MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c26bf76c00885577a5aeacd05387893d936bf122aaf3999dcb0dee3be14fcfcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BluStealer

Vendor detections: 13

SHA256 hash: c26bf76c00885577a5aeacd05387893d936bf122aaf3999dcb0dee3be14fcfcd
SHA3-384 hash: ebea740d577eef230afd907fe03825c93dc179932a84ad0ab9d2cec849143b6e9e88e1f3d16a43a1a822a61bfc8f8157
SHA1 hash: 4385230e53f255d7db8b91844f2c67f1b16c1c96
MD5 hash: 3b156e7eab24fbf17d682c7d889b85d6
humanhash: neptune-blossom-lamp-salami
File name: Purchase order_pdf.exe
Signature: BluStealer
File size: 811'008 bytes
First seen: 2023-04-17 23:17:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 12288:XAOsOorAeJPzsJnxfBN9UpRQQ2FDTm3U+o1N68vlU0WhmtVSkYRUVmU:XAOcr5axfBYp6fDMkzRiQVSkYqm
Threatray: 99 similar samples on MalwareBazaar
TLSH: T15B05232E1778CBB1F51D2735245899413979D3C0A9F4CC2C806267AE8BF7EC6905CBEA
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: Anonymous
Tags: BluStealer exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 249
Origin country: CH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Purchase order_pdf.exe
Verdict: Malicious activity
Analysis date: 2023-04-17 23:20:22 UTC
Tags: stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: clipbanker comodo darkkomet packed remcos

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BluStealer, ThunderFox Stealer, a310Logg
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected ThunderFox Stealer
Result
Malware family: blustealer
Score: 10/10
Tags: family:blustealer collection stealer
Behaviour
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
BluStealer
Malware Config
C2 Extraction: https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Dotnet_Hidden_Executables_Detect
Author: Mehmet Ali Kerimoglu (@CYB3RMX)
Description: This rule detects hidden PE file presence.
Reference: https://github.com/CYB3RMX/Qu1cksc0pe

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: BluStealer
File: Executable exe c26bf76c00885577a5aeacd05387893d936bf122aaf3999dcb0dee3be14fcfcd (this sample)
Delivery method: Distributed via e-mail attachment