{
	"id": "10682134-20d1-4b7d-b971-71c06d270424",
	"created_at": "2026-04-06T00:14:19.807557Z",
	"updated_at": "2026-04-10T03:37:08.772569Z",
	"deleted_at": null,
	"sha1_hash": "a7c9a5b4e8dcbdc7b5a1f37be0de7849e6a90947",
	"title": "24/7 managed detection, response, and expert cybersecurity services - GoSecure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95788,
	"plain_text": "24/7 managed detection, response, and expert cybersecurity\r\nservices - GoSecure\r\nArchived: 2026-04-05 15:26:02 UTC\r\nGoSecure Titan Labs obtained a sample of the high-profile malware identified as BluStealer - that can steal\r\ncredentials, passwords, credit card data, and more. The expert investigators at Titan Labs developed this detailed\r\nanalysis that examines the infection vector, components, methods of exfiltration and capabilities.\r\nThis sample of an optical disc image (ISO) file (01d4b90cc7c6281941483e1cccd438b2) from GoSecure's Inbox\r\nDetection and Response (IDR) team embedded within the ISO file is a 32-bit executable\r\n(6f7302e24899d1c05dcabbc8ec3e84d4) compiled in Visual Basic 6. The following is an in-depth analysis of the\r\nportable executable (PE).GoSecure Titan Labs obtained a sample of the high-profile malware identified as\r\nBluStealer - that can steal credentials, passwords, credit card data, and more. The expert investigators at Titan\r\nLabs developed this detailed analysis that examines the infection vector, components, methods of exfiltration and\r\ncapabilities.\r\nThis sample of an optical disc image (ISO) file (01d4b90cc7c6281941483e1cccd438b2) from GoSecure's Inbox\r\nDetection and Response (IDR) team embedded within the ISO file is a 32-bit executable\r\n(6f7302e24899d1c05dcabbc8ec3e84d4) compiled in Visual Basic 6. The following is an in-depth analysis of the\r\nportable executable (PE).\r\nAnalysis\r\n2.0.1 Infection Vector\r\nThe initial infection vector is via malspam containing links to cdn.discord.com. Using Discord's content delivery\r\nnetwork (CDN) as a malware distribution system continues to grow in popularity among threat actors. 
The email\r\n(1010589761b3051eec33681d0513242a) in this case, shown in Figure 1, purports to be from DHL Express,\r\nstating that a shipment is on the way and that it can be tracked or changed by clicking the link labelled here, which\r\ndownloads the malicious ISO file from hxxps://cdn[.]discordapp[.]com/attachments/\r\n829530662406193185/882109821736865832/Your_DHL_Shipment_Notification.pdf.iso. This particular\r\ncampaign does not exclusively use DHL spoofed emails, as emails spoofing other companies have also been\r\nobserved dropping the same final payload.\r\nFigure 1: Malspam\r\n2.0.2 BluStealer's Main Component\r\nAs displayed in Figure 2, the resource section of the PE contains data with extremely high entropy, indicating that\r\nit is encrypted. This, along with the large size of the resource section, suggests that the PE is a loader. Examining\r\nthe resource section reveals two large arrays of encrypted data contained within a segment of the resource section\r\nnamed CUSTOM.\r\nhttps://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/\r\nPage 1 of 10\n\nFigure 2: Packed Resource Section\r\nOpening the PE in x64dbg, we can see that the first instruction at the entry point is a call to\r\nMSVBVM60.ThunRTMain. Executables compiled in VB6 and lower begin with a call to ThunRTMain, which\r\ntakes an address as its only argument. This address points to a structure, beginning with VB5!, that contains\r\ninformation about the given program. At an offset of 45 bytes, the structure normally contains the address of\r\naSubMain, which is the program's main function. 
However, as displayed in Figure 3, the address in this instance\r\nconsists of only null bytes, indicating that the executable had either been obfuscated or had its compilation routine\r\nmodified.\r\nFigure 3: Call to ThunRTMain\r\nOnce inside user-defined code, it can be seen that an encryption key is created with a call to\r\nbcrypt.BCryptGenerateSymmetricKey. Next, an array is created that contains the hex values 1 through 1300. Each\r\nelement of the array is allotted 16 bytes, as depicted in Figure 4.\r\nFigure 4: Initialized Array\r\nUsing the encryption key that was created previously, the malware encrypts the newly initialized array with a call\r\nto bcrypt.BCryptEncrypt. These encrypted bytes will be used as XOR keys, and are shown in Figure 5.\r\nFigure 5: XOR Keys\r\nThe malware then loads the first array of ciphertext from its resource section into memory and proceeds to decrypt\r\nit. As can be observed from the decryption routine, depicted in Figure 6, a byte from the ciphertext, pointed to by\r\nthe address stored in the ESI register, is moved into the BL register. This value is then XORed with an XOR key,\r\npointed to by the address stored in the EAX register. The resulting value is then moved back to its original place in\r\nthe ciphertext array. The pointers to both the ciphertext and XOR keys are incremented by one and the process\r\ncontinues in a loop until the ciphertext is fully decrypted.\r\nFigure 6: Decryption Routine\r\nThe decrypted ciphertext yields a PE. As shown in Figure 7, the malware loads the PE with a call to\r\nuser32.CallWindowProcW, with C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe as its second\r\nargument and the PE's address as its third. In this manner, the PE is executed with AppLaunch.exe, which is a\r\nMicrosoft .NET launch utility. 
This confirms our suspicions that the malware is indeed a loader.\r\nFigure 7: Call to CallWindowProcW\r\n2.0.3 ChromeRecovery.exe Stealing Module\r\nFigure 8 displays the loaded PE, a 32-bit .NET assembly with the internal name ChromeRecovery.exe and the\r\nMD5 hash 53e09987f7b648fb5c594734a8f7c4e4, opened in dnSpy, a .NET debugger and decompiler.\r\nChromeRecovery.exe begins by gathering system information, such as the computer name, username, Windows\r\nversion, antivirus solution, CPU name, GPU name, the amount of RAM, internal IP, and external IP. This\r\ninformation is written to C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\credentials.txt.\r\nIt steals login credentials and credit card data from numerous web browsers, such as Chrome,\r\nEdge, FireFox, Opera, and Yandex, by targeting the Cookies and Web Data caches. It also steals login credentials\r\nfrom Pidgin, NordVPN, SQLite, FileZilla and CoreFTP, and numerous email clients, such as Outlook,\r\nThunderBird, and Foxmail. It appends all data to credentials.txt. Also depicted in Figure 8 is the format in which\r\nstolen credentials are written. Contained within ChromeRecovery.exe's resource section is a 32-bit .NET assembly\r\nwith the internal name ConsoleApp8.exe (4509c33c251e8e075e4aa95001e35cdf), which is saved to the Templates\r\ndirectory, executed and then deleted. ConsoleApp8.exe steals credentials from Windows Vault and WinSCP and\r\nappends them to credentials.txt. One of our file detection signatures entitled malware_blustealer_0, listed below in\r\nthe Detections section, alerted on ChromeRecovery.exe as BluStealer. Interestingly, the malware sample that the\r\nsignature was based on was a 32-bit VB6-compiled executable (a1329dab78d5bac41e39034d840c30f1), analyzed\r\nin June of this year. 
Comparing both samples, we found that BluStealer's full functionality was originally\r\ncontained within a single PE file. However, it would appear as though BluStealer's authors have opted for a more\r\nmodular malware, spreading its functionality, as well as enhancing it, across multiple binaries.\r\nFigure 8: ChromeRecovery.exe Credential Stealing Module\r\n2.0.4 ThunderFox.exe Stealing Module\r\nWhen execution is transferred back to the loader, it loads the second array of ciphertext from its resource section\r\ninto memory and proceeds to decrypt it in the exact same manner as it employed with the first one. This also\r\nresults in a 32-bit .NET assembly (00cdcfc91db339be14f441be75e0dec7), which is also loaded with\r\nAppLaunch.exe via user32.CallWindowProcW. Opening the file, internally named 5.exe, in dnSpy reveals that it\r\ndecompresses the file entitled app from its resource section and reflectively loads it via a call to\r\nMethodBase.Invoke, as shown in Figure 9.\r\nFigure 9: 5.exe\r\nThe decompressed file is yet another 32-bit .NET assembly (6ae510da968ebcbf5a8661c080ac12fd). Its name,\r\nThunder-Fox.exe, is an amalgamation of ThunderBird and FireFox since it targets Mozilla products, which also\r\ninclude Waterfox, K-Meleon, IceDragon, Cyberfox, BlackHawK, and Pale Moon. These products are also targeted by\r\nChromeRecovery.exe but in a different manner. As depicted in Figure 10, ThunderFox extracts login credentials\r\nfrom logins.json, key4.db, signons.sqlite, and key3.db. logins.json stores encrypted passwords for Mozilla\r\nproducts, while key4.db is the Network Security Services (NSS) key database used to store Mozilla encryption\r\ndata, which is required to decrypt the encrypted passwords in logins.json. signons.sqlite and key3.db have the\r\nsame functionality just described but are used with legacy versions of Mozilla products. 
The stolen data is\r\nformatted the same as with ChromeRecovery and is also appended to credentials.txt.\r\nFigure 10: ThunderFox Credentials Stealing Module\r\n2.0.5 Exfiltration Traffic\r\nOnce ThunderFox is finished and execution is transferred back to BluStealer's main module, it makes a call to\r\nwinhttp.WinHttpConnect, which returns a connection handle to an HTTP session. As displayed in Figure 11, the\r\nsecond argument, specifying the target server, is api.telegram.org, which is being used as BluStealer's C2\r\ninfrastructure.\r\nFigure 11: Call to winhttp.WinHttpConnect\r\nThe final POST request and response from its C2 server can be viewed in Figure 12 and Figure 13, respectively.\r\nThe request's URL begins with the BotID 1901905375:AAFoPAvBxaWxmDiYbdJWH-OdsUuObDY0pjs, followed\r\nby the directory entitled sendDocument with the arguments chat_id and caption. The value of caption is the name\r\nof the text document containing the stolen information, followed by the delimiter :::, and the victim's computer\r\nname and username.\r\nFigure 12: Multipart/Form-Data Credentials Exfiltration\r\nFigure 13: C2 Response\r\nBluStealer sends another HTTP POST request, which unlike the first one, is not of the Content-Type\r\nmultipart/form-data. As observed in Figure 14, it sends the stolen data as in the first request. However, the URL is\r\ndifferent from that of the first one, as it ends in the directory sendMessage instead of sendDocument and is without\r\narguments. Moreover, the victim's computer name and username are now contained within the text parameter and\r\nfollow the value Passwords. It should be noted that the network traffic from BluStealer's June sample shares many\r\nsimilarities with the present sample. 
However, it is sent over Simple Mail Transfer Protocol (SMTP) rather than\r\nHTTP.\r\nFigure 14: Credentials Exfiltration\r\n2.0.6 BluStealer's Main Component's Stealing Capabilities\r\nBesides the ability to load stealing modules and exfiltrate data, the main component also comes with its own\r\nstealing capabilities. As shown in Figure 15, it makes a call to msvbvm60.rtcDir, an undocumented VB runtime\r\nfunction that returns file names from a directory. The directory being inquired about is Zcash, which is a\r\ncryptocurrency.\r\nFigure 15: Cryptocurrency Query\r\nFigure 16 portrays all the processes, captured by Process Monitor, that query cryptocurrency folders. The\r\ncryptocurrency wallets targeted include Zcash, Armory, Bytecoin, Jaxx Liberty, Exodus, Ethereum, Electrum,\r\nGuarda, and Coinomi.\r\nFigure 16: Cryptocurrency Wallets\r\nBluStealer's main component also has keylogging functionality, which is achieved by employing the commonly\r\nused method of polling user32.GetAsyncKeyState, which determines whether a key is pressed or not at the time of\r\nthe call.\r\nConclusion\r\nThe newly discovered threat BluStealer is equipped with a robust credential stealing tool set and is following the\r\nunfortunate trend of utilizing legitimate services, such as Telegram and Discord, for its malware infrastructure,\r\nwhich makes detection increasingly challenging.\r\nBy closely monitoring, analyzing, and reverse engineering, GoSecure Titan Labs, as part of our MDR offering,\r\nhave created signatures to detect the emerging threats discussed in this report.\r\nIndicators of Compromise\r\n**Type** **Indicator** **Description**\r\nMD5 1010589761b3051eec33681d0513242a Malspam Email\r\nMD5 01d4b90cc7c6281941483e1cccd438b2 ISO File\r\nMD5 6f7302e24899d1c05dcabbc8ec3e84d4 BluStealer's Main Component\r\nMD5 53e09987f7b648fb5c594734a8f7c4e4 ChromeRecovery.exe\r\nMD5 4509c33c251e8e075e4aa95001e35cdf ConsoleApp8.exe\r\nMD5 
00cdcfc91db339be14f441be75e0dec7 5.exe\r\nMD5 6ae510da968ebcbf5a8661c080ac12fd ThunderFox.exe\r\nMD5 a1329dab78d5bac41e39034d840c30f1 BluStealer June Sample\r\n## Detection\r\nGoSecure Titan Labs are providing the following signatures to help the community in detecting and identifying\r\nthe threats discussed in this report.\r\n`alert smtp any any -\u003e $EXTERNAL_NET any (\r\n msg:\"GS MALWARE BluStealer SMTP Exfiltration\";\r\n content:\"Subject|3a 20|Passwords::::\"; nocase; fast_pattern;\r\n content:\"\\\"; distance:0;\r\n flow:to_server, established;\r\n metadata:created 2021-07-02, type malware.stealer, os windows, tlp white, id 0; classtype:trojan-activity;\r\n sid:300001712;\r\n rev:1;\r\n)\r\nalert http any any -\u003e $EXTERNAL_NET any (\r\n msg:\"GS MALWARE BluStealer HTTP Exfiltration Group 1\";\r\n content:\"POST\"; http_method;\r\n content:\"caption=credentials.txt:::\"; http_uri; nocase; fast_pattern;\r\n flow:to_server, established;\r\n metadata:created 2021-09-10, type malware.stealer, os windows, tlp white, id 1; classtype:trojan-activity;\r\n sid:300001775;\r\n rev:1;\r\n)\r\nalert http any any -\u003e $EXTERNAL_NET any (\r\n msg:\"GS MALWARE BluStealer HTTP Exfiltration Group 2\";\r\n content:\"POST\"; http_method;\r\n content:\"text=Passwords:::\"; http_client_body; depth:17; nocase; fast_pattern; flow:to_server, established;\r\n metadata:created 2021-09-16, type malware.stealer, os windows, tlp white, id 2; classtype:trojan-activity;\r\n sid:300001776;\r\n rev:1;\r\n)\r\nimport \"pe\"\r\nimport \"math\"\r\nrule malware_other_vb5_loader_0 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"VB5/6-based Loaders\"\r\n reference = \"https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/\"\r\n hash = \"6f7302e24899d1c05dcabbc8ec3e84d4\"\r\n created = \"2021-09-10\"\r\n os = 
\"windows\"\r\nhttps://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/\r\nPage 5 of 10\n\ntype = \"malware.loader\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $obfuscated_aSubMain = { 56 42 35 21 [40] 00 00 00 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n math.entropy(0, filesize) \u003e= 7.0 and\r\n pe.imports(\"MSVBVM60.dll\", 100) and\r\n $obfuscated_aSubMain\r\n}\r\nrule malware_blustealer_0{\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"Blustealer Unpacked Infostealer\"\r\n created = \"2020-06-29\"\r\n type = \"malware.stealer\"\r\n hash = \"a1329dab78d5bac41e39034d840c30f1\"\r\n os = \"windows\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $string1 = \"::::\" ascii wide\r\n $string2 = \"CompName: \" ascii wide\r\n $string3 = \" - 64-bit\" ascii wide\r\n $string4 = \"=============================\" ascii wide\r\n $stealer1 = \"COREFTP\" ascii wide\r\n $stealer2 = \"Outlook\" ascii wide\r\n $stealer3 = \"signons.sqlite\" nocase ascii wide\r\n $stealer4 = \"filezilla\" nocase ascii wide\r\n $stealer5 = \"nordvpn\" nocase ascii wide\r\n $stealer6 = \"firefox\" nocase ascii wide\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n filesize \u003c 464KB and\r\n 2 of ($string*) and\r\n 3 of ($stealer*)\r\n}\r\nrule malware_blustealer_1 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\nhttps://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/\r\nPage 6 of 10\n\ndescription = \"BluStealer Main Component\"\r\n hash = \"6f7302e24899d1c05dcabbc8ec3e84d4\"\r\n created = \"2021-09-10\"\r\n os = \"windows\"\r\n type = \"malware.stealer\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $obfuscated_aSubMain = { 56 42 35 21 [40] 00 00 00 00 }\r\n $MSVBVM60 = \"MSVBVM60.dll\" ascii wide nocase\r\n $decryption_routine = { 8b [5] 8b 
[2] 03 [5] 0f 80 [4] 8b [5] 89 [2] 8b [5] 8b\r\n [2] 3b [5] 7f ?? ff 7? ?? 8b [2] ff 3? e8 [4] 8b ?? 8b\r\n [5] ff 7? ?? 8b [5] ff 7? ?? e8 [4] 8a ?? 32 ?? ff 7?\r\n ?? 8b [2] ff 3? e8 [4] 88 ?? 8b [2] 83 c? ?? 0f 80 [4]\r\n 89 [2] eb }\r\n $behavior_0 = \"https://api.telegram.org/bot\" ascii wide\r\n $behavior_1 = \"/sendDocument?chat_id=\" ascii wide\r\n $behavior_2 = \"\u0026caption=\" ascii wide\r\n $behavior_3 = \"text=\" ascii wide\r\n $behavior_4 = \"\u0026chat_id=\" ascii wide\r\n $behavior_5 = \"Content-Disposition: form-data; name=\\\"document\\\"; filename=\\\"\" ascii wide\r\n $behavior_6 = \"\\\\Ethereum\\\\keystore\" ascii wide\r\n $behavior_7 = \"RegWrite\" ascii wide\r\n $behavior_8 = \"\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\AppLaunch.exe\" ascii wide\r\n $behavior_9 = \"\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\InstallUtil.exe\" ascii wide\r\n $behavior_10 = \"HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*RD_\" ascii wide\r\n $behavior_11 = \"GetAsyncKeyState\" ascii wide\r\n $behavior_12 = \"SHFileOperationA\" ascii wide\r\n $behavior_13 = \"GetDesktopWindow\" ascii wide\r\n $behavior_14 = \"SHGetSpecialFolderLocation\" ascii wide\r\n $behavior_15 = \"SHGetPathFromIDListA\" ascii wide\r\n $behavior_16 = \"CallWindowProcW\" ascii wide\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n $obfuscated_aSubMain and\r\n $MSVBVM60 and\r\n ($decryption_routine or 13 of ($behavior_*))\r\n}\r\nrule malware_thunder_fox_gzip_0 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"Gzip Compressed ThunderFox Stealer\"\r\n hash = \"00cdcfc91db339be14f441be75e0dec7\"\r\n created = \"2021-09-15\"\r\n os = \"windows\"\r\n type = \"malware.stealer\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $compressed_payload = { 00 00 00 00 00 
20 FA 48 04 00 1F 8B 08 00 00 00\r\n 00 00 04 00 AC BD 09 80 1C 47 75 37 3E D3 77 CF\r\n B5 5B D3 B3 3D B3 BB D2 CE 4A F2 4A AD E9 99 95\r\n 76 57 C7 4A 3E 24 1F F8 C4 B6 6C 0B 7B 46 3E 24 }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n $compressed_payload\r\n}\r\nrule malware_thunder_fox_0 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"ThunderFox Stealer\"\r\n hash = \"6ae510da968ebcbf5a8661c080ac12fd\"\r\n created = \"2021-09-15\"\r\n os = \"windows\"\r\n type = \"malware.stealer\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $browser_0 = \"Pale Moon\" nocase ascii wide\r\n $browser_1 = \"Firefox\" nocase ascii wide\r\n $browser_2 = \"Waterfox\" nocase ascii wide\r\n $browser_3 = \"K-Meleon\" nocase ascii wide\r\n $browser_4 = \"Thunderbird\" nocase ascii wide\r\n $browser_5 = \"IceDragon\" nocase ascii wide\r\n $browser_6 = \"Cyberfox\" nocase ascii wide\r\n $browser_7 = \"BlackHawK\" nocase ascii wide\r\n $data_store_0 = \"logins.json\" nocase ascii wide\r\n $data_store_1 = \"key4.db\" nocase ascii wide\r\n $data_store_2 = \"signons.sqlite\" nocase ascii wide\r\n $data_store_3 = \"key3.db\" nocase ascii wide\r\n $data_store_4 = \"moz_logins\" nocase ascii wide\r\n $user_cred_0 = \"hostname\" nocase ascii wide\r\n $user_cred_1 = \"encryptedUsername\" nocase ascii wide\r\n $user_cred_2 = \"encryptedPassword\" nocase ascii wide\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n 5 of ($browser_*) and\r\n 3 of ($data_store_*) and\r\n 2 of ($user_cred_*)\r\n}\r\nrule malware_other_stealer_2 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"Generic Windows Vault Credential Stealer\"\r\n reference = 
\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-VaultCredential.ha\r\n created = \"2021-09-10\"\r\n os = \"windows\"\r\n type = \"malware.stealer\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $s1 = \"2F1A6504-0641-44CF-8BB5-3612D865F2E5\" ascii wide\r\n $s2 = \"Windows Secure Note\" ascii wide\r\n $s3 = \"3CCD5499-87A8-4B10-A215-608888DD3B55\" ascii wide\r\n $s4 = \"Windows Web Password Credential\"ascii wide\r\n $s5 = \"154E23D0-C644-4E6F-8CE6-5069272F999F\" ascii wide\r\n $s6 = \"Windows Credential Picker Protector\" ascii wide\r\n $s7 = \"4BF4C442-9B8A-41A0-B380-DD4A704DDB28\" ascii wide\r\n $s8 = \"Web Credentials\" ascii wide\r\n $s9 = \"77BC582B-F0A6-4E15-4E80-61736B6F3B29\" ascii wide\r\n $s10 = \"Windows Credentials\" ascii wide\r\n $s11 = \"E69D7838-91B5-4FC9-89D5-230D4D4CC2BC\" ascii wide\r\n $s12 = \"Windows Domain Certificate Credential\" ascii wide\r\n $s13 = \"3E0E35BE-1B77-43E7-B873-AED901B6275B\" ascii wide\r\n $s14 = \"Windows Domain Password Credential\" ascii wide\r\n $s15 = \"3C886FF3-2669-4AA2-A8FB-3F6759A77548\" ascii wide\r\n $s16 = \"Windows Extended Credential\" ascii wide\r\n $s17 = \"00000000-0000-0000-0000-000000000000\" ascii wide\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n all of them\r\n}\r\nrule malware_other_stealer_3 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"Generic WinSCP Credential Stealer\"\r\n reference = \"https://gist.github.com/jojonas/07c3771711fb19aed1f3\"\r\n hash = \"4509c33c251e8e075e4aa95001e35cdf\"\r\n created = \"2021-09-10\"\r\n os = \"windows\"\r\nhttps://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/\r\nPage 9 of 10\n\ntype = \"malware.stealer\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $s1 = \"Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions\" ascii wide nocase\r\n $s2 = \"HostName\" ascii wide nocase\r\n $s3 = \"UserName\" ascii 
wide nocase\r\n $s4 = \"Password\" ascii wide nocase\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n all of them\r\n}`\r\nSource: https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/"
	],
	"report_names": [
		"gosecure-titan-labs-technical-report-blustealer-malware-threat"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434459,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7c9a5b4e8dcbdc7b5a1f37be0de7849e6a90947.pdf",
		"text": "https://archive.orkl.eu/a7c9a5b4e8dcbdc7b5a1f37be0de7849e6a90947.txt",
		"img": "https://archive.orkl.eu/a7c9a5b4e8dcbdc7b5a1f37be0de7849e6a90947.jpg"
	}
}