MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a05733793bb58c48330cb03af5e007ecc5bfbcf9a4da47fc0c2833f8e9e1904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a05733793bb58c48330cb03af5e007ecc5bfbcf9a4da47fc0c2833f8e9e1904
SHA3-384 hash: a79789074306e9db80b1bdfc7f973617fbaf3f6b28bd7310933637509fb9007bed3818dd47e1685198240ae10c63d592
SHA1 hash: 833a95ea5f288386a6a5989ca97e129d95888e9f
MD5 hash: 147b50b9915aab6359f94cbefe850e2c
humanhash: pip-white-pip-princess
File name:147b50b9915aab6359f94cbefe850e2c
Download: download sample
Signature BluStealer
Create hunting rule
File size:680'609 bytes
First seen:2022-04-19 07:39:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:kNT+wNnrjaevFnlQfmUI5iYGCNEo3FCtzvpazlZM1khAHoH8aH:kNT+wVvFlQfmo37o3szvolYJFi
Threatray 475 similar samples on MalwareBazaar
TLSH T171E4F0B2231B99CEDCB0F47A972271DD15F91EC7C01C6D8632E0953B77608358EDAA92
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64e4ccdcb2c2d4cc (9 x Formbook, 4 x BluStealer, 3 x RemcosRAT)
Reporter zbetcheckin
Tags:32 BluStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264529/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed python shell32.dll
Link:
https://www.filescan.io/uploads/625e6754eab80a7a6c3f7c79/reports/2dbca1ba-3796-40dc-b94b-5ee8442826df/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b28fb972-00b8-496a-a9d0-3c475a97ce83
Result
Threat name:
BluStealer SpyEx
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978681
Signature
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected BluStealer
Yara detected Generic Dropper
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611168 Sample: aReN2n2SgT Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected BluStealer 2->63 65 2 other signatures 2->65 7 aReN2n2SgT.exe 18 2->7         started        10 qofcviuohrs.exe 1 2->10         started        13 misguise.exe 1 2->13         started        15 2 other processes 2->15 process3 file4 47 C:\Users\user\AppData\Local\...\khjerdhr.exe, PE32 7->47 dropped 17 khjerdhr.exe 1 3 7->17         started        79 Multi AV Scanner detection for dropped file 10->79 21 WerFault.exe 23 9 10->21         started        23 conhost.exe 10->23         started        25 conhost.exe 13->25         started        27 WerFault.exe 13->27         started        29 WerFault.exe 2 9 15->29         started        32 conhost.exe 15->32         started        34 conhost.exe 15->34         started        36 WerFault.exe 15->36         started        signatures5 process6 dnsIp7 45 C:\Users\user\AppData\...\qofcviuohrs.exe, PE32 17->45 dropped 67 Multi AV Scanner detection for dropped file 17->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->69 71 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->71 73 3 other signatures 17->73 38 khjerdhr.exe 4 29 17->38         started        43 conhost.exe 17->43         started        57 192.168.2.1 unknown unknown 29->57 file8 signatures9 process10 dnsIp11 55 premium12.web-hosting.com 198.54.126.159, 465, 49788, 49791 NAMECHEAP-NETUS United States 38->55 49 C:\Users\Public\...\misguise.exe, PE32 38->49 dropped 51 C:\Users\Public\...\sqlite3.dll, PE32 38->51 dropped 53 C:\Users\Public\...\SQLite3_StdCall.dll, PE32 38->53 dropped 75 Creates multiple autostart registry keys 38->75 77 Tries to harvest and steal browser information (history, passwords, etc) 38->77 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a05733793bb58c48330cb03af5e007ecc5bfbcf9a4da47fc0c2833f8e9e1904/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 00:08:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=licxgn4txnmmjazqzmb26xqap3gfx66ptjg2i76aykbt7du6deca._file
Verdict:
malicious
Similar samples:
3d3b6b64ac6d617d239daf44b19160a88844802014f7e7ec993df79c673d992a
BluStealer
5d0a8a5478876026ee661b50518e44f95308bf20e1e512c3608f97f97aed3384
BluStealer
6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568
BluStealer
c3d161f4e83f33738a48161f6a70e3dce8572f9d720d313cf633204d02ccc037
BluStealer
e9f08fb27479f796c6fc4acb74759336ea2a426b1282d89fe78764a7680c758c
BluStealer
ebb69ac4f43e0167713961ddca07755eedabc9c40310ca5a07b01ed7b62f3ab9
BluStealer
+ 465 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer persistence spyware stealer
Link:
https://tria.ge/reports/220419-jhjncsdhd5/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
BluStealer
Unpacked files
SH256 hash:
c852ae1f9f9e1574c0fb700be448fff26bb64e0c1f7798ea18c5a19720e6548f
MD5 hash:
6a14f02957003462e9a030eb69557270
SHA1 hash:
162a227e0248b3147e25715663dca404c1b32724
Link:
https://www.unpac.me/results/185bbb1a-c6af-4e0e-b111-4640cf1d380a/
SH256 hash:
bdd72ffde75d9b60e30c5b089f05d6607fe9d98bbb28324c658642f556a1c7fd
MD5 hash:
00716779c340bed81b0194b842c005e0
SHA1 hash:
b71f40a92d52ae3ae8a844ef70538a612b02dece
Link:
https://www.unpac.me/results/185bbb1a-c6af-4e0e-b111-4640cf1d380a/
SH256 hash:
5a05733793bb58c48330cb03af5e007ecc5bfbcf9a4da47fc0c2833f8e9e1904
MD5 hash:
147b50b9915aab6359f94cbefe850e2c
SHA1 hash:
833a95ea5f288386a6a5989ca97e129d95888e9f
Link:
https://www.unpac.me/results/185bbb1a-c6af-4e0e-b111-4640cf1d380a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a05733793bb58c48330cb03af5e007ecc5bfbcf9a4da47fc0c2833f8e9e1904

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BluStealer

Executable exe 5a05733793bb58c48330cb03af5e007ecc5bfbcf9a4da47fc0c2833f8e9e1904

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/264529/
  
URLhaus
https://urlhaus.abuse.ch/url/2153786/

Comments


Avatar
zbet commented on 2022-04-19 07:39:54 UTC

url : hxxp://f0662140.xsph.ru/Arito.exe