blustealer | 06a16b27c0fb73721a8e914688491abab539ea56fbe8df580fa91b22a0c8afec

General

Target

SecuriteInfo.com.Win32.PWSX-gen.3137.exe
Size

166KB
MD5

74c571340a29f8b79e012e9d835ac426
SHA1

81401ab6f1e291774d5465750eaedac986d4dc3b
SHA256

06a16b27c0fb73721a8e914688491abab539ea56fbe8df580fa91b22a0c8afec
SHA512

c8593976fa0a77b0108e71796b17df72d0cbe82d91b7bf9d1c4bbebaeeb21827c7861b9d5b9a89bbf53ef2845acfdaac2461cd772e212cae2985dd2233425b18
SSDEEP

3072:ep8xfXO3mVO6ipX6PN6BrjZy7EZRgA3NAR8MrDgeLdj8bKrOHm:k8xfQmVtipX6VWDHCRhXFdoO6G

Score

10^/10

blustealer stormkitty collection spyware stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3480-141-0x0000000000770000-0x000000000078A000-memory.dmp	family_stormkitty

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 228 set thread context of 3480	228	aspnet_compiler.exe	89

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 1336 wrote to memory of 228	1336	SecuriteInfo.com.Win32.PWSX-gen.3137.exe	85
PID 228 wrote to memory of 3480	228	aspnet_compiler.exe	89
PID 228 wrote to memory of 3480	228	aspnet_compiler.exe	89
PID 228 wrote to memory of 3480	228	aspnet_compiler.exe	89
PID 228 wrote to memory of 3480	228	aspnet_compiler.exe	89
PID 228 wrote to memory of 3480	228	aspnet_compiler.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3137.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3137.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/228-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/228-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/228-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1336-132-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/3480-141-0x0000000000770000-0x000000000078A000-memory.dmp

Filesize
104KB

Download
memory/3480-142-0x0000000004BD0000-0x0000000004C36000-memory.dmp

Filesize
408KB

Download
memory/3480-143-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing