blustealer | 30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd

General

Target

Halkbank_Ekstre_20221003_081552_734629.pdf.exe
Size

965KB
MD5

8fb1f1ec968e52ae2c514d5e83639c6f
SHA1

18002ed9408c2ebb8c744365176e937f5b701336
SHA256

30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd
SHA512

08684e4b8e24fd97741ca48721999cd3edb9e6278cd44da4a9169c53f060369c2b8726b0b7f6a13449b11e3fa1471536c513eb1cecbd48377a02cf35833634d5
SSDEEP

12288:dENf32iNCdqE22rkaJprY5M9b31qtdBPh6T0wnrK4HTN:dSf31cdfvdprY5MFlMdR+0Y

Score

10^/10

blustealer stormkitty collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1124-75-0x00000000000A4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1124-74-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1124-77-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1124-79-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 2024 set thread context of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 1904 wrote to memory of 2024	1904	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	27
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28
PID 2024 wrote to memory of 1124	2024	Halkbank_Ekstre_20221003_081552_734629.pdf.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221003_081552_734629.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221003_081552_734629.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221003_081552_734629.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221003_081552_734629.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-79-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1124-77-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1124-72-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1124-74-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1904-58-0x0000000005820000-0x00000000058A0000-memory.dmp

Filesize
512KB

Download
memory/1904-59-0x0000000000CE0000-0x0000000000D08000-memory.dmp

Filesize
160KB

Download
memory/1904-54-0x0000000001000000-0x00000000010F8000-memory.dmp

Filesize
992KB

Download
memory/1904-57-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1904-56-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/1904-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/2024-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-81-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing