# IoC for BluStealer

Malware analysis and more technical information at

### Table of Contents

* [BluStealer](#samples-sha-256)
* [Network indicators](#network-indicators)

## BluStealer

#### SHA-256

#### Crypto Address List

## Network indicators

#### Download URL

```
hxxps://cdn[.]discordapp.com/attachments/829530662406193185/881703391888281630/TME_delivery_status.iso
hxxps://cdn[.]discordapp.com/attachments/829530662406193185/882099214866333706/Shipment_Receipt.pdf.iso
```

#### SMTP

```
andres.galarraga@sismode.com (smtp.1and1.com)
saleseuropower@yandex.com
info@starkgulf.com (mail.starkgulf.com)
etopical@bojtai.club (mail.bojtai.club)
fernando@digitaldirecto.es (smtp.ionos.es)
baerbelscheibll1809@gmail.com
dashboard@grandamishabot.ru (shepherd.myhostcpl.com)
logs@grandamishabot.ru
shan@farm-finn.com (mail.farm-finn.com)
info@starkgulf.com (mail.starkgulf.com)
netline@netjul.shop (mail.restd.club)
```

#### Telegram Token

```
1901905375:AAFoPAvBxaWxmDiYbdJWH-OdsUuObDY0pjs
1989667182:AAFx2Rti45m06IscLpGbHo8v4659Q8swfkQ
```