General
-
Target
ziraat bankasi swift mesaji.exe
-
Size
213KB
-
Sample
221011-kndvqseggm
-
MD5
50ae452a762aae14ccab1d1e56983307
-
SHA1
1fe167e21638f2891585d7e1498160e3d3720594
-
SHA256
3f3f17de70e897ba762f6a6073b6716a4fc01e04ea0038a4f01ce7842c7d8a74
-
SHA512
9c36098e536cd242f99ba1eeb5a4606a823e95aef7d0d854e26bca9945cb134c9e8d9e137b63638aea985e23e6a82c9c8c061b3b1b56769f832b1ce9c1d9a8b1
-
SSDEEP
3072:GB0z1qxbki54KcMcc+4bIsJUWGTBPZFyfShcP:GB0z1qU7c+4Hql
Static task
static1
Behavioral task
behavioral1
Sample
ziraat bankasi swift mesaji.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ziraat bankasi swift mesaji.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650
Targets
-
-
Target
ziraat bankasi swift mesaji.exe
-
Size
213KB
-
MD5
50ae452a762aae14ccab1d1e56983307
-
SHA1
1fe167e21638f2891585d7e1498160e3d3720594
-
SHA256
3f3f17de70e897ba762f6a6073b6716a4fc01e04ea0038a4f01ce7842c7d8a74
-
SHA512
9c36098e536cd242f99ba1eeb5a4606a823e95aef7d0d854e26bca9945cb134c9e8d9e137b63638aea985e23e6a82c9c8c061b3b1b56769f832b1ce9c1d9a8b1
-
SSDEEP
3072:GB0z1qxbki54KcMcc+4bIsJUWGTBPZFyfShcP:GB0z1qU7c+4Hql
Score10/10-
StormKitty payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-