General

  • Target

    Halkbank,doc.exe

  • Size

    104KB

  • Sample

    221027-nq5m1scadq

  • MD5

    eca5a273c2fd8d32e35a4af273064d5c

  • SHA1

    4dac9c2e6069f1007fab5f25e1f69be3310f6152

  • SHA256

    e8ec1e6c646cf6e7b9e8889ac902ec1facecc6d45236ceb0a3b0975d8aa13bfa

  • SHA512

    0e1c7c4587ebe29b5107e95f14d1ba8d1e784763012b7497552cfbfe6e269988f246a42ffabced99d7c5dde7e4a103691d6a6d62493c5d8bfbe037a881fa9182

  • SSDEEP

    1536:R1otmQi3h2Ovt0Yo++vw/18AyMMK4MIyp:R2twxOYo+mwNJb4MIyp

Malware Config

Extracted

  • Family

    blustealer

  • C2

    https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

    • Target

      Halkbank,doc.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks