blustealer | 761e4a0314cfb25685a468b01de973e51405f0de560a6c85d8cc1efa3e6ac013

General

Target

fatura64383,pdf.exe
Size

362KB
MD5

bb77706ba6e7c684bdd0b1b11fb7f5e1
SHA1

e092bad0cf6528e64f0798279e7bc02f45748f82
SHA256

761e4a0314cfb25685a468b01de973e51405f0de560a6c85d8cc1efa3e6ac013
SHA512

01c64294fc9ca1a74b8e3921bb412ef442d2beabe2862db69e9d24f23cd568602bd926a75ca4551f56e68bc7a4a1a5c867ec3faf5169e9c7019b06c7b6a00e43
SSDEEP

6144:IYa6h0+uhQMTNBGSeHP/GVLfNVfPluPVDIJ:IYQ+uhQMTDrtIPNk

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1740-71-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty
behavioral1/memory/1740-72-0x00000000000E4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1740-74-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty
behavioral1/memory/1740-76-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
1324	dahkrf.exe
1744	dahkrf.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	fatura64383,pdf.exe
1324	dahkrf.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kdiisex = "C:\\Users\\Admin\\AppData\\Roaming\\ettundhyuaw\\fnfbxuusqhef.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dahkrf.exe\" C:\\Users\\Admin\\AppData\\"	dahkrf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 1744	1324	dahkrf.exe	27
PID 1744 set thread context of 1740	1744	dahkrf.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1324	dahkrf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1744	dahkrf.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1324	1096	fatura64383,pdf.exe	26
PID 1096 wrote to memory of 1324	1096	fatura64383,pdf.exe	26
PID 1096 wrote to memory of 1324	1096	fatura64383,pdf.exe	26
PID 1096 wrote to memory of 1324	1096	fatura64383,pdf.exe	26
PID 1324 wrote to memory of 1744	1324	dahkrf.exe	27
PID 1324 wrote to memory of 1744	1324	dahkrf.exe	27
PID 1324 wrote to memory of 1744	1324	dahkrf.exe	27
PID 1324 wrote to memory of 1744	1324	dahkrf.exe	27
PID 1324 wrote to memory of 1744	1324	dahkrf.exe	27
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28
PID 1744 wrote to memory of 1740	1744	dahkrf.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura64383,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura64383,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\dahkrf.exe
  "C:\Users\Admin\AppData\Local\Temp\dahkrf.exe" C:\Users\Admin\AppData\Local\Temp\axxxlliqqv.u
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\dahkrf.exe
    "C:\Users\Admin\AppData\Local\Temp\dahkrf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axxxlliqqv.u

Filesize
7KB

MD5
857ab0cf4c7d7be56727c960a8e3217b

SHA1
86a8b85930f99bd6a8716693e1304d4361db3a4e

SHA256
85186e55c0fa596ad8deae8cb2a03a17130e1d4393b162be909f648227b72ca0

SHA512
9d8c396852c590440223677d7c72d9b67818186a8f788bea7ec6a818b2f3b690c0b9ec3b28b362b057a74e96431eb30979915d1820fa65a12ad0e61bcfd3d968

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahkrf.exe

Filesize
87KB

MD5
8dea84197709d2fc2c8a0a2beb4b69dc

SHA1
18d0d5c620245357ad830ed7f0c866e08efddd34

SHA256
f1bc7fee853eba26fd3d9138758999ad49a3813c3980b3db2bfc2201ed7a3b2a

SHA512
08385f39b27eebd5cc8017f5b79a8352bad24da58bb5979964f4627d7c05c14b2808e1dd91ccb4f55555a1ae5f0c77dbe33e1923883e313003f323b3545f550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahkrf.exe

Filesize
87KB

MD5
8dea84197709d2fc2c8a0a2beb4b69dc

SHA1
18d0d5c620245357ad830ed7f0c866e08efddd34

SHA256
f1bc7fee853eba26fd3d9138758999ad49a3813c3980b3db2bfc2201ed7a3b2a

SHA512
08385f39b27eebd5cc8017f5b79a8352bad24da58bb5979964f4627d7c05c14b2808e1dd91ccb4f55555a1ae5f0c77dbe33e1923883e313003f323b3545f550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahkrf.exe

Filesize
87KB

MD5
8dea84197709d2fc2c8a0a2beb4b69dc

SHA1
18d0d5c620245357ad830ed7f0c866e08efddd34

SHA256
f1bc7fee853eba26fd3d9138758999ad49a3813c3980b3db2bfc2201ed7a3b2a

SHA512
08385f39b27eebd5cc8017f5b79a8352bad24da58bb5979964f4627d7c05c14b2808e1dd91ccb4f55555a1ae5f0c77dbe33e1923883e313003f323b3545f550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkrnttjf.lc

Filesize
156KB

MD5
2c1556b5388af112b522f4b2a557f162

SHA1
4a8a217ad7954bfea2769f84ff9b13efaad8aa3e

SHA256
b51d0720691ddcc62159c4a75990c07209c3f977624f2175aaece57acf4536d1

SHA512
a151d97c63163d2fe7522379d3f8906a41889759371b235c74d8674e5b247b0a3ed404a7f70cfbcaab9e5eadd972bf8598910f729d9bd057e71e82b8fe56c22b

Download Submit
\Users\Admin\AppData\Local\Temp\dahkrf.exe

Filesize
87KB

MD5
8dea84197709d2fc2c8a0a2beb4b69dc

SHA1
18d0d5c620245357ad830ed7f0c866e08efddd34

SHA256
f1bc7fee853eba26fd3d9138758999ad49a3813c3980b3db2bfc2201ed7a3b2a

SHA512
08385f39b27eebd5cc8017f5b79a8352bad24da58bb5979964f4627d7c05c14b2808e1dd91ccb4f55555a1ae5f0c77dbe33e1923883e313003f323b3545f550e

Download Submit
\Users\Admin\AppData\Local\Temp\dahkrf.exe

Filesize
87KB

MD5
8dea84197709d2fc2c8a0a2beb4b69dc

SHA1
18d0d5c620245357ad830ed7f0c866e08efddd34

SHA256
f1bc7fee853eba26fd3d9138758999ad49a3813c3980b3db2bfc2201ed7a3b2a

SHA512
08385f39b27eebd5cc8017f5b79a8352bad24da58bb5979964f4627d7c05c14b2808e1dd91ccb4f55555a1ae5f0c77dbe33e1923883e313003f323b3545f550e

Download Submit
memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1740-71-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1740-69-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1740-74-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1740-76-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1744-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1744-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing