General
-
Target
Halkbank,doc.exe
-
Size
104KB
-
Sample
221027-nq5m1scadq
-
MD5
eca5a273c2fd8d32e35a4af273064d5c
-
SHA1
4dac9c2e6069f1007fab5f25e1f69be3310f6152
-
SHA256
e8ec1e6c646cf6e7b9e8889ac902ec1facecc6d45236ceb0a3b0975d8aa13bfa
-
SHA512
0e1c7c4587ebe29b5107e95f14d1ba8d1e784763012b7497552cfbfe6e269988f246a42ffabced99d7c5dde7e4a103691d6a6d62493c5d8bfbe037a881fa9182
-
SSDEEP
1536:R1otmQi3h2Ovt0Yo++vw/18AyMMK4MIyp:R2twxOYo+mwNJb4MIyp
Static task
static1
Behavioral task
behavioral1
Sample
Halkbank,doc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Halkbank,doc.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896
Targets
-
-
Target
Halkbank,doc.exe
-
Size
104KB
-
MD5
eca5a273c2fd8d32e35a4af273064d5c
-
SHA1
4dac9c2e6069f1007fab5f25e1f69be3310f6152
-
SHA256
e8ec1e6c646cf6e7b9e8889ac902ec1facecc6d45236ceb0a3b0975d8aa13bfa
-
SHA512
0e1c7c4587ebe29b5107e95f14d1ba8d1e784763012b7497552cfbfe6e269988f246a42ffabced99d7c5dde7e4a103691d6a6d62493c5d8bfbe037a881fa9182
-
SSDEEP
1536:R1otmQi3h2Ovt0Yo++vw/18AyMMK4MIyp:R2twxOYo+mwNJb4MIyp
Score10/10-
StormKitty payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-