Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2022 20:45
Static task
static1
Behavioral task
behavioral1
Sample
hesaphareketi-01,pdf.zip
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
hesaphareketi-01,pdf.zip
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
hesaphareketi-01,pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
hesaphareketi-01,pdf.exe
Resource
win10v2004-20220812-en
General
-
Target
hesaphareketi-01,pdf.exe
-
Size
22KB
-
MD5
d8748aaaee46da2fc83ef3122863cd41
-
SHA1
df2a9725d6d3df7d53137300e9e6197ff161ff58
-
SHA256
5e24b8db8856eba5cb5a2547949d3a3fbfb9c125172de04f8eb598f4ef33b526
-
SHA512
64810d855583b27fe27f58ae22497df9debbcd3d59ebcd4842fa6734a27a9c93e47f3a72f0a2d5f33ec03cdf5ef15ba992daf7b332f491844a466bb168961925
-
SSDEEP
192:4b16DLDiNHv+figinxcsz7Fs2WS7M6zvlRJTHhnj4OpqZndlJ4biHPNLm:vDLDiJv+atZz5TBHCZJ5H1L
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral4/memory/4468-142-0x0000000000DA0000-0x0000000000DBA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5088 set thread context of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 2148 set thread context of 4468 2148 hesaphareketi-01,pdf.exe 85 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5088 hesaphareketi-01,pdf.exe Token: SeDebugPrivilege 4468 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2148 hesaphareketi-01,pdf.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 5088 wrote to memory of 2148 5088 hesaphareketi-01,pdf.exe 84 PID 2148 wrote to memory of 4468 2148 hesaphareketi-01,pdf.exe 85 PID 2148 wrote to memory of 4468 2148 hesaphareketi-01,pdf.exe 85 PID 2148 wrote to memory of 4468 2148 hesaphareketi-01,pdf.exe 85 PID 2148 wrote to memory of 4468 2148 hesaphareketi-01,pdf.exe 85 PID 2148 wrote to memory of 4468 2148 hesaphareketi-01,pdf.exe 85 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01,pdf.exe"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01,pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01,pdf.exeC:\Users\Admin\AppData\Local\Temp\hesaphareketi-01,pdf.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4468
-
-