General

  • Target

    hesaphareketi-01.zip

  • Size

    12KB

  • Sample

    221024-zj5vzsaecl

  • MD5

    4274674c33edee8e3e9aa4a6934aaa05

  • SHA1

    69e77c86087b2b7d8c55033d02013c74ced151c1

  • SHA256

    cf008579e85db4d3d31c9f0b6b6f017b93191ca6c1e40c3f3b547284b50a8c47

  • SHA512

    56d5aa2441d69bd251a1a450449cd580d5802522f1bed904097d4262fcc0f424791eba61c070ad6cb2af0c8a4aa62dd6c0e11f6f1376c56bfdf372329e46b031

  • SSDEEP

    384:aN4bNRdYRvI0pard5wyomCgoVkLkEd4QbYgZ+:3z0v9cr0yomCgh49

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650

Targets

    • Target

      hesaphareketi-01.exe

    • Size

      21KB

    • MD5

      637f5600bc9e451058c51aa3375fd1e5

    • SHA1

      c14318a0e020ccf5c2830940741df2cc8b8cd261

    • SHA256

      31b24d6daaf516f5fffae5cde34c047cdeb0bcd530b4d0babb3a5b5fbdfaf06e

    • SHA512

      50e43c6cf53dadfb3f02d69a55f809500a78ded85e8b5b8f675075c1628980905c7eb122091b3471731e10fdca29ff90c1ce50bbe2bf76e75b3b919dfb543510

    • SSDEEP

      192:cEeTcW0iOFLfh15JKsUBSjarhF0nxcsz7Fs2WS7M6zvlRJTHhnj4OpqZndlJ4bi:cERWkLfh15JKsUBZd2Zz5TBHCZJ5H1d

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks