General

  • Target

    Hesaphareketi-01.exe

  • Size

    87KB

  • Sample

    221007-rqptcacfg6

  • MD5

    4696c1991b56b936a260d10c24e9f0a6

  • SHA1

    e0a92d221c411e55435f032713e399723a06d707

  • SHA256

    1de6232574a545bdc8d105cbdaaa84dcf6dc0d71774d46c7fbe158b13e11dd1a

  • SHA512

    038975431034090209b381f84a2b71b3cc77f795ccf163c58dda28a17d5d1020b00f966393e1acbaeced298e3f5ce4f859242e3a4350c36f7011d2763a9d4447

  • SSDEEP

    1536:PeEjNohembYWbo39G6AwOCy1hQfCw071xg/59jf:WEeho3rHyvo/bjf

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5472661190:AAH0_Es3-7EvHKo3diARLmBSPyMQ64sYLC8/sendMessage?chat_id=1148000519

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks