General

  • Target

    ziraat bankasi swift mesaji.exe

  • Size

    213KB

  • Sample

    221011-km58laeeg6

  • MD5

    50ae452a762aae14ccab1d1e56983307

  • SHA1

    1fe167e21638f2891585d7e1498160e3d3720594

  • SHA256

    3f3f17de70e897ba762f6a6073b6716a4fc01e04ea0038a4f01ce7842c7d8a74

  • SHA512

    9c36098e536cd242f99ba1eeb5a4606a823e95aef7d0d854e26bca9945cb134c9e8d9e137b63638aea985e23e6a82c9c8c061b3b1b56769f832b1ce9c1d9a8b1

  • SSDEEP

    3072:GB0z1qxbki54KcMcc+4bIsJUWGTBPZFyfShcP:GB0z1qU7c+4Hql

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650

Targets

    • Target

      ziraat bankasi swift mesaji.exe

    • Size

      213KB

    • MD5

      50ae452a762aae14ccab1d1e56983307

    • SHA1

      1fe167e21638f2891585d7e1498160e3d3720594

    • SHA256

      3f3f17de70e897ba762f6a6073b6716a4fc01e04ea0038a4f01ce7842c7d8a74

    • SHA512

      9c36098e536cd242f99ba1eeb5a4606a823e95aef7d0d854e26bca9945cb134c9e8d9e137b63638aea985e23e6a82c9c8c061b3b1b56769f832b1ce9c1d9a8b1

    • SSDEEP

      3072:GB0z1qxbki54KcMcc+4bIsJUWGTBPZFyfShcP:GB0z1qU7c+4Hql

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks