blustealer | 3bb532a1c042b56a70ab6bdfc4d7ac5daf8637a34455b84f2b1e910534a8e026

General

Target

Halkbank_Ekstre_20221223_114527_468568,PDF.exe
Size

364KB
MD5

a81c89427eb400115d08cd4700910bbf
SHA1

2075d329511352113528f464dd7028496f71eb78
SHA256

3bb532a1c042b56a70ab6bdfc4d7ac5daf8637a34455b84f2b1e910534a8e026
SHA512

fc4191a98cd717ef92bd9e9663864d1ea91baef3309c38c9df9a21940e1f40945c81a2c67dccdc07e0ba4098c8ec90a6647dd5fa0e685e72599bcf72cb0b8a87
SSDEEP

6144:WkwFayrbJQxwr+HhqUtUH4onE5y9b66LXN4i:bgOxwrOtUHhEGLb

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4232-145-0x00000000005E0000-0x00000000005FA000-memory.dmp	family_stormkitty

Executes dropped EXE 3 IoCs

pid	Process
4244	mfsfzqmwt.exe
2112	mfsfzqmwt.exe
360	mfsfzqmwt.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kybjni = "C:\\Users\\Admin\\AppData\\Roaming\\rqum\\ennpjjwytf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\mfsfzqmwt.exe\" C:\\Users\\Admin\\AppData\\Local\\"	mfsfzqmwt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 360	4244	mfsfzqmwt.exe	82
PID 360 set thread context of 4232	360	mfsfzqmwt.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4244	mfsfzqmwt.exe
4244	mfsfzqmwt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
360	mfsfzqmwt.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4244	2124	Halkbank_Ekstre_20221223_114527_468568,PDF.exe	80
PID 2124 wrote to memory of 4244	2124	Halkbank_Ekstre_20221223_114527_468568,PDF.exe	80
PID 2124 wrote to memory of 4244	2124	Halkbank_Ekstre_20221223_114527_468568,PDF.exe	80
PID 4244 wrote to memory of 2112	4244	mfsfzqmwt.exe	81
PID 4244 wrote to memory of 2112	4244	mfsfzqmwt.exe	81
PID 4244 wrote to memory of 2112	4244	mfsfzqmwt.exe	81
PID 4244 wrote to memory of 360	4244	mfsfzqmwt.exe	82
PID 4244 wrote to memory of 360	4244	mfsfzqmwt.exe	82
PID 4244 wrote to memory of 360	4244	mfsfzqmwt.exe	82
PID 4244 wrote to memory of 360	4244	mfsfzqmwt.exe	82
PID 360 wrote to memory of 4232	360	mfsfzqmwt.exe	83
PID 360 wrote to memory of 4232	360	mfsfzqmwt.exe	83
PID 360 wrote to memory of 4232	360	mfsfzqmwt.exe	83
PID 360 wrote to memory of 4232	360	mfsfzqmwt.exe	83
PID 360 wrote to memory of 4232	360	mfsfzqmwt.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221223_114527_468568,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221223_114527_468568,PDF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe
  "C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe" C:\Users\Admin\AppData\Local\Temp\omfxifnedv.ae
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe
    "C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe"
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe
    "C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe

Filesize
105KB

MD5
96a8a922ff6a2d510ac75ad07fa0bb07

SHA1
7ba7221c683c477874db0965bb5bef234f0d8e76

SHA256
3d25500495f4e9ac13991c510f246aa18a6d4825726cfc33a4a5e647fc61f6b2

SHA512
b9de13e133a9428992f3583e52f281d7b2438b06b44f9225ca046e29f3528233e9e7472754037d7f4c2dfad0e6b38af9b623aea62c5fa43ca3463cd4fafbb5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe

Filesize
105KB

MD5
96a8a922ff6a2d510ac75ad07fa0bb07

SHA1
7ba7221c683c477874db0965bb5bef234f0d8e76

SHA256
3d25500495f4e9ac13991c510f246aa18a6d4825726cfc33a4a5e647fc61f6b2

SHA512
b9de13e133a9428992f3583e52f281d7b2438b06b44f9225ca046e29f3528233e9e7472754037d7f4c2dfad0e6b38af9b623aea62c5fa43ca3463cd4fafbb5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe

Filesize
105KB

MD5
96a8a922ff6a2d510ac75ad07fa0bb07

SHA1
7ba7221c683c477874db0965bb5bef234f0d8e76

SHA256
3d25500495f4e9ac13991c510f246aa18a6d4825726cfc33a4a5e647fc61f6b2

SHA512
b9de13e133a9428992f3583e52f281d7b2438b06b44f9225ca046e29f3528233e9e7472754037d7f4c2dfad0e6b38af9b623aea62c5fa43ca3463cd4fafbb5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfsfzqmwt.exe

Filesize
105KB

MD5
96a8a922ff6a2d510ac75ad07fa0bb07

SHA1
7ba7221c683c477874db0965bb5bef234f0d8e76

SHA256
3d25500495f4e9ac13991c510f246aa18a6d4825726cfc33a4a5e647fc61f6b2

SHA512
b9de13e133a9428992f3583e52f281d7b2438b06b44f9225ca046e29f3528233e9e7472754037d7f4c2dfad0e6b38af9b623aea62c5fa43ca3463cd4fafbb5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\omfxifnedv.ae

Filesize
7KB

MD5
c3e6af3bee4be9bafa7109447e04f1f4

SHA1
2e0c0ef5c9ac0b6477d65beb059ea8964ebdd0c8

SHA256
558aa909455da52bfeb5ab4b6afb8d1a7a82abd9d8f4c5b1a207b2a5345d1f1b

SHA512
7a451b0f98173ec9fc74da1930af582b01650af21048962a431bbcbf386233bc7041ee07f627da2b65dea3742a0c1aa516356b883118faa9b3332a696080452d

Download Submit
C:\Users\Admin\AppData\Local\Temp\soxeywo.hj

Filesize
136KB

MD5
0b684764e750be9fb3a014f0a7d1346c

SHA1
69eeb78067fc5657e99bd32e6e040dfd463051f8

SHA256
13c63c9da71ac844c41497e8fbd19f559ba84b32e9b391dc8b7e63d555abd2f9

SHA512
9f0986fe60b07c8f0ca1638afa50025a6ca573c6ed1cabf3c60ea767fd457a35cf1a383f3a1940b3f8d53e1c6f8c29bcf7aa48abd92e95365c5c0d3fca5fe957

Download Submit
memory/360-143-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/360-148-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4232-145-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/4232-146-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/4232-147-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing