General
- Target: Halkbank_Ekstre_20221227_114527_468568,PDF.exe
- Size: 352KB
- Sample: 221227-qthnrsab4x
- MD5: 33465dc320318c2dfb7a145f23ee97e2
- SHA1: 097e3e702117a8620b38b18c5380f47e9f1240aa
- SHA256: 25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc
- SHA512: 2a4cce1259ab2f191107cc2e0538a836cf2b1219f46d8d6db433ddbe16cd7a01a1642c6ce68bf7d2ad1e6821ab675419367b4dad11eaa9cef8ebd982ce4fc07f
- SSDEEP: 6144:oYa6hQx8ayrborZjYcnfmUpLL3JSXpxKg7Lv:oY0xPgUrZjYcfrpwXzKg3
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Halkbank_Ekstre_20221227_114527_468568,PDF.exe
  - Resource: win7-20221111-en
- Behavioral task: behavioral2
  - Sample: Halkbank_Ekstre_20221227_114527_468568,PDF.exe
  - Resource: win10v2004-20221111-en

Malware Config
- Extracted: blustealer
- https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets
- Target: Halkbank_Ekstre_20221227_114527_468568,PDF.exe
- Size: 352KB
- MD5: 33465dc320318c2dfb7a145f23ee97e2
- SHA1: 097e3e702117a8620b38b18c5380f47e9f1240aa
- SHA256: 25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc
- SHA512: 2a4cce1259ab2f191107cc2e0538a836cf2b1219f46d8d6db433ddbe16cd7a01a1642c6ce68bf7d2ad1e6821ab675419367b4dad11eaa9cef8ebd982ce4fc07f
- SSDEEP: 6144:oYa6hQx8ayrborZjYcnfmUpLL3JSXpxKg7Lv:oY0xPgUrZjYcfrpwXzKg3
- Score: 10/10
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext