blustealer | 52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7 | Triage

Submit
Reports

Overview

overview

Static

static

Ziraat Ban...ji.exe

windows7-x64

9

Ziraat Ban...ji.exe

windows10-2004-x64

Resubmissions

22-08-2022 13:50

220822-q5gwlsbeh5 3

22-08-2022 13:39

220822-qx9awsbea6 9

19-08-2022 15:22

220819-srv77afaer 10

Sharing

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

21KB
Sample

220819-srv77afaer
MD5

d865c75250a61c050f69dbb8735581a5
SHA1

3e7d1b0b961ea899e89902977e36b70fd92351a3
SHA256

52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7
SHA512

66f9439bd3f91e47ab4343147fe10d4a01fa1930b8533165744366c922865b59709683e9d453d5b2d80d12715bcb43b6898365026b12bda1817a4c8317d26500
SSDEEP

192:wC1NqE7QSmGvEKL5ccJu5ZtIZlBzeE8hHQ+mv:bxUYubtQBSdXm

Score

10^/10

blustealer stormkitty collection discovery persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

Ziraat Bankasi Swift Mesaji.exe

Resource

win7-20220812-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

Ziraat Bankasi Swift Mesaji.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  Ziraat Bankasi Swift Mesaji.exe
- Size
  
  21KB
- MD5
  
  d865c75250a61c050f69dbb8735581a5
- SHA1
  
  3e7d1b0b961ea899e89902977e36b70fd92351a3
- SHA256
  
  52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7
- SHA512
  
  66f9439bd3f91e47ab4343147fe10d4a01fa1930b8533165744366c922865b59709683e9d453d5b2d80d12715bcb43b6898365026b12bda1817a4c8317d26500
- SSDEEP
  
  192:wC1NqE7QSmGvEKL5ccJu5ZtIZlBzeE8hHQ+mv:bxUYubtQBSdXm
Score

10^/10

discovery blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Service Scanning

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2025

Terms | Privacy