MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568
SHA3-384 hash: 7b9fde063425ac85ae47e385137136a7d36b07adffdcbd045d89243e870c04bf40ef75e30ca040eb7f3ad02d2d10222f
SHA1 hash: a6421afd18561adce0e0c6c2b5e59457df465b60
MD5 hash: 1114f04c0013d6ace1c5ae1d0367f5ef
humanhash: missouri-mike-stream-earth
File name:DWK Order - 889545422.exe
Download: download sample
Signature BluStealer
Create hunting rule
File size:652'325 bytes
First seen:2022-04-11 12:40:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:kNT+wFc0uXKHb93LgeghsH101osz6hUTOkYS1PiFLytudwYzAo:kNT+w6MbNgva7/iQLytudwi
Threatray 2'848 similar samples on MalwareBazaar
TLSH T118D4F0B2230A99CECDB0F475872271DD99F02FDBC01C6D8236E1697B37219314EE5AA5
File icon (PE):PE icon
dhash icon 64e4ccdcb2c2d4cc (9 x Formbook, 4 x BluStealer, 3 x RemcosRAT)
Reporter adrian__luca
Tags:BluStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DWK Order - 889545422.exe
Verdict:
Malicious activity
Analysis date:
2022-04-12 03:40:43 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/d0d157f1-0ace-4c10-8fc5-c1a363f72403

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262687/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20220407-1601.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13468/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62542224d149c40acb24411e/reports/76f2a660-63da-4c21-aab7-05f8d7bfbc89/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc924118-2d06-4988-9546-e1254bf19487
Result
Threat name:
BluStealer SpyEx
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974626
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected BluStealer
Yara detected Generic Dropper
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607137 Sample: DWK Order - 889545422.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected BluStealer 2->41 43 4 other signatures 2->43 7 DWK Order - 889545422.exe 18 2->7         started        10 misguise.exe 2->10         started        13 misguise.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Local\Temp\zacwop.exe, PE32 7->27 dropped 15 zacwop.exe 7->15         started        49 Multi AV Scanner detection for dropped file 10->49 18 WerFault.exe 23 9 10->18         started        20 WerFault.exe 2 9 13->20         started        signatures5 process6 signatures7 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->51 53 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->53 55 Writes or reads registry keys via WMI 15->55 57 Injects a PE file into a foreign processes 15->57 22 zacwop.exe 4 29 15->22         started        process8 dnsIp9 35 premium12.web-hosting.com 198.54.126.159, 465, 49752, 49760 NAMECHEAP-NETUS United States 22->35 29 C:\Users\Public\...\misguise.exe, PE32 22->29 dropped 31 C:\Users\Public\...\sqlite3.dll, PE32 22->31 dropped 33 C:\Users\Public\...\SQLite3_StdCall.dll, PE32 22->33 dropped 45 Tries to harvest and steal browser information (history, passwords, etc) 22->45 47 Tries to steal Crypto Currency Wallets 22->47 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 19:47:34 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxfptz6xaeh65eyabddwxif3uz2m7nt7kq4qvqh2as6mowdx6vua._file
Verdict:
malicious
Similar samples:
4068367bc59ad89c43c9024b63d4057942626c13d4cb4233ba14218a5f1d2ee8
BluStealer
42432fd4bcdfd6d3228b6d691437775f19b282ed0d4f5b622acc066f53e83c8d
BluStealer
43c7a6a2753a823e9588d72776b4a660d33b8890414fff82d6741132346d8abb
BluStealer
66769c84eafe1b9aa9dfeab6bfefc0b1fcd1362f5115619f749316f2a1353a3f
BluStealer
7642c30cee6aa8c2ca74e267f4522ec280ae3fc402056eb07187a10dd0d92885
BluStealer
8cf4d9a55d80942fbdf18648f7fa01768efc4783b439503d39d9ef98a85fb193
BluStealer
ec6cb0a51fe3d020e3989762f1b449f45413695c9ea7db67d3a2cf31c9e26ef1
BluStealer
+ 2'838 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer persistence spyware stealer
Link:
https://tria.ge/reports/220411-pwrh1sabc2/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
BluStealer
Unpacked files
SH256 hash:
b1b617a8548ffc045b300542b71fbf05496d6c7eef5e1ffdf66a596b012667ae
MD5 hash:
953b2013a8b0d4be5368a65fc74c93f4
SHA1 hash:
22cadd03c23e3440b8bec25cd5ec52c18b68521b
Link:
https://www.unpac.me/results/36f4f066-bd10-4f1a-989d-00b191897765/
SH256 hash:
accc0b84ecabc5605ca9e71c0167bfb9d25df7036fee6e7d8500b572fbe52d0c
MD5 hash:
04a113677151299093e033c9c7904dfe
SHA1 hash:
e6add6d723d32ade49f9587c26d569d5445d28d1
Link:
https://www.unpac.me/results/36f4f066-bd10-4f1a-989d-00b191897765/
SH256 hash:
6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568
MD5 hash:
1114f04c0013d6ace1c5ae1d0367f5ef
SHA1 hash:
a6421afd18561adce0e0c6c2b5e59457df465b60
Link:
https://www.unpac.me/results/36f4f066-bd10-4f1a-989d-00b191897765/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BluStealer

Executable exe 6dcaf9e7d7010fee930008c76ba0bba674cfb67f54390ac0fa04bcc75877f568

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/262687/

Comments