General

  • Target

     41570002689_20221001_05352297_HesapOzeti.exe

  • Size

    1.1MB

  • Sample

    221003-kd5wgagfdl

  • MD5

    6a58925feb3fe5477f8c44595d2c36cd

  • SHA1

    1b9565b62bee0d29a4f21eb617a88e9682e09862

  • SHA256

    19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a

  • SHA512

    fd83cb7cc2e9234f46f7b355a9ff66d26354adf1ba520d51ea3c95cf88ad6e618927d5c04ffa4248d887ad534d24b56a1485eeb6fbb40f603737012ff5898cde

  • SSDEEP

    12288:o/r9+ljmhNLbDYmcIZQWDA9aHZVIAodG21+sq+AJkZnfYHVKyGr3CQK4HTN2i8E6:EsljMLbDYquFY0o+A2ZwhGraJ

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

    • Target

       41570002689_20221001_05352297_HesapOzeti.exe

    • Size

      1.1MB

    • MD5

      6a58925feb3fe5477f8c44595d2c36cd

    • SHA1

      1b9565b62bee0d29a4f21eb617a88e9682e09862

    • SHA256

      19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a

    • SHA512

      fd83cb7cc2e9234f46f7b355a9ff66d26354adf1ba520d51ea3c95cf88ad6e618927d5c04ffa4248d887ad534d24b56a1485eeb6fbb40f603737012ff5898cde

    • SSDEEP

      12288:o/r9+ljmhNLbDYmcIZQWDA9aHZVIAodG21+sq+AJkZnfYHVKyGr3CQK4HTN2i8E6:EsljMLbDYquFY0o+A2ZwhGraJ

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks