MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 708f366019c67cdec28a6950aa2a24f4ba274ebdadc35339ce1208ea971fc668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BluStealer

Vendor detections: 12



SHA256 hash: 708f366019c67cdec28a6950aa2a24f4ba274ebdadc35339ce1208ea971fc668
SHA3-384 hash: c3336b4990be11fc9133c410e727c50ebd93790823ca8ef82615932882fc097853c0fea9efecbb1108f69494bcd59ded
SHA1 hash: a3f27af6b4ba853cc85cd9e8b6e0a26b44e41a8e
MD5 hash: a01c97c35665af7491d2f458e36fd520
humanhash: steak-carolina-jig-blue
File name: document approval_Pdf.exe
Signature: BluStealer
File size: 1'080'832 bytes
First seen: 2023-04-06 10:06:33 UTC
Last seen: 2023-04-11 04:37:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:47a2iNpVDhqX5KNS9+IUsvT77D8zdARM8hQDTau0DmcOeZmk/5DizSwNUs2naFaP:47a1jfKbrIzGml0tOgmADi4sDaQI
Threatray: 96 similar samples on MalwareBazaar
TLSH: T1B2359D211D6745C2C9B90FB444B97A4807B4AC538FE4903E3D82797E8FFAB9B54893D2
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: abuse_ch
Tags: BluStealer exe Telegram

Intelligence


File Origin
# of uploads: 2
# of downloads: 269
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: document approval_Pdf.exe
Verdict: Malicious activity
Analysis date: 2023-04-06 10:08:33 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: clipbanker coinminer packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BluStealer, ThunderFox Stealer, a310Logg
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-04-06 03:24:05 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 17 of 36 (47.22%)
Threat level: 5/5
Result
Malware family: blustealer
Score: 10/10
Tags: family:blustealer collection stealer
Behaviour
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
BluStealer
Malware Config
C2 Extraction: https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
BluStealer
Executable exe 708f366019c67cdec28a6950aa2a24f4ba274ebdadc35339ce1208ea971fc668 (this sample)
Delivery method: Distributed via e-mail attachment

Comments