BluStealer IOC

Anh Ho · Anh Ho · commit cad293b058c1 · 2021-09-20T03:42:57.000+07:00
diff --git a/BluStealer/README.md b/BluStealer/README.md
@@ -0,0 +1,113 @@
+# IoC for BluStealer
+
+Malware analysis and more technical information at <https://decoded.avast.io/anhho/blustealer/>
+
+
+### Table of Contents
+* [BluStealer](#samples-sha-256)
+* [Network indicators](#network-indicators)
+
+
+## BluStealer
+#### SHA-256
+```
+678e9028caccb74ee81779c5dd6627fb6f336b2833e9a99c4099898527b0d481
+3151ddec325ffc6269e6704d04ef206d62bba338f50a4ea833740c4b6fe770ea
+7603f8e827ab78d5ff15be1b04b9a02821edf3bf90475295e0c7c792bc328f63
+7abe87a6b675d3601a4014ac6da84392442159a68992ce0b24e709d4a1d20690
+49da8145f85c63063230762826aa8d85d80399454339e47f788127dafc62ac22
+5ff29232adcc335d007ee55421d2d6bb4ac171becf2b9b9a7595d6e4b9fc13e1
+edab175c91e078e92b57446111cb07c61e357d9a12274cab33872e14d4511ea9
+8ba38dfdaed05011a8f9d19eec1670efa63cce30f23609a3c00afb265aa22ad8
+c52a0ce16c6db82bf194988a0094a4b18aec550f1953b5e9ab127c0b84f4ecca
+1885c2faae1cf90783c7fc9ea93506e8241232e90bdaeae4ca04a5cb305e13f3
+e6ed1d0f3827d5a2e6fd38ec812456b62ee702bdaa460f7f6ef5298db5136df5
+61560f470822a249950e3d35574aae0ee9c93da31c1fd6f001c0cec97069a4fb
+1e41442f28a2328a8cec90459483ae5da9b21484b2bdd2b2e206e34a8f5672bc
+6384e3d112dfb4f7d3f2761764e491383f20cffbb7a180a087b22ef903bcc9a6
+037815f51ba857c16a5c98aa37a2acba3430b0d27de3abf558cda2bff50fa35e
+b9dcf75696ba71f292246a31877cc8c833676c5c8c241e65c741711388d99bcb
+d1c69a54577f5c6491b2979279b04c5db668e20968363d7476848d152bb94362
+e6ed1d0f3827d5a2e6fd38ec812456b62ee702bdaa460f7f6ef5298db5136df5
+fbab6f778d521589e9371227f25112fed34c19efa9f3cc068bdcffe304d67111
+620ce6c90baeaba37fb4e4ad1edcb0a862e12e1b058eaa8c41bed7439c3bd983
+0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
+b340e287c5c5cd48a5d27c71808dc75c3fd3a69a6cad029db2332e19d998bb82
+aef52ead2a03729f95962c511947226d78fe856d29ccfaacf25e1c002c0c9f92
+35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
+c783bdf31d6ee3782d05fde9e87f70e9f3a9b39bf1684504770ce02f29d5b7e1
+42fe72df91aa852b257cc3227329eb5bf4fce5dabff34cd0093f1298e3b5454e
+1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81
+81bbcc887017cc47015421c38703c9c261e986c3fdcd7fef5ca4c01bcf997007
+6322ebb240ba18119193412e0ed7b325af171ec9ad48f61ce532cc120418c8d5
+4932ea0c29c86544f03f9425b8088886d68a5965be8541a8d9c36a9b95eeacf9
+7b1fc82d47470ee3c7f8de53a959eb55febe3c4c6ba408190a877396907f8293
+5d5e9bc60284b01bc75bec81489654b56a739d81acce580cdff735070d9e831f
+43c2649b8f43a3a39f3d5f93347ac0460b9ccf910bda544e84a07769e1af34bd
+bc52d9795f801ca6872502c6e8af05cf3730384062f3b90113abc30ff9395879
+304c188b1452beea8b8a1f8bd4ac64b02781665792b46df692762b18685b1ccb
+75839121c06dd5f7ea7a32ced2755c8913ae81f7225ef6e790c131a5554034fa
+b2a74a9349ed9ebe01b89786e5472ac4cb437cec7bfb7107e135baa69d41e11a
+21f75377b964d884a9c32849b766d52f43dc05a5e53a3bf5665473abc15d7740
+efd63437050cbce03fb4e13c4be8858d0793ceaf678ffed8e6369578037fb6e1
+274bcc8a907b7f1bbfceb5b0e9f0f8f6d0dbdc65d774ce135467b704f755db81
+7881a0b4a3b923ae091c09e3498e1513ff8872a56fbf7977777ad6776a781b0b
+b9933e298be75df66ed2eee62207815a20ec36cbfae9b098c24739f0d712aacf
+add711e10bfde4da3e2048a27d8c8eab084e2df5bde714437ff2dd5dc0baa505
+```
+
+#### Crypto Address List
+```
+1ARtkKzd18Z4QhvHVijrVFTgerYEoopjLP (1.67227860 BTC)
+1AfFoww2ajt5g1YyrrfNYQfKJAjnRwVUsX (0.06755943 BTC)
+1MEf31xHgNKqyB7HEeAbcU6BhofMdwLE3r
+38atNsForzrDRhJoVAhyXsQLqWYfYgodd5
+bc1qrjl4ksg5h7p70jjtypr8s6cjpngzd3kerfj9rt
+bc1qjg3y4d4t6hwg6h22khknlxcstevjg2qkrxt6qu
+1KfRWVcShzwE2Atp1njogAqH8qodsif3pi
+3P6JnvWtubxbCxgPW7GAAj8u6CLV2h9MkY
+13vZcoMYRcKrDRDYUyH9Cd4kCRMZVjFkyn
+qrej5ltx0sgk5c7aygdsvt2gh7fq04umvusxhxl7wq
+qrzakt59udz893u2uuwtgrwrjj9dhtk0gc3m4m2sj5
+0xd070c48cd3bdeb8a6ca90310249aae90a7f26303 (0.10 ETH) 
+0x95d3763546235393B77aC188E5B08dD4Af68d89D
+0xcfE71c720b7E99e555c0e98b725919B7a69f8Bb0
+46W5WHQG2B1Df9uKrkyuhoLNVtJouMfPR9wMkhrzRiEtD2PmdcXMvQt52jQVWKXUC45hwYRXhBYVjLRbpDu8CK2UN2xzenr
+43Q4G9CdM3iNbkwhujAQJ7TedSLxYQ8hJJHYqsqns7qz696gkPgMvUvDcDfZJ7bMzcaQeoSF86eFE2fL9njU59dQRfPHFnv
+LfADbqTZoQhCPBr39mqQpf9myUiUiFrDBG
+LY5jmjdFnvgFjJET2wX5fVV6Gv89QdQRv3
+GCGIOH2DY63P3EX4UIKXDN757DFGHWAYRBFZ5FD7QOJTXAOUTHF64RIA
+GBQAOVKWPEY3M373CZSN2EQSIGRXWG3J4SNLOQNVCWRUYK7S4RJXKTOJ
+r3xDYvq9FEqk37aDmS8S1WWSst58AiykVq
+rKJedgqQy12s8Y7y4ziL9kWkMMzfJ2wfAm
+```
+
+## Network indicators
+#### Download URL
+```
+hxxps://cdn[.]discordapp.com/attachments/829530662406193185/881703391888281630/TME_delivery_status.iso
+hxxps://cdn[.]discordapp.com/attachments/829530662406193185/882099214866333706/Shipment_Receipt.pdf.iso
+```
+
+#### SMTP
+```
+andres.galarraga@sismode.com (smtp.1and1.com)
+saleseuropower@yandex.com
+info@starkgulf.com (mail.starkgulf.com )
+etopical@bojtai.club (mail.bojtai.club)
+fernando@digitaldirecto.es (smtp.ionos.es)
+baerbelscheibll1809@gmail.com
+dashboard@grandamishabot.ru (shepherd.myhostcpl.com)
+logs@grandamishabot.ru
+shan@farm-finn.com (mail.farm-finn.com)
+info@starkgulf.com (mail.starkgulf.com)
+netline@netjul.shop (mail.restd.club)
+```
+
+#### Telegram Token
+```
+1901905375:AAFoPAvBxaWxmDiYbdJWH-OdsUuObDY0pjs 
+1989667182:AAFx2Rti45m06IscLpGbHo8v4659Q8swfkQ
+```
+
+
diff --git a/BluStealer/extras/ida-decrypt.py b/BluStealer/extras/ida-decrypt.py
@@ -0,0 +1,172 @@
+import idautils
+from Cryptodome.Cipher import AES
+from Cryptodome.Util.Padding import pad
+import hashlib
+import base64
+
+def KSA(key: bytes) -> bytes:
+    S = bytearray(256)
+    for i in range(256):
+        S[i] = i
+    j = 0
+    for i in range(256):
+        j = (j + S[i] + key[i % len(key)]) % 256
+        temp = S[i]
+        S[i] = S[j]
+        S[j] = temp
+    return S
+
+def PRGA(key: bytes, ci: bytes) -> bytes:
+    S = KSA(key)
+    a = 0
+    b = 0
+    pl = bytearray(len(ci))
+    for i in range(len(ci)):
+        a = (a+1) % 256
+        b = (b + S[a]) % 256
+        temp = S[a]
+        S[a] = S[b]
+        S[b] = temp
+        K = S[(S[a] + S[b]) % 256]
+        pl[i] = ci[i] ^ K
+    return pl
+
+def rc4_decrypt_str(citext, key):
+    citext = bytearray.fromhex(citext.decode('utf-8'))
+    pltext = PRGA(key, citext)
+    return pltext
+
+   
+    return pltext
+
+def xor_decrypt_str(citext, key):
+    citext = bytearray.fromhex(citext.decode('utf-8'))
+    pltext = bytearray()
+
+    for i in range(0, len(citext)):
+        pltext.append(citext[i] ^ key[(i+1) % len(key)])
+
+    return pltext
+
+def prepad(size):
+    pre_pad = []
+    nonce = 0
+    for i in range(0, size, 16) :
+        nonce +=1
+        padding = nonce.to_bytes(16, 'little')
+        pre_pad += padding
+    return bytearray(pre_pad)
+
+def aes_decrypt(citext, password):
+    salt = b'SaltVb6CryptoAes'
+    key = hashlib.pbkdf2_hmac('sha1', password, salt, 1000, dklen=32)
+    aes_stream = prepad(len(citext))
+    aes_stream.extend(citext)
+    cipher = AES.new(key, AES.MODE_ECB)
+    xor_key = cipher.encrypt(pad(aes_stream, 16))
+    plaintext = bytearray(len(citext))
+    for i in range(len(citext)) : plaintext[i] = xor_key[i] ^ citext[i]
+    return plaintext
+
+def aes_decrypt_str(citext, password):
+    citext = bytearray.fromhex(citext.decode('utf-8'))
+    citext = base64.b64decode(citext)
+    return aes_decrypt(citext, password)
+
+def get_str(addr):
+    res = bytearray()
+    length = 0
+    data = idc.get_wide_word(addr+length)
+
+    while data:
+        res.append(data)
+        length += 2
+        data = idc.get_wide_word(addr+length)
+    return res
+
+def decrypt_all_strs(hex_func, decrypt_func, algo=0, patch=1):
+    #List of addreses required manual provision
+    citext_exception = []
+    key_exception = []
+    citext_addrs = []
+    key_addrs = []
+    strings = []
+
+    for addr in idautils.XrefsTo(hex_func, flags=0):
+        citext_addr = addr.frm
+        while True:
+              citext_addr = idc.prev_head(citext_addr)
+              if idc.print_insn_mnem(citext_addr) == "mov" and idc.get_operand_type(citext_addr, 1) == 0x5 :
+                  temp = idc.get_operand_value(citext_addr, 1)
+                  if temp not in citext_exception:
+                      citext_addrs.append(temp)
+                  break
+
+    for addr in idautils.XrefsTo(decrypt_func, flags=0):
+        key_addr = addr.frm
+        while True:
+              key_addr = idc.prev_head(key_addr)   
+              if idc.print_insn_mnem(key_addr) == "mov" and idc.get_operand_type(key_addr, 1) == 0x5 and idc.get_operand_value(key_addr, 0) == 0x2:
+                  temp = idc.get_operand_value(key_addr, 1)
+                  if temp not in key_exception:
+                      key_addrs.append(temp)
+                  break
+
+    decrypted = []
+    size = min(len(key_addrs), len(citext_addrs))
+    citext_addrs = citext_addrs[:size]
+    citext_addrs.extend(citext_exception)
+    key_addrs = key_addrs[:size]
+    key_addrs.extend(key_exception)
+
+    for i in range(0, size+len(citext_exception)) :
+        if citext_addrs[i] not in decrypted:
+            decrypted.append(citext_addrs[i])
+        else:
+            continue
+
+        print(f"{hex(citext_addrs[i])} {hex(key_addrs[i])}")
+        if algo == 1:
+            pltext = xor_decrypt_str(get_str(citext_addrs[i]), get_str(key_addrs[i]))
+        elif algo == 2:
+            pltext = rc4_decrypt_str(get_str(citext_addrs[i]), get_str(key_addrs[i]))
+        else:
+            pltext = aes_decrypt_str(get_str(citext_addrs[i]), get_str(key_addrs[i]))
+        print(pltext)
+
+        if pltext not in strings:
+            idc.set_cmt(citext_addrs[i], pltext.decode('utf-8'), 1)
+            strings.append(pltext)
+            if patch:
+                for idx in range(len(pltext)) :
+                    idc.patch_word(citext_addrs[i] + idx*2, pltext[idx])
+                    for pad_idx in range(idx + 1, idx*2) :
+                        idc.patch_word(citext_addrs[i] + pad_idx*2, 0x00)
+    return strings
+
+''''
+Please provide the address of the following functions
+hex_func as Proc_1_3
+decrypt_func as Proc_1_5
+
+(void (__fastcall *)(char *, const wchar_t *))_vbaStrCopy)(
+    v165,
+    L"9FB61391D8974B3D8AD01F88F3CECED5B4E9100A3C10C6A37AC8670C078E23B9C0C7");
+  v8 = Proc_1_3(v165);
+  ((void (__fastcall *)(int *, int))_vbaStrMove)(&v162, v8);
+  ((void (__fastcall *)(char *, const wchar_t *))_vbaStrCopy)(v163, L"OMSkahFpbDoSRbwObPrXoXrL");
+  v120 = v162;
+  v162 = 0;
+  ((void (__fastcall *)(char *, int))_vbaStrMove)(v164, v120);
+  v156 = Proc_1_5(v164, v163);
+
+Please apply an IDC Script generated from http://sandsprite.com/vbdec/ to help fix up all functions
+'''
+hex_func =
+decrypt_func =
+strings = decrypt_all_strs(hex_func, decrypt_func, patch=0)
+
+#Decrypt payload from resource file example
+#citext = bytearray(open('CUSTOM101', 'rb').read())
+#password = b'DDDJJFHHDII8387474765HHFNNFBGGFJJRKJKERJ439485TH8THTJMNBGJTIGH4I5YYIU45VBIUG4I7I1123405TY'
+#open('payload.bin', 'wb').write(aes_decrypt(citext, password))
diff --git a/BluStealer/network.txt b/BluStealer/network.txt
@@ -0,0 +1,13 @@
+cdn[.]discordapp.com/attachments/829530662406193185/881703391888281630/TME_delivery_status.iso
+cdn[.]discordapp.com/attachments/829530662406193185/882099214866333706/Shipment_Receipt.pdf.iso
+andres.galarraga@sismode.com
+saleseuropower@yandex.com
+info@starkgulf.com
+etopical@bojtai.club
+fernando@digitaldirecto.es
+baerbelscheibll1809@gmail.com
+dashboard@grandamishabot.ru
+logs@grandamishabot.ru
+shan@farm-finn.com
+info@starkgulf.com
+netline@netjul.shop
diff --git a/BluStealer/samples.md5 b/BluStealer/samples.md5
@@ -0,0 +1,43 @@
+9d68d62ba648dc881076bbd7d70ac59c
+925b9684983a46b984f190c18c868db3
+79a97d24433615837251fe141b7174d4
+6f7302e24899d1c05dcabbc8ec3e84d4
+6ada9bd1462fbfd331cf512e5818845c
+e1cb274e093a6511f3f4fe455f914544
+0126cf58488b9c91b900d66990dea74a
+6b7904fcf4f57299a961a746d83cef89
+d4acddc42c8a82dfe42b86f02eb8bc76
+7b67428d037e03d486bfc80126a86fc9
+f2f6a1a59fea21aae4341827feea8d0b
+b3d0b8c065ad75dfd646829bc7c87735
+75cd3d2c8c439e9e7bb66b3b102bfda0
+716f710f6f2b57d83ad58644fbd96b8b
+fd5bcdac791022b5452b12542a4be250
+07ddb19024ba308280048375e9be32ff
+5ad315813b752aa9483c5868dbc7d37b
+199bab13ac407a49891dabb0c1c8e303
+e0b26c5b50a37a6672d29e90b8b0adbd
+91b41651e6e9ab352805c6d35a297d08
+6ae510da968ebcbf5a8661c080ac12fd
+4b975596502b87cd63ac969b13ea998f
+6f8bb2ff11646a8e47c1b2a27d475010
+3729ddb118ee2c7addc09de37b00c7bf
+6fe6ba1439d88cf7fd8debb37324ce82
+479de94fbadd83fce799ed3389da1ce5
+4ac6f9f4017f83d0582f445584bb143c
+659add09ffc62a07b044a31d8b0df624
+906dccd51a18df6ea9f18d092976f942
+28896e0518936c1d15f282b7cba5f7c6
+818d803e3bb3a1b21fd663db75b3c6ae
+852272ecaca074fc886617a92886c511
+4a7e2d2455e0a69ffd9f67c1d3742a0e
+e07778f09aa5030ed8552e5038f8fc1c
+5a025fd5a54ec9b733c5c7936977839f
+9907b4c2e52595de42ae8cda0cb10613
+98c0be7dfb690e61ba2a0eb9352e1497
+a14f2cf850e04ec669fdb46462895541
+f71be3c684a4cc97288b3b7609adeda3
+71be01727b86c69e893e046be8f9fa1b
+03ebd4eb395cf8a547048504d8c97540
+61ae6cda7bcd244e8bd4717425ec823d
+46349f1af3adcf917df984040a8dce52
diff --git a/BluStealer/samples.sha1 b/BluStealer/samples.sha1
@@ -0,0 +1,43 @@
+9a896957321b89c4ad55d906f98d58024f05b9f9
+d8452cda97b9efc597254055e1d3089a21aa5582
+6629ebd021eefece2411f6253e2d0b2c7a04d577
+11a5cbb08fc5698fd3bf3fd086ba0fcd954ecdec
+a0960b16e2057ed5ec1a5b356005392beb59de64
+42e6134c8ab92fb8bcdf1e222d9b80c117640b27
+731c5fd198ff88c8819d99a2d499a2d23e50114f
+bfe71a81fc2a1ee0e45a705fe021b0302b07c927
+1ab7ff892bb1cfa2b88e3024561288efc5a9c0c8
+a50ff1bc36532a11b987471ee42d34a657a0b7ad
+6a5abba4d17f275eb4c28028f815642c7e22a1ce
+629655f03b356ad46ae106855eb004c7be7098c0
+d2a2717f22f5ce326a3e8f8e7efd852e5b5c68f7
+f2a9b68f3222ca133ffd26c22c358f3f285b8eba
+7ad684c4d6969dc2292fd73a924c6109614190c3
+e2714ca01a6e8e8713e9e2a175c0e3598ebb75df
+73375d743067ada0569acc444143b56fa66c1ff3
+e332094b0ffd29f0fc0e7a70a03345ef725181d9
+9d70d4c5bed44e6a3375cf16d9f8830f0a85c8ab
+11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
+954411a295d35020e447be1535253d800d463efe
+c3f2fa95e2b668b5e32b3a494f81d8ac5f476f60
+a300b7be64343ce6ab88edb0c71f3052663674d4
+4c56754e3261a7368ade6033e6cca69b316cc834
+6dd21af92d79085a4140be5db5c6faa7c5de2f81
+4ae4c57faeab4e3b4cbf07f34c0cb12f542bc422
+15d11f71b884c4ce0c1c4a83e760bf7a7c492cab
+bef7500a5e3a62295f102ef5f6f100597d78a546
+7328e378ec766d7a898c4043f3d9ec0885a2d209
+87d3b5c8b1d284f446cf3a0dc955551c4d42fe3c
+37f7b510514953113fd7cbc1b5ff246e2e486a7a
+e3a16c367d0672868c65f5bffbfa33264458a84d
+a35989cc8343c5afbfa7eab186dc6c72129cfc2a
+994c26d20165cb5be37a18a61211d713f8c6d487
+a46c05b5ea797f490ac8d5379b1be3278e9d512e
+aef892e87feb647658b4dd5a1596018febb54bc4
+8354b56569ccd489f6f183154f233b4421899b83
+adfa3cc683f488a3adf1b0260b0b447aac6db575
+7c5ece45eed87e34b1a138bb2dedddc982d8c8b9
+be2d44249d8dae9a8370686c9b44e21cf3e53bf9
+5bbef49ef15239fade1d94ea21d542268a781857
+4daa6d18aa326da1e70fc488cecec5ff7f66c3cf
+a8b368324a9188ca6af687c1fc62f48474ea742d
diff --git a/BluStealer/samples.sha256 b/BluStealer/samples.sha256
