MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2
SHA3-384 hash: 0f751c4c2a3ac921e2d22db2a6c88d882880750ac25e401605f7175f46ab07c839f19f0ccc8fc61d2fdc70fa00fbb216
SHA1 hash: 31cb4829e6ded8a4633642cecf5c42a4fbadc1b2
MD5 hash: 11e1af92f7cceed0e7b989b40c6be67e
humanhash: aspen-fourteen-mirror-rugby
File name:Micro tunneling Drawings.pdf1.4MB.exe
Download: download sample
Signature BluStealer
Create hunting rule
File size:75'544 bytes
First seen:2022-08-03 07:44:18 UTC
Last seen:2022-08-03 07:44:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:o6Dz+mVYsCsxyA/oJN77d90NktVCbczEdUfj:BDiGvCsxyA/oJNvdoktVCbw
Threatray 1'414 similar samples on MalwareBazaar
TLSH T1BB73C58C7A5039CFC85BC9729EA81C64AB60B477971BC243E05751AD8E0CA9BDF191F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter cocaman
Tags:BluStealer exe QUOTATION

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Micro tunneling Drawings.pdf1.4MB.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 08:03:15 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/33c038b8-7003-42fc-811c-5c73e8a258c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/296101/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.HUF.genEldorado.20066.16648.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62ea27825c07b66577f19b77/reports/e5516cbc-265a-4e53-8929-d8c04402aaca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/970644d6-22df-42f4-b80b-6bcd9469d62c
Result
Threat name:
SpyEx, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045452
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 677946 Sample: Micro tunneling Drawings.pd... Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 8 other signatures 2->44 7 Micro tunneling Drawings.pdf1.4MB.exe 15 3 2->7         started        process3 dnsIp4 26 208.67.105.125, 49744, 80 GRAYSON-COLLIN-COMMUNICATIONSUS United States 7->26 20 Micro tunneling Dr...gs.pdf1.4MB.exe.log, ASCII 7->20 dropped 46 Writes to foreign memory regions 7->46 48 Allocates memory in foreign processes 7->48 50 Injects a PE file into a foreign processes 7->50 12 aspnet_compiler.exe 1 17 7->12         started        file5 signatures6 process7 dnsIp8 28 mail.charlescross-london.co.uk 80.209.224.144, 465, 49757, 49762 RACKRAYUABRakrejusLT Lithuania 12->28 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->52 54 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->54 16 AppLaunch.exe 14 3 12->16         started        signatures9 process10 dnsIp11 22 icanhazip.com 104.18.115.97, 49746, 80 CLOUDFLARENETUS United States 16->22 24 10.76.9.0.in-addr.arpa 16->24 30 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->30 32 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->32 34 May check the online IP address of the machine 16->34 36 2 other signatures 16->36 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-03 00:03:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tvlj2v3z6lyple2g3bitl5kantyfiso3u2vep5ta4vqgabj7lza._file
Verdict:
malicious
Similar samples:
133ff6cdcb6a5fcd2e8c850d0bdd7c35fa5caa702f3e96622c84c319f8b2cf4a
BluStealer
226abb03563c18970c9c94a4ab6e348d635504ae596a6e52b08d200eb7aa9b06
BluStealer
31ba919a8640e87dc1a63fd6029e3920c01ea87bba6a2d3dca8074097525e0fa
BluStealer
59b646e15716cec57916f75006361b3e369b243918fcd5cc3fffb9be230acda7
BluStealer
a5e9d790b1d375e91942201622ac9cf4a02d168b9b91284468ce8347af562a3c
BluStealer
a9e441722bbaab6eb53c633f5a6e54a0a51ee2c540ab0bf34b78582c3a9ad5a8
BluStealer
b52602e4a3c6f3b8e0921d70e7a7a3ab45f045e0753ac1738ab9841fdba0f16a
BluStealer
c54563d40991a77fb85520052ba60e4061dd4880b3a72c57b09533327cc76d03
BluStealer
dcaf120e941d5170bad07fabfc54cb4419021781e34801e88cc6342d447e2bd4
BluStealer
+ 1'404 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer stealer
Link:
https://tria.ge/reports/220803-jld72shgcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
BluStealer
Unpacked files
SH256 hash:
14b3cb8ed040700476018f22f6d3b7fc782eb0849d2fef19cdffcbc31d351ef3
MD5 hash:
b1310db1e984b14d15dbe032f69bda7d
SHA1 hash:
a17979d791991900f04181e7fb5030e48e6853c9
Link:
https://www.unpac.me/results/3f695f0a-6660-4d69-b5eb-46820dbb43ed/
SH256 hash:
dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2
MD5 hash:
11e1af92f7cceed0e7b989b40c6be67e
SHA1 hash:
31cb4829e6ded8a4633642cecf5c42a4fbadc1b2
Link:
https://www.unpac.me/results/3f695f0a-6660-4d69-b5eb-46820dbb43ed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dceab4eabbcf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BluStealer

rar 39783276f1af854d10a9ab527fc362c912a51e487e726c97ebfd69419526db8e

BluStealer

Executable exe dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 39783276f1af854d10a9ab527fc362c912a51e487e726c97ebfd69419526db8e
  
Dropped by
SHA256 cfd47d618a2b834721c1d92e04fde437f102317abfadd716b308ff6e85251733
Cape
Cape
https://www.capesandbox.com/analysis/296101/
  
Dropped by
MD5 a8643fe2ffa8f2e775c07707f7f3c9b9
  
Dropped by
MD5 bd2911bbd384af389decdba086b7c19b

Comments