blustealer | 25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc

Analysis

max time kernel
116s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-12-2022 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Halkbank_Ekstre_20221227_114527_468568,PDF.exe
Size

352KB
MD5

33465dc320318c2dfb7a145f23ee97e2
SHA1

097e3e702117a8620b38b18c5380f47e9f1240aa
SHA256

25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc
SHA512

2a4cce1259ab2f191107cc2e0538a836cf2b1219f46d8d6db433ddbe16cd7a01a1642c6ce68bf7d2ad1e6821ab675419367b4dad11eaa9cef8ebd982ce4fc07f
SSDEEP

6144:oYa6hQx8ayrborZjYcnfmUpLL3JSXpxKg7Lv:oY0xPgUrZjYcfrpwXzKg3

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/432-72-0x00000000001F0000-0x000000000020A000-memory.dmp	family_stormkitty
behavioral1/memory/432-73-0x0000000000204F6E-mapping.dmp	family_stormkitty
behavioral1/memory/432-75-0x00000000001F0000-0x000000000020A000-memory.dmp	family_stormkitty
behavioral1/memory/432-77-0x00000000001F0000-0x000000000020A000-memory.dmp	family_stormkitty

Executes dropped EXE 3 IoCs

pid	Process
1632	hmhngf.exe
1156	hmhngf.exe
1984	hmhngf.exe

Loads dropped DLL 3 IoCs

pid	Process
1588	Halkbank_Ekstre_20221227_114527_468568,PDF.exe
1632	hmhngf.exe
1632	hmhngf.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\hbjafd = "C:\\Users\\Admin\\AppData\\Roaming\\xkivwgf\\bkyafmvwtdmysw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hmhngf.exe\" C:\\Users\\Admin\\AppData\\Lo"	hmhngf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1984	1632	hmhngf.exe	30
PID 1984 set thread context of 432	1984	hmhngf.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1632	hmhngf.exe
1632	hmhngf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	hmhngf.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1632	1588	Halkbank_Ekstre_20221227_114527_468568,PDF.exe	28
PID 1588 wrote to memory of 1632	1588	Halkbank_Ekstre_20221227_114527_468568,PDF.exe	28
PID 1588 wrote to memory of 1632	1588	Halkbank_Ekstre_20221227_114527_468568,PDF.exe	28
PID 1588 wrote to memory of 1632	1588	Halkbank_Ekstre_20221227_114527_468568,PDF.exe	28
PID 1632 wrote to memory of 1156	1632	hmhngf.exe	29
PID 1632 wrote to memory of 1156	1632	hmhngf.exe	29
PID 1632 wrote to memory of 1156	1632	hmhngf.exe	29
PID 1632 wrote to memory of 1156	1632	hmhngf.exe	29
PID 1632 wrote to memory of 1984	1632	hmhngf.exe	30
PID 1632 wrote to memory of 1984	1632	hmhngf.exe	30
PID 1632 wrote to memory of 1984	1632	hmhngf.exe	30
PID 1632 wrote to memory of 1984	1632	hmhngf.exe	30
PID 1632 wrote to memory of 1984	1632	hmhngf.exe	30
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31
PID 1984 wrote to memory of 432	1984	hmhngf.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221227_114527_468568,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20221227_114527_468568,PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\hmhngf.exe
  "C:\Users\Admin\AppData\Local\Temp\hmhngf.exe" C:\Users\Admin\AppData\Local\Temp\jlxvllz.cv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\hmhngf.exe
    "C:\Users\Admin\AppData\Local\Temp\hmhngf.exe"
    3⤵
    - Executes dropped EXE
    PID:1156
- - C:\Users\Admin\AppData\Local\Temp\hmhngf.exe
    "C:\Users\Admin\AppData\Local\Temp\hmhngf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epmrvnmpfya.uu

Filesize
156KB

MD5
a01be1b28a7a429cbfc4eef39c93d79f

SHA1
0c53c6b277355b87efc978806644e7f19f5347d9

SHA256
6a3958d9b5f3278a020a30a10bdd7ffb0e9db55259862545d00fe2a163268a77

SHA512
3dfee60ce807167bd37907e2eaba882b799ed7e523e2a0a12da1440aac996994edd846c9ea5ee6cd19a4e5a5beb0e20d2ff1a075b399ff1b1b5289a17f220073

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlxvllz.cv

Filesize
7KB

MD5
b92562f6233b0b9f7780f39529da12d9

SHA1
7466e24bbb93495f7399024e7e92a3d992dc31f3

SHA256
de68d47e81485bac62567c362548b9ffac065631361a5115bef035e858ad163f

SHA512
2a1c217d8b3aa18f65e7f60c2dd121779f6617faec0cbcb9b415e73fd3dd34cd1fd90335469ef3f1685ce6dbdb4632b9cf82ad3a8eaaf69a63485b808e95a2dc

Download Submit
\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
\Users\Admin\AppData\Local\Temp\hmhngf.exe

Filesize
12KB

MD5
e490090136bc813737e29bcb1bbb84b0

SHA1
38d50d33de36ddfb388ee3c817f3af81fb64d59a

SHA256
0bf1b430e348b0a561e580d73137c62da90c95b9ff8420bb35af1ab326b8a1c8

SHA512
beba3226c7893459afe3e110b0e4c7254affc84a672ec561e6c1bc7b92e3f7b2bf8f1a6e3bf9d68eac4d33c7577fa1a4e3ded6fd9394d763e0ff39996adf3d57

Download Submit
memory/432-70-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/432-72-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/432-75-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/432-77-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/1588-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1984-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1984-80-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download