blustealer | 17b3bacd218018d84a5ab6e8d8dcb0f9b16d9e9f6a77a597d8dbe100fbd61667

General

Target

hesaphareketi-01.exe
Size

249KB
MD5

ff608c7e72a486f71069cf6eab782d3c
SHA1

1927d0c361c02c075005842410e2ef4661909fcc
SHA256

17b3bacd218018d84a5ab6e8d8dcb0f9b16d9e9f6a77a597d8dbe100fbd61667
SHA512

b424e88626c4c6b40e2749635fb96e68e9da8b0bed973c85af7c54282a2df2549b8421f57fea5a3a2e0aff9d33ee6ee7b5369d006f9bec033c9dd1d13dd9f6c9
SSDEEP

3072:kfY/TU9fE9PEtuHbq4aaXavMTQmVf5hgMAG47F27OxVIObwi8qwGHGWZYvGqKr4M:yYa6Nq4aaXaMJfsMAGUYAZXr6vGqYzH

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1992-72-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1992-73-0x00000000000A4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1992-75-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1992-77-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
1216	kujojwsai.exe
432	kujojwsai.exe

Loads dropped DLL 3 IoCs

pid	Process
1404	hesaphareketi-01.exe
1404	hesaphareketi-01.exe
1216	kujojwsai.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlces = "C:\\Users\\Admin\\AppData\\Roaming\\fkldbktuuk\\fwcsetkrcobmo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kujojwsai.exe\" C:\\Users\\Admin\\AppDa"	kujojwsai.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 432	1216	kujojwsai.exe	30
PID 432 set thread context of 1992	432	kujojwsai.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1216	kujojwsai.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
432	kujojwsai.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1216	1404	hesaphareketi-01.exe	28
PID 1404 wrote to memory of 1216	1404	hesaphareketi-01.exe	28
PID 1404 wrote to memory of 1216	1404	hesaphareketi-01.exe	28
PID 1404 wrote to memory of 1216	1404	hesaphareketi-01.exe	28
PID 1216 wrote to memory of 432	1216	kujojwsai.exe	30
PID 1216 wrote to memory of 432	1216	kujojwsai.exe	30
PID 1216 wrote to memory of 432	1216	kujojwsai.exe	30
PID 1216 wrote to memory of 432	1216	kujojwsai.exe	30
PID 1216 wrote to memory of 432	1216	kujojwsai.exe	30
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31
PID 432 wrote to memory of 1992	432	kujojwsai.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe
  "C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe" C:\Users\Admin\AppData\Local\Temp\wjingx.klx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe
    "C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe

Filesize
8KB

MD5
4ddee06a2f70fa9ab5a2bc90ac8b0986

SHA1
b8e8a7e7c1cf7f2df75ebdfc511ee72128745e4d

SHA256
37d0f15aa1c2b30455a6d97a32df73581f18ff0bf022ba8ceeef6315833ad6b8

SHA512
2e8326d2e246ea18e752373024f3b74424f2c3fe95493613fddf76b989b8f3f6dbe380e7f8eddec270be0c8f6029cbb49c4bb264fd90f65ba4f4c18cb445c967

Download Submit
C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe

Filesize
8KB

MD5
4ddee06a2f70fa9ab5a2bc90ac8b0986

SHA1
b8e8a7e7c1cf7f2df75ebdfc511ee72128745e4d

SHA256
37d0f15aa1c2b30455a6d97a32df73581f18ff0bf022ba8ceeef6315833ad6b8

SHA512
2e8326d2e246ea18e752373024f3b74424f2c3fe95493613fddf76b989b8f3f6dbe380e7f8eddec270be0c8f6029cbb49c4bb264fd90f65ba4f4c18cb445c967

Download Submit
C:\Users\Admin\AppData\Local\Temp\kujojwsai.exe

Filesize
8KB

MD5
4ddee06a2f70fa9ab5a2bc90ac8b0986

SHA1
b8e8a7e7c1cf7f2df75ebdfc511ee72128745e4d

SHA256
37d0f15aa1c2b30455a6d97a32df73581f18ff0bf022ba8ceeef6315833ad6b8

SHA512
2e8326d2e246ea18e752373024f3b74424f2c3fe95493613fddf76b989b8f3f6dbe380e7f8eddec270be0c8f6029cbb49c4bb264fd90f65ba4f4c18cb445c967

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgkhyjnibjz.nsm

Filesize
156KB

MD5
043c0513fbad5c58b22a571b6a335eac

SHA1
421e8f2201f8fa251e227bba9ffaa471b7bc8c89

SHA256
1e95d161fb70c6d76888244cec61a96e3a381fbb5204c92b31d94be3a430f297

SHA512
60721e2836894d81957a9fe0024bd115ec3f7591c013203dc5ebb69d7c0cdc46a34b0d61bd6dc676a0e309463396af97a6c2706ac7a1b518d7b2aab7792d7494

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjingx.klx

Filesize
7KB

MD5
a2e65e9eb9acb3c0ebf11433f27ee6f1

SHA1
82a477530bb7217833b3f2ae4ddca1df6e7737e0

SHA256
624bc82e34a75e1325d83a32ea9d099c809745803cf8ad3948060d6d5dcb449a

SHA512
30183115d58b789ec16681d50d5fe7c4724347ba0d0fa8b634adf97f949b5660c88f782107c5212b7e6e1fc95014b8ad819686867519035645a5c36d63b17a29

Download Submit
\Users\Admin\AppData\Local\Temp\kujojwsai.exe

Filesize
8KB

MD5
4ddee06a2f70fa9ab5a2bc90ac8b0986

SHA1
b8e8a7e7c1cf7f2df75ebdfc511ee72128745e4d

SHA256
37d0f15aa1c2b30455a6d97a32df73581f18ff0bf022ba8ceeef6315833ad6b8

SHA512
2e8326d2e246ea18e752373024f3b74424f2c3fe95493613fddf76b989b8f3f6dbe380e7f8eddec270be0c8f6029cbb49c4bb264fd90f65ba4f4c18cb445c967

Download Submit
\Users\Admin\AppData\Local\Temp\kujojwsai.exe

Filesize
8KB

MD5
4ddee06a2f70fa9ab5a2bc90ac8b0986

SHA1
b8e8a7e7c1cf7f2df75ebdfc511ee72128745e4d

SHA256
37d0f15aa1c2b30455a6d97a32df73581f18ff0bf022ba8ceeef6315833ad6b8

SHA512
2e8326d2e246ea18e752373024f3b74424f2c3fe95493613fddf76b989b8f3f6dbe380e7f8eddec270be0c8f6029cbb49c4bb264fd90f65ba4f4c18cb445c967

Download Submit
\Users\Admin\AppData\Local\Temp\kujojwsai.exe

Filesize
8KB

MD5
4ddee06a2f70fa9ab5a2bc90ac8b0986

SHA1
b8e8a7e7c1cf7f2df75ebdfc511ee72128745e4d

SHA256
37d0f15aa1c2b30455a6d97a32df73581f18ff0bf022ba8ceeef6315833ad6b8

SHA512
2e8326d2e246ea18e752373024f3b74424f2c3fe95493613fddf76b989b8f3f6dbe380e7f8eddec270be0c8f6029cbb49c4bb264fd90f65ba4f4c18cb445c967

Download Submit
memory/432-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/432-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1404-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1992-70-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1992-72-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1992-75-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1992-77-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing