850086f2dd7f4583/

Threat name:

Win32.Trojan.Lazy

Status:

Malicious

First seen:

2022-09-06 19:37:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 40 (77.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=khgn3xx3efgizagucdyiokwrruwqrurzn7cj4dmfacdpfxl7iwbq._file

Verdict:

malicious

Result

Malware family:

blustealer

Score:

10/10

Tags:

family:blustealer collection

Link:

https://tria.ge/reports/220911-h94beaehgp/

Behaviour

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Malware Config

C2 Extraction:

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Unpacked files

SH256 hash:

fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c

MD5 hash:

d2ec533f8b40a8224d79c87c2291f943

SHA1 hash:

f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2

Link:

https://www.unpac.me/results/216c14a1-2b7c-436e-bb67-4706b8fa39ab/

SH256 hash:

9dc7c5f5d889aebb2e0f63d5b5a7887c37a2cf002bd1aa66229bffbc5fcb4717

MD5 hash:

3a24c7f9a1246d99f52edc9251227a1e

SHA1 hash:

47a0072ffc1daa0b7537a0fbc99d67ca880560c3

Link:

https://www.unpac.me/results/216c14a1-2b7c-436e-bb67-4706b8fa39ab/

SH256 hash:

51ccdddefb214c8c80d410f0872ad18d2d08d2396fc49e0d850086f2dd7f4583

MD5 hash:

d192f0d7f70c0f0f57e2af7d87ae3000

SHA1 hash:

b7598c3c8754d21f5b34b7fc74ea4ff4053648a5

Link:

https://www.unpac.me/results/216c14a1-2b7c-436e-bb67-4706b8fa39ab/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/51ccdddefb21/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/51ccdddefb214c8c80d410f0872ad18d2d08d2396fc49e0d850086f2dd7f4583

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.