General

  • Target

    hesaphareketi-01.exe

  • Size

    23KB

  • Sample

    221014-gwfgrabbbp

  • MD5

    f6b1dd2591feab56f364a1ccaa7e2538

  • SHA1

    4a703eebae8be5be510b2a77f8c0c3c02eb67a32

  • SHA256

    826e3671ba9e4e5b882513fe4805843f9ed48d26738e2072d33655ffcafca83d

  • SHA512

    616a976e8108801e3e94128596bab266606fbc4edabccfbdd269121967fe1ecf948619e128775c8ca25e3df95cb67538d14dca2d9e633acd2935c8480cc684b8

  • SSDEEP

    192:GqjfkKXPCGDAev2PcoFTPnxcFz7Fs2WST6zvlRJTHhnj4OpqZndlJ4biHPNyW1:GqjfkFYAev2PbLYzQTBHCZJ5H1T

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822
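
The C2 above is the Telegram Bot API, so the durable indicators are the bot token (the `bot<id>:<secret>` path segment, where the numeric id stays fixed even if the operator rotates the secret) and the `chat_id` the stolen data is sent to. The Python below is an added example and not part of the report: it splits the extracted URL into those fields and then classifies constructed proxy log lines, flagging requests that carry this exact bot as `known_c2` and any other Bot API traffic as worth a look. The log format, the client IPs and the second bot token are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The C2 URL exactly as extracted in the report above.
C2_URL = ("https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo"
          "/sendMessage?chat_id=5334267822")

# Bot API requests look like https://api.telegram.org/bot<token>/<method>, where <token>
# is "<numeric bot id>:<secret>". The secret charset here is our own approximation;
# Telegram publishes no formal grammar for it.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)/?$")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into the indicators worth tracking."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: %s" % url)
    m = _BOT_PATH.match(parts.path)
    if not m:
        raise ValueError("unexpected Bot API path: %s" % parts.path)
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],                       # survives a secret rotation
        "token": "%s:%s" % (m["bot_id"], m["secret"]),  # full token: strongest indicator
        "method": m["method"],                       # sendMessage, sendDocument, getMe, ...
        "chat_id": query.get("chat_id", [None])[0],  # operator's chat, absent on e.g. getMe
    }


def classify_request(url, ioc):
    """Return 'known_c2', 'telegram_bot_api' or None for one requested URL."""
    try:
        req = parse_telegram_c2(url)
    except ValueError:
        return None
    if req["token"] == ioc["token"] or req["bot_id"] == ioc["bot_id"]:
        return "known_c2"
    # A different bot: not this sample, but Bot API calls from a workstation are unusual.
    return "telegram_bot_api"


# Constructed proxy log lines (timestamp client method url status); not from the report.
PROXY_LOG = """\
2022-10-14T07:12:03Z 10.0.0.15 POST https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822 200
2022-10-14T07:12:04Z 10.0.0.15 GET https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/getMe 200
2022-10-14T07:12:09Z 10.0.0.22 GET https://www.example.com/ 200
2022-10-14T07:13:41Z 10.0.0.31 POST https://api.telegram.org/bot111222333:AAEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/sendMessage?chat_id=42 200
"""


def scan_proxy_log(log_text, c2_url=C2_URL):
    """Return (client_ip, verdict, url) for every line that touches the Bot API."""
    ioc = parse_telegram_c2(c2_url)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the whole hunt
        _ts, client, _method, url, _status = fields
        verdict = classify_request(url, ioc)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(PROXY_LOG):
        print(client, verdict, url)
```

Matching on the numeric bot id as well as the full token is deliberate: if the operator regenerates the secret with BotFather the id in front of the colon does not change, so the weaker match still catches the rotated token. TLS proxies that only log the host will see nothing more specific than `api.telegram.org`; the token is only visible where the URL path is decrypted or recovered from the sample itself, as in this report.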

Targets

    • Target

      hesaphareketi-01.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
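
Taken one at a time, the behaviours listed above are weak signals: plenty of installers write a Run key, and many legitimate tools query a public IP-lookup service. What makes them useful for hunting is seeing several of them from the same process, so the Python below correlates Sysmon-style registry and DNS events per process and only reports a process that shows two or more of the stealer behaviours together. It is an added example, not part of the report or of any sandbox's detection logic; the events, process IDs, paths and SID are constructed, and the list of IP-lookup hosts is an assumption (the report does not say which service the sample used).

```python
import re

# Run-key persistence, as flagged by the "Adds Run key" signature above. Case-insensitive and
# anchored on the key suffix so it matches HKCU, HKLM, HKU\<SID> and the Wow6432Node view alike.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)

# Assumed watchlist of public IP-lookup services; the report only says a "legitimate
# IP lookup service" was contacted and does not name it, so this list is our own.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ipinfo.io",
                   "checkip.amazonaws.com", "ifconfig.me"}

SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
STEALER = r"C:\Users\victim\Downloads\hesaphareketi-01.exe"  # constructed path

# Constructed events in the shape of Sysmon EID 13 (RegistryEvent, value set) and
# EID 22 (DnsQuery). None of these come from the report's task logs.
SAMPLE_EVENTS = [
    {"eid": 13, "pid": 4120, "image": STEALER,
     "target": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hesaphareketi" % SID,
     "details": r"C:\Users\victim\AppData\Roaming\hesaphareketi-01.exe"},
    {"eid": 22, "pid": 4120, "image": STEALER, "query": "api.ipify.org"},
    {"eid": 22, "pid": 4120, "image": STEALER, "query": "api.telegram.org"},
    # A vendor updater registering itself: one Run key alone is not a stealer.
    {"eid": 13, "pid": 912, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"eid": 22, "pid": 2288, "image": r"C:\Windows\explorer.exe", "query": "www.example.com"},
    # A registry write under CurrentVersion that is NOT a Run key; must not match.
    {"eid": 13, "pid": 4120, "image": STEALER,
     "target": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" % SID,
     "details": "DWORD (0x00000001)"},
]


def tag_event(ev):
    """Map one event to the stealer behaviours it evidences, or [] if uninteresting."""
    tags = []
    if ev["eid"] == 13 and RUN_KEY.search(ev["target"]):
        tags.append("run_key_persistence")
    if ev["eid"] == 22:
        q = ev["query"].lower()
        if q in IP_LOOKUP_HOSTS:
            tags.append("external_ip_lookup")
        elif q == "api.telegram.org":   # DNS view of the Bot API C2 in the extracted config
            tags.append("telegram_bot_api")
    return tags


def correlate(events):
    """Group behaviours per process: {pid: {"image": ..., "signals": set(...)}}."""
    per_pid = {}
    for ev in events:
        tags = tag_event(ev)
        if not tags:
            continue
        entry = per_pid.setdefault(ev["pid"], {"image": ev["image"], "signals": set()})
        entry["signals"].update(tags)
    return per_pid


def stealer_candidates(events, min_signals=2):
    """PIDs showing at least min_signals distinct behaviours; the combination is the tell."""
    return sorted(pid for pid, e in correlate(events).items()
                  if len(e["signals"]) >= min_signals)


if __name__ == "__main__":
    for pid, entry in correlate(SAMPLE_EVENTS).items():
        print(pid, entry["image"], sorted(entry["signals"]))
    print("candidates:", stealer_candidates(SAMPLE_EVENTS))
```

The threshold is the tunable part: `min_signals=2` keeps the updater (persistence only) and explorer.exe (ordinary DNS) out of the result while the sample's process, which persists, resolves an IP-lookup host and resolves the Telegram API, is reported. The registry read behind "Checks computer location settings" and the Outlook profile access are not in this model because Sysmon records registry value writes and deletions, not reads; catching those needs an EDR that logs registry reads or a YARA/memory check on the process itself.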
