General

  • Target

    hesaphareketi-01.exe

  • Size

    25KB

  • Sample

    221014-wlwhjseab3

  • MD5

    e37b33e5a3135cf368bfc434ab681600

  • SHA1

    d0176ba72e96a3ed239965d8ac63e6dba8280a72

  • SHA256

    2c3ce21aed9ecd191dfefd59e3ea35ec6ec665cbe79f35e628b6e720d2233662

  • SHA512

    1c906cd557c4cf62a1c9563fdad81392b4de773b866f376c42da6266b7de0fd3487d47a7346cfb49b41bf827a6d84fa0ed1e40c46c1404fcbf56a48c0f64e873

  • SSDEEP

    384:ovncQtfcSL+x2JQFkLYLvLRHUQUngAFoTT:ozlcoMjxkrov

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Targets

    • Target

      hesaphareketi-01.exe

    • Size

      25KB

    • MD5

      e37b33e5a3135cf368bfc434ab681600

    • SHA1

      d0176ba72e96a3ed239965d8ac63e6dba8280a72

    • SHA256

      2c3ce21aed9ecd191dfefd59e3ea35ec6ec665cbe79f35e628b6e720d2233662

    • SHA512

      1c906cd557c4cf62a1c9563fdad81392b4de773b866f376c42da6266b7de0fd3487d47a7346cfb49b41bf827a6d84fa0ed1e40c46c1404fcbf56a48c0f64e873

    • SSDEEP

      384:ovncQtfcSL+x2JQFkLYLvLRHUQUngAFoTT:ozlcoMjxkrov

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks