blustealer | 16f2160476b2c78ec35b8fd9a4430b865cf3597c0da23795181196ea682f3df0 | Triage

Submit
Reports

Overview

overview

Static

static

Halkbank_E...DF.exe

windows7-x64

Halkbank_E...DF.exe

windows10-2004-x64

Sharing

General

Target

Halkbank_Ekstre_20221230_114528_468568,PDF.exe
Size

415KB
Sample

221230-lhlttsfc95
MD5

dd57da0ba5835d49e8c85a41641c14b2
SHA1

8e823ca64e4f674953adbe045425f62f39955644
SHA256

16f2160476b2c78ec35b8fd9a4430b865cf3597c0da23795181196ea682f3df0
SHA512

368d505001ade291386265aa6fed0e7f6480174d3446232702174652c2fbfa1fe6906c4031efd5cc17f0330ecb38917ac95ad5a4d3b93f41453d183b3bb79602
SSDEEP

12288:yYxmJxRHHE6mRsc9gC8NLhPtD/fJomIA14mwQKEuaL2dZsLqrFNOA:yYtO/fJH4mBKmL2dtHb

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

Halkbank_Ekstre_20221230_114528_468568,PDF.exe

Resource

win7-20220812-en

blustealer stormkitty collection persistence stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Halkbank_Ekstre_20221230_114528_468568,PDF.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

- Target
  
  Halkbank_Ekstre_20221230_114528_468568,PDF.exe
- Size
  
  415KB
- MD5
  
  dd57da0ba5835d49e8c85a41641c14b2
- SHA1
  
  8e823ca64e4f674953adbe045425f62f39955644
- SHA256
  
  16f2160476b2c78ec35b8fd9a4430b865cf3597c0da23795181196ea682f3df0
- SHA512
  
  368d505001ade291386265aa6fed0e7f6480174d3446232702174652c2fbfa1fe6906c4031efd5cc17f0330ecb38917ac95ad5a4d3b93f41453d183b3bb79602
- SSDEEP
  
  12288:yYxmJxRHHE6mRsc9gC8NLhPtD/fJomIA14mwQKEuaL2dZsLqrFNOA:yYtO/fJH4mBKmL2dtHb
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2024

Terms | Privacy