blustealer | e3f0cf7effaf970e55ce7b44afa66607f8126403523b609849339d551011480f

General

Target

1664899251557_MLCAL100300189.00.pdf.exe
Size

418KB
MD5

07483641fb9e47b6381039d8806aabc8
SHA1

7f992d4eeae9bb1dc8936a833298bfd7ee870ffb
SHA256

e3f0cf7effaf970e55ce7b44afa66607f8126403523b609849339d551011480f
SHA512

8b3a201a85600c8cea9404515dd0be09fb2b41d952f5c795b36166cbfb20deef01c0d91c0da31a1a3f2a554d5e045160450a4965147824ac0244d602d4bd78cf
SSDEEP

6144:KYa6AExBLoJvdNJDGcNc7rsJ1RqonlSpiHUtMj:KYC8LodlGcNc781RpSpdOj

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1872-72-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1872-73-0x00000000000A4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1872-77-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1872-75-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
2016	mxuoquv.exe
1372	mxuoquv.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	1664899251557_MLCAL100300189.00.pdf.exe
1048	1664899251557_MLCAL100300189.00.pdf.exe
2016	mxuoquv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lpudbyc = "C:\\Users\\Admin\\AppData\\Roaming\\unvjkjhqdbeoxr\\vimgadnjbnv.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\mxuoquv.exe\" C:\\Users\\Admin\\AppDa"	mxuoquv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 1372	2016	mxuoquv.exe	29
PID 1372 set thread context of 1872	1372	mxuoquv.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2016	mxuoquv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1372	mxuoquv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2016	1048	1664899251557_MLCAL100300189.00.pdf.exe	27
PID 1048 wrote to memory of 2016	1048	1664899251557_MLCAL100300189.00.pdf.exe	27
PID 1048 wrote to memory of 2016	1048	1664899251557_MLCAL100300189.00.pdf.exe	27
PID 1048 wrote to memory of 2016	1048	1664899251557_MLCAL100300189.00.pdf.exe	27
PID 2016 wrote to memory of 1372	2016	mxuoquv.exe	29
PID 2016 wrote to memory of 1372	2016	mxuoquv.exe	29
PID 2016 wrote to memory of 1372	2016	mxuoquv.exe	29
PID 2016 wrote to memory of 1372	2016	mxuoquv.exe	29
PID 2016 wrote to memory of 1372	2016	mxuoquv.exe	29
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30
PID 1372 wrote to memory of 1872	1372	mxuoquv.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\1664899251557_MLCAL100300189.00.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\1664899251557_MLCAL100300189.00.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
  "C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe" C:\Users\Admin\AppData\Local\Temp\agvcsd.xia
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
    "C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agvcsd.xia

Filesize
8KB

MD5
90c2a3c3487e5dadeb270ce3f5c8a01c

SHA1
edc2d5e2b26cbabeeb8d69e8c4501f503c6e58fc

SHA256
7e9e63b244d5699e8217c274718ca57874a82d9bf64211a9c2029b0841270a95

SHA512
2d40b47980caafeb01b85d7182e4ee606d86c160fc32c13ae5f9775d323807ec3605fa600d3e82a35952d66e95cb4161be148e96cd6bf6bdd7e87be5a51bdd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjwcrxgzt.b

Filesize
156KB

MD5
354f5a89f5197083616340a0064cf264

SHA1
a05ea1cb9ea0141408cf76d3672c09c4662284d4

SHA256
b24d24bc0071cdcec4f3ff52a4cdebc812f450927b5c9fcc7c596957e4b167bb

SHA512
dea51923004426dad19cefe6b52c4f3927634f2a93dc9ab1ab1154bba8269df25b953ebdbd03afe01b4d4a8d61e46295ddaf980b246578a4ad461c8a3a44b6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe

Filesize
63KB

MD5
dddd982b03cb1e42cda0fc1bc0bc9f4c

SHA1
fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

SHA256
1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

SHA512
af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe

Filesize
63KB

MD5
dddd982b03cb1e42cda0fc1bc0bc9f4c

SHA1
fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

SHA256
1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

SHA512
af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe

Filesize
63KB

MD5
dddd982b03cb1e42cda0fc1bc0bc9f4c

SHA1
fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

SHA256
1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

SHA512
af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

Download Submit
\Users\Admin\AppData\Local\Temp\mxuoquv.exe

Filesize
63KB

MD5
dddd982b03cb1e42cda0fc1bc0bc9f4c

SHA1
fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

SHA256
1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

SHA512
af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

Download Submit
\Users\Admin\AppData\Local\Temp\mxuoquv.exe

Filesize
63KB

MD5
dddd982b03cb1e42cda0fc1bc0bc9f4c

SHA1
fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

SHA256
1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

SHA512
af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

Download Submit
\Users\Admin\AppData\Local\Temp\mxuoquv.exe

Filesize
63KB

MD5
dddd982b03cb1e42cda0fc1bc0bc9f4c

SHA1
fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

SHA256
1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

SHA512
af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1372-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1372-80-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1872-70-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1872-72-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1872-77-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1872-75-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2016-66-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing