General

  • Target: hesaphareketi-01.exe
  • Size: 30KB
  • Sample: 221017-v5etgacdg8
  • MD5: e6afab8c4782348cc7fab5c84acf1883
  • SHA1: 279ebffe57812186e4d4a7d65160b98674950a60
  • SHA256: abfc03fd72f7e6827cf30bf0b28bd95fbda4095c549e4a07b5f23b7aeb55f4c8
  • SHA512: 6adfd0a446dbe13e09e71d71efc43be8cdf0ef579a5e6182d328da48ff88523c9bac8743e60fa0fbfb033dc12e583972d959ff7d4e6b8725dcedb36499b43678
  • SSDEEP: 768:cobj0sOzazGQloqQFtY2GmmIewLCsXjwmxWtOB/ucCJ:chylovczSLXjwmxWtG/+J

Malware Config

Extracted

  • Family: blustealer
  • C2: https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Targets

    • Target: hesaphareketi-01.exe (30KB; hashes as listed under General)

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks