blustealer | 7130b704fe2c8bf91508ad0dfa4869780e5afc92918f0f92e25c4e9523d1ab56 | Triage

Submit
Reports

Overview

overview

Static

static

Ziraat Ban...df.exe

windows7-x64

Ziraat Ban...df.exe

windows10-2004-x64

Sharing

General

Target

Ziraat Bankasi Swift Mesaji.pdf.exe
Size

896KB
Sample

221006-nfzc9ahbf6
MD5

44be4836f3228810bdb241f11a393952
SHA1

6ad820d986a29601c52346323cdeff859deba0b6
SHA256

7130b704fe2c8bf91508ad0dfa4869780e5afc92918f0f92e25c4e9523d1ab56
SHA512

a17b9c1e08bb8bed6bc338e4ce9ccef5639fd4e9259d4401a18942c33370abce56aad6643f57be550c4066eb276ab1286647f7c326a3db9a4ef62b257416d165
SSDEEP

12288:FHa2PRb2y2aWXAwWVTqiG78nvYpYWJrj+vSjURiijEZs1s4A54ve:UY2zXKV28nv8xj3jUR/E624ve

Score

10^/10

blustealer stormkitty collection stealer

Static task

static1

Behavioral task

behavioral1

Sample

Ziraat Bankasi Swift Mesaji.pdf.exe

Resource

win7-20220812-en

blustealer stormkitty collection stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Ziraat Bankasi Swift Mesaji.pdf.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Targets

- Target
  
  Ziraat Bankasi Swift Mesaji.pdf.exe
- Size
  
  896KB
- MD5
  
  44be4836f3228810bdb241f11a393952
- SHA1
  
  6ad820d986a29601c52346323cdeff859deba0b6
- SHA256
  
  7130b704fe2c8bf91508ad0dfa4869780e5afc92918f0f92e25c4e9523d1ab56
- SHA512
  
  a17b9c1e08bb8bed6bc338e4ce9ccef5639fd4e9259d4401a18942c33370abce56aad6643f57be550c4066eb276ab1286647f7c326a3db9a4ef62b257416d165
- SSDEEP
  
  12288:FHa2PRb2y2aWXAwWVTqiG78nvYpYWJrj+vSjURiijEZs1s4A54ve:UY2zXKV28nv8xj3jUR/E624ve
Score

10^/10

blustealer stormkitty collection stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionstealer

behavioral2

blustealerstormkittycollectionstealer

© 2018-2025

Terms | Privacy