General

  • Target

    swift Zirat Bankasi Swift Mesaji,pdf.exe

  • Size

    42KB

  • Sample

    221014-cq92yscde5

  • MD5

    950b2eb32fcabb720d713f05a9e621bd

  • SHA1

    8f4123b348c93691b5ef56c2280d027343686c68

  • SHA256

    f636d15642c8a199f125c5128bae3f367e7e9595af631d1080f24fc6d94fcb2a

  • SHA512

    23667ade6b2c826a10cdc303c7d0af97b79d13dfbac1eea5a4b823e12e845c104074847ae285225fc233dec920323f80ed514fe9cd81afdc1137899efbcbd226

  • SSDEEP

    384:n1YgDFY7RNpfkLxmnSj3ge0G9s3CkEZsHLEn74i/8E9VF0Ny2ZxkEZsHLEs4i/8R:1YgRmnSj3gYCB2eE/beEm

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5583812995:AAFKzjSLC2-pDvMQ8X47-80XjrRiWrDtxA/sendMessage?chat_id=5434600361

Targets

    • Target

      swift Zirat Bankasi Swift Mesaji,pdf.exe

    • Size

      42KB

    • MD5

      950b2eb32fcabb720d713f05a9e621bd

    • SHA1

      8f4123b348c93691b5ef56c2280d027343686c68

    • SHA256

      f636d15642c8a199f125c5128bae3f367e7e9595af631d1080f24fc6d94fcb2a

    • SHA512

      23667ade6b2c826a10cdc303c7d0af97b79d13dfbac1eea5a4b823e12e845c104074847ae285225fc233dec920323f80ed514fe9cd81afdc1137899efbcbd226

    • SSDEEP

      384:n1YgDFY7RNpfkLxmnSj3ge0G9s3CkEZsHLEn74i/8E9VF0Ny2ZxkEZsHLEs4i/8R:1YgRmnSj3gYCB2eE/beEm

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks