General
-
Target
swift Zirat Bankasi Swift Mesaji,pdf.exe
-
Size
42KB
-
Sample
221014-cq92yscde5
-
MD5
950b2eb32fcabb720d713f05a9e621bd
-
SHA1
8f4123b348c93691b5ef56c2280d027343686c68
-
SHA256
f636d15642c8a199f125c5128bae3f367e7e9595af631d1080f24fc6d94fcb2a
-
SHA512
23667ade6b2c826a10cdc303c7d0af97b79d13dfbac1eea5a4b823e12e845c104074847ae285225fc233dec920323f80ed514fe9cd81afdc1137899efbcbd226
-
SSDEEP
384:n1YgDFY7RNpfkLxmnSj3ge0G9s3CkEZsHLEn74i/8E9VF0Ny2ZxkEZsHLEs4i/8R:1YgRmnSj3gYCB2eE/beEm
Static task
static1
Behavioral task
behavioral1
Sample
swift Zirat Bankasi Swift Mesaji,pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
swift Zirat Bankasi Swift Mesaji,pdf.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5583812995:AAFKzjSLC2-pDvMQ8X47-80XjrRiWrDtxA/sendMessage?chat_id=5434600361
Targets
-
-
Target
swift Zirat Bankasi Swift Mesaji,pdf.exe
-
Size
42KB
-
MD5
950b2eb32fcabb720d713f05a9e621bd
-
SHA1
8f4123b348c93691b5ef56c2280d027343686c68
-
SHA256
f636d15642c8a199f125c5128bae3f367e7e9595af631d1080f24fc6d94fcb2a
-
SHA512
23667ade6b2c826a10cdc303c7d0af97b79d13dfbac1eea5a4b823e12e845c104074847ae285225fc233dec920323f80ed514fe9cd81afdc1137899efbcbd226
-
SSDEEP
384:n1YgDFY7RNpfkLxmnSj3ge0G9s3CkEZsHLEn74i/8E9VF0Ny2ZxkEZsHLEs4i/8R:1YgRmnSj3gYCB2eE/beEm
Score10/10-
StormKitty payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-