blustealer | 126f5c52f11be3cd3a1d0abfb756975a103999757b90e64abc5d415d04c6689c

Analysis

max time kernel
184s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe
Size

175KB
MD5

abe6ca791db534c12bef5ea422084c09
SHA1

3f27e6e2860e37ec43d95e56544baee9d7c5ba2d
SHA256

126f5c52f11be3cd3a1d0abfb756975a103999757b90e64abc5d415d04c6689c
SHA512

7e6c4b33f4ddbb2cd947fa07230e615d2dd5cdb27be3f3b959e51db79646f480c74bbf61decb071a80e5855acfd055b765fe71cc6b1e114f0b5857ef07bb9fb9
SSDEEP

3072:d2mRPME2xzNrb7Hac9VjFGfe/B8bv8zYUvsNs14avcvLtSzqJEVDR:d202xzNf7HauVjFGfmKiYhsGavMLtXEV

Score

10^/10

blustealer stormkitty spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4900-143-0x0000000000F30000-0x0000000000F4A000-memory.dmp	family_stormkitty

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 2848 set thread context of 4900	2848	Regsvcs.exe	87

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	Regsvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 4120 wrote to memory of 2848	4120	SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe	84
PID 2848 wrote to memory of 4900	2848	Regsvcs.exe	87
PID 2848 wrote to memory of 4900	2848	Regsvcs.exe	87
PID 2848 wrote to memory of 4900	2848	Regsvcs.exe	87
PID 2848 wrote to memory of 4900	2848	Regsvcs.exe	87
PID 2848 wrote to memory of 4900	2848	Regsvcs.exe	87

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4120-132-0x000002EE33FC0000-0x000002EE33FF2000-memory.dmp

Filesize
200KB

Download
memory/4120-134-0x00007FF8CEAE0000-0x00007FF8CF5A1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-137-0x00007FF8CEAE0000-0x00007FF8CF5A1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-143-0x0000000000F30000-0x0000000000F4A000-memory.dmp

Filesize
104KB

Download
memory/4900-145-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download