MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03
SHA3-384 hash: e2617bd5196cefabcea9d60bace6139313dc4e51f4754649d3ccd6c5f7b863b60b2ccdcb5c0b1f8eaef4bd05626168ae
SHA1 hash: 40c8fca01c37d1f1592dacc06f48b918311e37e7
MD5 hash: 09338b623f4473341a54191980901783
humanhash: kilo-oscar-monkey-winner
File name:Purchase Order 202319876.exe
Download: download sample
Signature BluStealer
Create hunting rule
File size:1'740'288 bytes
First seen:2023-05-10 10:22:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:+b3IBXM8LcvUtY+FGkacy9RjdMD84XKpJKbJ6byq0TyJN8Wo+uOZakN:WQXZcvUtYRcGLoHvJQb8WoIN
Threatray 33 similar samples on MalwareBazaar
TLSH T13885E03C61C66C22C31277FA4999C5E00339AF10AFABD26A257E30CD9971B93ED9550F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9d9e1969696b0646 (9 x SnakeKeylogger, 8 x AgentTesla, 4 x Loki)
Reporter threatcat_ch
Tags:BluStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order 202319876.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 10:23:20 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/fa11677b-f541-4c42-925d-6ee4e6db2232

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388124/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645b7087d860ee3e1ca6a472/reports/cf6cea3a-0945-4bdf-b3aa-582b68b2b684/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/512c5c25-107f-4bd6-9746-fcdcef498969
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229924
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found malware configuration
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Snort IDS alert for network traffic
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862906 Sample: Purchase_Order_202319876.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 50 Tries to download HTTP data from a sinkholed server 2->50 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 14 other signatures 2->56 7 Purchase_Order_202319876.exe 3 2->7         started        11 TieringEngineService.exe 2->11         started        13 armsvc.exe 1 2->13         started        16 16 other processes 2->16 process3 dnsIp4 36 C:\Users\...\Purchase_Order_202319876.exe.log, ASCII 7->36 dropped 66 Injects a PE file into a foreign processes 7->66 18 Purchase_Order_202319876.exe 1 8 7->18         started        23 Purchase_Order_202319876.exe 7->23         started        68 Creates files inside the volume driver (system volume information) 11->68 44 yhqqc.biz 107.6.74.76, 49733, 49752, 49776 VOXEL-DOT-NETUS United States 13->44 46 vyome.biz 162.217.98.146, 49773, 49787, 80 VOXEL-DOT-NETUS United States 13->46 48 49 other IPs or domains 13->48 file5 signatures6 process7 dnsIp8 38 dwrqljrr.biz 173.231.184.122, 49697, 49698, 49727 VOXEL-DOT-NETUS United States 18->38 40 zlenh.biz 18->40 42 35 other IPs or domains 18->42 28 C:\Windows\System32\xbgmsvc.exe, PE32+ 18->28 dropped 30 C:\Windows\System32\wbengine.exe, PE32+ 18->30 dropped 32 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 18->32 dropped 34 84 other malicious files 18->34 dropped 58 Writes to foreign memory regions 18->58 60 Allocates memory in foreign processes 18->60 62 Drops executable to a common third party application directory 18->62 64 2 other signatures 18->64 25 AppLaunch.exe 2 18->25         started        file9 signatures10 process11 signatures12 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->70 72 Tries to steal Mail credentials (via file / registry access) 25->72 74 Tries to harvest and steal browser information (history, passwords, etc) 25->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 04:04:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hpbyoc7vqgikdxdaiz4s4nhnpxopcbekaejt5ogjwydy4fmfybq._file
Verdict:
malicious
Similar samples:
2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9
BluStealer
35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
BluStealer
374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c
BluStealer
59171f457fb4915d408fa293f0ca3cdfeb613a20d6fadc50ae88b1cf58f0b004
BluStealer
90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f
BluStealer
e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
BluStealer
e65641bdd1d31a37d1caa1cbf41d05fa9e7b0caf3c5b531ba66d32c0a3a94406
BluStealer
e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
BluStealer
f91550582e9e831cba0a8ee62a9a47b3f9a4f1f24e228353d6f5050bc1b52509
BluStealer
fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b
BluStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection spyware stealer
Link:
https://tria.ge/reports/230510-meszeafd88/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Unpacked files
SH256 hash:
6ae663ec910191c883f9f9d3db7031eadb0a7a7b745b28ee7c5a7321ca20a98c
MD5 hash:
ad6471702ec11528ea7bbbaf94cfa7ea
SHA1 hash:
e683f798bb8779b67b28ad859b156460a26f89f3
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
SH256 hash:
3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash:
8a2c496875c0871aecc16aae768b323f
SHA1 hash:
f5423a32125c70b512de301c5616c7b75477e2e7
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
SH256 hash:
2c09f1662c3326e8262b1092430c8384616d41f63553785c5cd91c2079a6e0fd
MD5 hash:
a6730ab86e2c5ab92f954398530a6160
SHA1 hash:
9c0b3ed6c8c3f38132b97c54aeb11b867bc83a70
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a262657b06b4fd27c3a36bc1ed6a9033573ac997752af31b47ad29b8934f4515
MD5 hash:
b46a3b0bba368f7dec1af2e8872dd1f6
SHA1 hash:
56fd0ec6009db1f00a4912136e1a7ae7bbd178ec
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
SH256 hash:
355388f192b798f7d6c2b20207feb591972b294d1fb26a770363b5e0067b0271
MD5 hash:
958b9935937f063daed89032639e4490
SHA1 hash:
4aa4fcb2d04baaac9da4783991eeeaad80b21705
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
SH256 hash:
f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03
MD5 hash:
09338b623f4473341a54191980901783
SHA1 hash:
40c8fca01c37d1f1592dacc06f48b918311e37e7
Link:
https://www.unpac.me/results/25ac6b2e-a490-46e0-b31d-b6936ced6b9c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1de1c385fac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Expiro
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BluStealer

Executable exe f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03

(this sample)

  
Dropped by
BluStealer
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388124/

Comments