General

  • Target

    Halkbank_Ekstre_20221227_114527_468568,PDF.exe

  • Size

    352KB

  • Sample

    221227-qthnrsab4x

  • MD5

    33465dc320318c2dfb7a145f23ee97e2

  • SHA1

    097e3e702117a8620b38b18c5380f47e9f1240aa

  • SHA256

    25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc

  • SHA512

    2a4cce1259ab2f191107cc2e0538a836cf2b1219f46d8d6db433ddbe16cd7a01a1642c6ce68bf7d2ad1e6821ab675419367b4dad11eaa9cef8ebd982ce4fc07f

  • SSDEEP

    6144:oYa6hQx8ayrborZjYcnfmUpLL3JSXpxKg7Lv:oY0xPgUrZjYcfrpwXzKg3

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks