General

  • Target: hesaphareketi-01.exe
  • Size: 88KB
  • Sample: 221014-wgaehsdhh8
  • MD5: b512acd6e24d0dd3f81451daf4e3cd59
  • SHA1: 7463697bb4396a5193c6ab690e240558beb921b9
  • SHA256: a1f05c1b3abcd13e9666882d300ab3e39865b0ace466e8e62737787caacf77b0
  • SHA512: 8de538963955c57e30ac45debc5d5c00305ea41d2aa6d539d0a62c5b55b0208ae123bb9e85787921fcb00c8b3b0b4d96767f4d7d03c604e553aeb3016a198a17
  • SSDEEP: 384:YAfkHnAev2PRr3Gy+AzJLVK8SykdvA98pgNkDlmSyqf2odsgwjbYJp2trlq8R:YzHw5z5LVKkSohN0lUqf2TbYJWRqK

Malware Config

Extracted

Family: blustealer

C2: https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

    • Target: hesaphareketi-01.exe
    • Size: 88KB
    • MD5: b512acd6e24d0dd3f81451daf4e3cd59
    • SHA1: 7463697bb4396a5193c6ab690e240558beb921b9
    • SHA256: a1f05c1b3abcd13e9666882d300ab3e39865b0ace466e8e62737787caacf77b0
    • SHA512: 8de538963955c57e30ac45debc5d5c00305ea41d2aa6d539d0a62c5b55b0208ae123bb9e85787921fcb00c8b3b0b4d96767f4d7d03c604e553aeb3016a198a17
    • SSDEEP: 384:YAfkHnAev2PRr3Gy+AzJLVK8SykdvA98pgNkDlmSyqf2odsgwjbYJp2trlq8R:YzHw5z5LVKkSohN0lUqf2TbYJWRqK

    • BluStealer: A modular information stealer written in Visual Basic.
    • StormKitty: An open-source information stealer written in C#.
    • StormKitty payload
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Adds Run key to start application
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks