General

  • Target

    hesaphareketi-01.exe

  • Size

    21KB

  • Sample

    221019-qnsa1sabdq

  • MD5

    490d4a3465fde85f1a3b6b4747664b6a

  • SHA1

    6f287c570da94f1d1a1470a1645890122c075a19

  • SHA256

    90215926494097b83b8fe2cf5c80dcce89f267c421f9c864890d2b82b7a4690e

  • SHA512

    2d4aa4082a3684ef083a88efc68004e0c47d2f905221570c0099b1e6fa2edb00b825760e82c563858b4636e403971e6bcec10d9a15b1d32dea4c127db5d830da

  • SSDEEP

    384:j+NWR0u/TBLqQFtXBMh2+DGi0mZqNewLrKcC/kXjRqmxWE4OB/uc2v42th:FqQFtY2G4mIewLCsXjwmxWtOB/ucCt

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

    • Target

      hesaphareketi-01.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks