General

  • Target

    hesaphareketi-01.pdf.exe

  • Size

    33KB

  • Sample

    220824-gde39saaf4

  • MD5

    d071661f5d97f4cad9f3ad6f89deb22a

  • SHA1

    4c84469d79f987d8cb33ab21ea2e4d850840dd66

  • SHA256

    d34d2bcd9b3777c6b55817e53c8e3b52d7f478c46694850f5dea5acf52544700

  • SHA512

    c457319d2804ddd9f50658a9d23fd7531ca3e195c996ea71cf34cb61d69e244b215960eddb42f8cf93824fdfb42244fd9274572a8240de46eb01f2c945296681

  • SSDEEP

    768:kldUwq5k2wlTMHcNS7dQ+pEDwGguTLqTDO5XNVZZb9WG:klGZ8NIQ+pENguTLqvO5Xn9WG
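Added example, not part of the sandbox report or of the sample: a short Python script that computes the same four digests listed above for a file and checks them against this report's IoCs, for use when triaging a suspected copy of hesaphareketi-01.pdf.exe. The hash values are copied from the page; the file path is supplied on the command line and SSDEEP is left out because it needs a third-party library.

```python
import hashlib
import sys

# IoCs copied from the report above for hesaphareketi-01.pdf.exe.
REPORT_IOCS = {
    "md5": "d071661f5d97f4cad9f3ad6f89deb22a",
    "sha1": "4c84469d79f987d8cb33ab21ea2e4d850840dd66",
    "sha256": "d34d2bcd9b3777c6b55817e53c8e3b52d7f478c46694850f5dea5acf52544700",
    "sha512": "c457319d2804ddd9f50658a9d23fd7531ca3e195c996ea71cf34cb61d69e244b"
              "215960eddb42f8cf93824fdfb42244fd9274572a8240de46eb01f2c945296681",
}

DIGESTS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Return the four digests used in the report as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashers at once so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(hashes: dict, iocs: dict = REPORT_IOCS) -> list:
    """Return the names of every digest that matches the IoC set (empty list = no match).

    Comparison is case-insensitive because threat feeds disagree on hex case,
    and only digests present in both dicts are compared, so a partial set of
    hashes (e.g. just a SHA256 from a feed) still works.
    """
    return sorted(
        name for name, value in iocs.items()
        if name in hashes and hashes[name].lower() == value.lower()
    )


if __name__ == "__main__":
    # Usage: python check_sample.py <path-to-suspect-file>
    digests = hash_file(sys.argv[1])
    for name in DIGESTS:
        print(f"{name:6s} {digests[name]}")
    hits = match_iocs(digests)
    print("MATCH on", ", ".join(hits) if hits else "NO MATCH against report IoCs")
```

A match on any one digest is enough to confirm the file is the reported sample; a mismatch on all four only says it is not this exact binary, since a recompiled or repacked build of the same stealer will carry different hashes.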

Malware Config

Targets

    • Target

      hesaphareketi-01.pdf.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data from the registry, typically to harvest stored mail account credentials.

    • Adds Run key to start application

      A value under a Run registry key launches an application at logon, a common persistence mechanism.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Commonly used to redirect a suspended thread to injected code, as in process hollowing.
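Added example, not from the report or the sandbox: a minimal detection over constructed registry-event lines that flags the three registry-based behaviours listed above (Run key persistence, Outlook profile access, country-code lookup). The key="value" event format and every sample line are constructed for this example; the Run key and Office 16 Outlook profile paths are standard Windows locations, while the Control Panel\International\Geo\Nation value is an assumption about what the "computer location settings" check reads.

```python
import re

# Each rule: (signature name as listed in the report, path pattern, registry operations that count).
# The Run key and Office Outlook\Profiles paths are well-known; Geo\Nation is an assumption
# for the "Checks computer location settings" behaviour.
RULES = [
    ("Adds Run key to start application",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
     {"SetValue"}),                         # only writes are persistence; reads are normal
    ("Accesses Microsoft Outlook profiles",
     re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
     {"OpenKey", "QueryValue", "SetValue"}),
    ("Checks computer location settings",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
     {"QueryValue"}),
]


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" registry event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def classify(events) -> dict:
    """Return {signature name: [image paths]} for every rule that fires on the events."""
    hits = {}
    for line in events:
        ev = parse_event(line)
        for name, pattern, ops in RULES:
            if ev.get("Operation") in ops and pattern.search(ev.get("Path", "")):
                hits.setdefault(name, []).append(ev.get("Image", "?"))
    return hits


# Constructed sample events (not real sandbox output). The last line is benign:
# Explorer reading its own Run value must not trigger the persistence rule.
SAMPLE_EVENTS = [
    r'Image="C:\Users\victim\Downloads\sample.exe" Operation="QueryValue" Path="HKCU\Control Panel\International\Geo\Nation"',
    r'Image="C:\Users\victim\Downloads\sample.exe" Operation="OpenKey" Path="HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002"',
    r'Image="C:\Users\victim\Downloads\sample.exe" Operation="SetValue" Path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"',
    r'Image="C:\Windows\explorer.exe" Operation="QueryValue" Path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"',
]

if __name__ == "__main__":
    for signature, images in classify(SAMPLE_EVENTS).items():
        print(f"{signature}: {', '.join(images)}")
```

The operation filter is the part worth keeping when porting this to real telemetry (Sysmon Event ID 12/13 or ETW registry events): a Run key is read by many legitimate processes at logon, so alerting on reads would drown the one write that actually establishes persistence.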

MITRE ATT&CK Enterprise v6

Tasks