blustealer | f9e4451730239448df0b825886e85b1af1ce388697ed890e8d1d4152b09312d0 | Triage

Submit
Reports

Overview

overview

Static

static

Ziraat Ban...ji.exe

windows7-x64

Ziraat Ban...ji.exe

windows10-2004-x64

Sharing

General

Target

Ziraat Bankasi swift mesaji.exe
Size

859KB
Sample

220922-mkyf3sbca2
MD5

2aef199a37a0cb73fc832ce7e26da6f3
SHA1

3ced4d57eeaa6d22e2a1b247ce7ae87729e02d5d
SHA256

f9e4451730239448df0b825886e85b1af1ce388697ed890e8d1d4152b09312d0
SHA512

eafe6158ff2c9e26c97a64ff73b886db3a1133d56bbd02b2d3b9cefdcef68b7de573661331489d8fbbd7c83c756c42120019328c44bb0dcd09ff6d373313a10a
SSDEEP

12288:lNtcDwROWJpq7bwwgNrEEGoQ1k5FQm+cQoFw2x2agCN+TiGJMTQRAFB8:hcDwRq7bLg2EG10FCcQoFjx5TN

Score

10^/10

blustealer stormkitty collection stealer

Static task

static1

Behavioral task

behavioral1

Sample

Ziraat Bankasi swift mesaji.exe

Resource

win7-20220901-en

blustealer stormkitty collection stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Ziraat Bankasi swift mesaji.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Targets

- Target
  
  Ziraat Bankasi swift mesaji.exe
- Size
  
  859KB
- MD5
  
  2aef199a37a0cb73fc832ce7e26da6f3
- SHA1
  
  3ced4d57eeaa6d22e2a1b247ce7ae87729e02d5d
- SHA256
  
  f9e4451730239448df0b825886e85b1af1ce388697ed890e8d1d4152b09312d0
- SHA512
  
  eafe6158ff2c9e26c97a64ff73b886db3a1133d56bbd02b2d3b9cefdcef68b7de573661331489d8fbbd7c83c756c42120019328c44bb0dcd09ff6d373313a10a
- SSDEEP
  
  12288:lNtcDwROWJpq7bwwgNrEEGoQ1k5FQm+cQoFw2x2agCN+TiGJMTQRAFB8:hcDwRq7bLg2EG10FCcQoFjx5TN
Score

10^/10

blustealer stormkitty collection stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionstealer

behavioral2

blustealerstormkittycollectionstealer

© 2018-2025

Terms | Privacy