Analysis
-
max time kernel
191s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 13:24
Static task
static1
Behavioral task
behavioral1
Sample
hesaphareketi-01.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
hesaphareketi-01.exe
Resource
win10v2004-20220812-en
General
-
Target
hesaphareketi-01.exe
-
Size
21KB
-
MD5
490d4a3465fde85f1a3b6b4747664b6a
-
SHA1
6f287c570da94f1d1a1470a1645890122c075a19
-
SHA256
90215926494097b83b8fe2cf5c80dcce89f267c421f9c864890d2b82b7a4690e
-
SHA512
2d4aa4082a3684ef083a88efc68004e0c47d2f905221570c0099b1e6fa2edb00b825760e82c563858b4636e403971e6bcec10d9a15b1d32dea4c127db5d830da
-
SSDEEP
384:j+NWR0u/TBLqQFtXBMh2+DGi0mZqNewLrKcC/kXjRqmxWE4OB/uc2v42th:FqQFtY2G4mIewLCsXjwmxWtOB/ucCt
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/1756-151-0x00000000005B0000-0x00000000005CA000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation hesaphareketi-01.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Thabplk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rhmklkxft\\Thabplk.exe\"" hesaphareketi-01.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4824 set thread context of 4884 4824 hesaphareketi-01.exe 88 PID 4884 set thread context of 1756 4884 hesaphareketi-01.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4640 powershell.exe 4640 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4824 hesaphareketi-01.exe Token: SeDebugPrivilege 4640 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4884 hesaphareketi-01.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4824 wrote to memory of 4640 4824 hesaphareketi-01.exe 80 PID 4824 wrote to memory of 4640 4824 hesaphareketi-01.exe 80 PID 4824 wrote to memory of 4640 4824 hesaphareketi-01.exe 80 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4824 wrote to memory of 4884 4824 hesaphareketi-01.exe 88 PID 4884 wrote to memory of 1756 4884 hesaphareketi-01.exe 89 PID 4884 wrote to memory of 1756 4884 hesaphareketi-01.exe 89 PID 4884 wrote to memory of 1756 4884 hesaphareketi-01.exe 89 PID 4884 wrote to memory of 1756 4884 hesaphareketi-01.exe 89 PID 4884 wrote to memory of 1756 4884 hesaphareketi-01.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exeC:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Checks processor information in registry
PID:1756
-
-