blustealer | 288a470426cff4110e23d8d2a531a19bae23149bba818a86e1e79341f10548d0

General

Target

fatura64383,pdf.exe
Size

366KB
MD5

ed637030ae7f20a8af6b08fc5401b2eb
SHA1

07d6ea65d57216d032a547cd41596f7f0d77fce6
SHA256

288a470426cff4110e23d8d2a531a19bae23149bba818a86e1e79341f10548d0
SHA512

c8b7216d4bfd486da62b54cb414bfd33e29304ef9d837306f01ecf36a116e2b101ab45424d1a9a7cff931947458de2dfd8af01ddcdc71b0fe89b10cc9baaf6e3
SSDEEP

6144:8Ya6hpFXx6WGu1PGgl95W9YBw1SrPK9a17TCd7FgibOJrdhEk:8YTpFXxLG6Gg09Yrr9f27vbOJd

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1116-71-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1116-72-0x00000000000A4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1116-74-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/1116-76-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

Processes:

ajsmtz.exeajsmtz.exe

pid process

1484 ajsmtz.exe
1088 ajsmtz.exe
Loads dropped DLL 3 IoCs

Processes:

fatura64383,pdf.exeajsmtz.exe

pid process

1728 fatura64383,pdf.exe
1728 fatura64383,pdf.exe
1484 ajsmtz.exe

pid	process
1484	ajsmtz.exe
1088	ajsmtz.exe

pid	process
1728	fatura64383,pdf.exe
1728	fatura64383,pdf.exe
1484	ajsmtz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ajsmtz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\htyh = "C:\\Users\\Admin\\AppData\\Roaming\\rpjddpxyku\\vkmvrdifccmbs.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ajsmtz.exe\" C:\\Users\\Admin\\AppData\\"	ajsmtz.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 icanhazip.com

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

ajsmtz.exeajsmtz.exe

description	pid	process	target process
PID 1484 set thread context of 1088	1484	ajsmtz.exe	ajsmtz.exe
PID 1088 set thread context of 1116	1088	ajsmtz.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ajsmtz.exe

pid process

1088 ajsmtz.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ajsmtz.exe

pid process

1484 ajsmtz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1116 AppLaunch.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ajsmtz.exe

pid process

1088 ajsmtz.exe

pid	process
1088	ajsmtz.exe

pid	process
1484	ajsmtz.exe

description	pid	process
Token: SeDebugPrivilege	1116	AppLaunch.exe

pid	process
1088	ajsmtz.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fatura64383,pdf.exeajsmtz.exeajsmtz.exe

description	pid	process	target process
PID 1728 wrote to memory of 1484	1728	fatura64383,pdf.exe	ajsmtz.exe
PID 1728 wrote to memory of 1484	1728	fatura64383,pdf.exe	ajsmtz.exe
PID 1728 wrote to memory of 1484	1728	fatura64383,pdf.exe	ajsmtz.exe
PID 1728 wrote to memory of 1484	1728	fatura64383,pdf.exe	ajsmtz.exe
PID 1484 wrote to memory of 1088	1484	ajsmtz.exe	ajsmtz.exe
PID 1484 wrote to memory of 1088	1484	ajsmtz.exe	ajsmtz.exe
PID 1484 wrote to memory of 1088	1484	ajsmtz.exe	ajsmtz.exe
PID 1484 wrote to memory of 1088	1484	ajsmtz.exe	ajsmtz.exe
PID 1484 wrote to memory of 1088	1484	ajsmtz.exe	ajsmtz.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe
PID 1088 wrote to memory of 1116	1088	ajsmtz.exe	AppLaunch.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura64383,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura64383,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe
"C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe" C:\Users\Admin\AppData\Local\Temp\xaovnyrryr.yh
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe
"C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
4⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe
Filesize
57KB

MD5
1fa0e2a8c8dda67150e1491bb30bc81e

SHA1
cd57df6dc0ce3d88d191662ce5edf8a9a7ce9930

SHA256
9406c588ddedc001a2e75357643a1473729d9030e1cb82164da46456917eff7a

SHA512
0f765bd1e76ce4a91291415ff357e23a42721a9e45e15e3ec0fdc6e48fbcfcb21b82d888da85313d9d3d5da7019ab6a2ed98ddbe1f85cce3238179652021ea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe
Filesize
57KB

MD5
1fa0e2a8c8dda67150e1491bb30bc81e

SHA1
cd57df6dc0ce3d88d191662ce5edf8a9a7ce9930

SHA256
9406c588ddedc001a2e75357643a1473729d9030e1cb82164da46456917eff7a

SHA512
0f765bd1e76ce4a91291415ff357e23a42721a9e45e15e3ec0fdc6e48fbcfcb21b82d888da85313d9d3d5da7019ab6a2ed98ddbe1f85cce3238179652021ea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajsmtz.exe
Filesize
57KB

MD5
1fa0e2a8c8dda67150e1491bb30bc81e

SHA1
cd57df6dc0ce3d88d191662ce5edf8a9a7ce9930

SHA256
9406c588ddedc001a2e75357643a1473729d9030e1cb82164da46456917eff7a

SHA512
0f765bd1e76ce4a91291415ff357e23a42721a9e45e15e3ec0fdc6e48fbcfcb21b82d888da85313d9d3d5da7019ab6a2ed98ddbe1f85cce3238179652021ea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcdxqcrrmin.pu
Filesize
164KB

MD5
d35d05b93e1f06c2df8f6c9ef9e3605e

SHA1
fd6a62e4e8e880c9512dcab86a6f802ab7af56ec

SHA256
ff11a2e9a0a0ccabd79a00238aa0f26b55a2dae63dc8c68fd706ab7c408aa0c2

SHA512
b7c9b7bf7dbcf8597e17d0680efe3f19eb7200526b749fbcbb3349575635e2666abeacee3d6d471ef23c6a31b1b63850054efc5429f1fdd8dc4d1023b2e65b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaovnyrryr.yh
Filesize
7KB

MD5
b380734fee07e1f50b924f61ee13b959

SHA1
8128102b3cfe3d5510fe094a8c1460c9520f3fed

SHA256
4f1daaddbf07bbbbe2fa84069f0856af3432bcc44fd49a30906800a2d2221e5e

SHA512
0d163aa66b4949f311b8e550319029efa0f73c0576dace8e5f2bcd2051cede690324229e1fbf2970311cf881242ac497be94c19f6d2f763ac3b01f98fb41c0e9

Download Submit
\Users\Admin\AppData\Local\Temp\ajsmtz.exe
Filesize
57KB

MD5
1fa0e2a8c8dda67150e1491bb30bc81e

SHA1
cd57df6dc0ce3d88d191662ce5edf8a9a7ce9930

SHA256
9406c588ddedc001a2e75357643a1473729d9030e1cb82164da46456917eff7a

SHA512
0f765bd1e76ce4a91291415ff357e23a42721a9e45e15e3ec0fdc6e48fbcfcb21b82d888da85313d9d3d5da7019ab6a2ed98ddbe1f85cce3238179652021ea50

Download Submit
\Users\Admin\AppData\Local\Temp\ajsmtz.exe
Filesize
57KB

MD5
1fa0e2a8c8dda67150e1491bb30bc81e

SHA1
cd57df6dc0ce3d88d191662ce5edf8a9a7ce9930

SHA256
9406c588ddedc001a2e75357643a1473729d9030e1cb82164da46456917eff7a

SHA512
0f765bd1e76ce4a91291415ff357e23a42721a9e45e15e3ec0fdc6e48fbcfcb21b82d888da85313d9d3d5da7019ab6a2ed98ddbe1f85cce3238179652021ea50

Download Submit
\Users\Admin\AppData\Local\Temp\ajsmtz.exe
Filesize
57KB

MD5
1fa0e2a8c8dda67150e1491bb30bc81e

SHA1
cd57df6dc0ce3d88d191662ce5edf8a9a7ce9930

SHA256
9406c588ddedc001a2e75357643a1473729d9030e1cb82164da46456917eff7a

SHA512
0f765bd1e76ce4a91291415ff357e23a42721a9e45e15e3ec0fdc6e48fbcfcb21b82d888da85313d9d3d5da7019ab6a2ed98ddbe1f85cce3238179652021ea50

Download Submit
memory/1088-64-0x0000000000401D50-mapping.dmp

Download
memory/1088-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1088-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1116-69-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1116-71-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1116-72-0x00000000000A4F6E-mapping.dmp

Download
memory/1116-74-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1116-76-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1484-57-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads