blustealer | fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37 | Triage

Submit
Reports

Overview

overview

Static

static

Halkbank_E...DF.exe

windows7-x64

Halkbank_E...DF.exe

windows10-2004-x64

Sharing

General

Target

Halkbank_Ekstre_20221228_114528_468568,PDF.exe
Size

353KB
Sample

221228-jhjncshg43
MD5

c66534531458e789ad2fcdb17a3a0489
SHA1

28064aa47534ed6af85b6972cca639c3dcde93ee
SHA256

fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37
SHA512

1ca186310c3f85a46a3b9782c301af137be5100f988f7adc7ba266feabb45da239d8b433c6079a1d0459bbd06647aee2812c6f67394c893eb5566090c8d1613d
SSDEEP

6144:CYa6H/tWpNp5Cdqzr+yohjVpP515uGUhZzN4:CY9/tANp5/zApnPb5uGUhT4

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

Halkbank_Ekstre_20221228_114528_468568,PDF.exe

Resource

win7-20220812-en

blustealer stormkitty collection persistence stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Halkbank_Ekstre_20221228_114528_468568,PDF.exe

Resource

win10v2004-20221111-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

- Target
  
  Halkbank_Ekstre_20221228_114528_468568,PDF.exe
- Size
  
  353KB
- MD5
  
  c66534531458e789ad2fcdb17a3a0489
- SHA1
  
  28064aa47534ed6af85b6972cca639c3dcde93ee
- SHA256
  
  fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37
- SHA512
  
  1ca186310c3f85a46a3b9782c301af137be5100f988f7adc7ba266feabb45da239d8b433c6079a1d0459bbd06647aee2812c6f67394c893eb5566090c8d1613d
- SSDEEP
  
  6144:CYa6H/tWpNp5Cdqzr+yohjVpP515uGUhZzN4:CY9/tANp5/zApnPb5uGUhT4
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2025

Terms | Privacy