General

  • Target

    hesaphareketi-01,pdf.iso

  • Size

    12KB

  • Sample

    221024-zj4mxsaeb5

  • MD5

    7a77d71c5a0996c1c6f79c90e54de6ba

  • SHA1

    d0d869076afe18c2d6f76ac625db2acee8de2679

  • SHA256

    1e9ba4037271ec3603d384619dff8a1be75a7ed04bd15714be1d23fa49709904

  • SHA512

    e519d5b3979e9e4f0fd426da31b2e6095426dfdc319c7a5e8cbc187354f460409cb141dde88fdebbde6fe8e6b19946c5c881f3f04838afb911a5313e03a3a583

  • SSDEEP

    384:aN4bNRF6n0t/U7Tn0CCaj7hNzFzxiB0kUA+k:3zFrt/U7T0avj40kUA+k

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650

Targets

    • Target

      hesaphareketi-01,pdf.iso

    • Size

      12KB

    • MD5

      7a77d71c5a0996c1c6f79c90e54de6ba

    • SHA1

      d0d869076afe18c2d6f76ac625db2acee8de2679

    • SHA256

      1e9ba4037271ec3603d384619dff8a1be75a7ed04bd15714be1d23fa49709904

    • SHA512

      e519d5b3979e9e4f0fd426da31b2e6095426dfdc319c7a5e8cbc187354f460409cb141dde88fdebbde6fe8e6b19946c5c881f3f04838afb911a5313e03a3a583

    • SSDEEP

      384:aN4bNRF6n0t/U7Tn0CCaj7hNzFzxiB0kUA+k:3zFrt/U7T0avj40kUA+k

    Score
    1/10
    • Target

      hesaphareketi-01,pdf.exe

    • Size

      22KB

    • MD5

      d8748aaaee46da2fc83ef3122863cd41

    • SHA1

      df2a9725d6d3df7d53137300e9e6197ff161ff58

    • SHA256

      5e24b8db8856eba5cb5a2547949d3a3fbfb9c125172de04f8eb598f4ef33b526

    • SHA512

      64810d855583b27fe27f58ae22497df9debbcd3d59ebcd4842fa6734a27a9c93e47f3a72f0a2d5f33ec03cdf5ef15ba992daf7b332f491844a466bb168961925

    • SSDEEP

      192:4b16DLDiNHv+figinxcsz7Fs2WS7M6zvlRJTHhnj4OpqZndlJ4biHPNLm:vDLDiJv+atZz5TBHCZJ5H1L

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks