blustealer | 810acdb822af195ddb50ce857992f3d78ab45d5dae9496456106180b43e7b1c7

General

Target

fatura6245687,pdf.exe
Size

309KB
MD5

b8226f71e477852a471bf6789c2973ce
SHA1

1dd378577e31562f343de35b8019b2cbaf7b2a2e
SHA256

810acdb822af195ddb50ce857992f3d78ab45d5dae9496456106180b43e7b1c7
SHA512

354419176d07cfd905ab1b7632b441ea3ae589874b14c15ae656e87f5343d22b13b1198763e555eb89bbea4482c674b48d824768ed5940eede62a96966c50a75
SSDEEP

6144:2Ya6BgSECqpOY018iutYxWtsidNqts5sHqVbXa+M08f:2Y3gQqpOY018i/lG06CHIK+MH

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2064-143-0x0000000000C40000-0x0000000000C5A000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
2236	znfoudxb.exe
2680	znfoudxb.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubovhf = "C:\\Users\\Admin\\AppData\\Roaming\\mkceflmeibsr\\jrdgnm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\znfoudxb.exe\" C:\\Users\\Admin\\AppData\\Loc"	znfoudxb.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2680	2236	znfoudxb.exe	82
PID 2680 set thread context of 2064	2680	znfoudxb.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	znfoudxb.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2236	znfoudxb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	znfoudxb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2236	5020	fatura6245687,pdf.exe	81
PID 5020 wrote to memory of 2236	5020	fatura6245687,pdf.exe	81
PID 5020 wrote to memory of 2236	5020	fatura6245687,pdf.exe	81
PID 2236 wrote to memory of 2680	2236	znfoudxb.exe	82
PID 2236 wrote to memory of 2680	2236	znfoudxb.exe	82
PID 2236 wrote to memory of 2680	2236	znfoudxb.exe	82
PID 2236 wrote to memory of 2680	2236	znfoudxb.exe	82
PID 2680 wrote to memory of 2064	2680	znfoudxb.exe	83
PID 2680 wrote to memory of 2064	2680	znfoudxb.exe	83
PID 2680 wrote to memory of 2064	2680	znfoudxb.exe	83
PID 2680 wrote to memory of 2064	2680	znfoudxb.exe	83
PID 2680 wrote to memory of 2064	2680	znfoudxb.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura6245687,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura6245687,pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe
  "C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe" C:\Users\Admin\AppData\Local\Temp\usdqeimpe.hvv
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe
    "C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\usdqeimpe.hvv

Filesize
7KB

MD5
da58988f91934cccf280167c760cd7ac

SHA1
6b6eeaaa0a3d3c49abf8599b4ad8bb778ba75ef3

SHA256
47ae0111812c05ef2baa4646fd6251b1175ec2da374722a0eb865655cf1f34a9

SHA512
96c6d1428876d8c85457a1139e365b6f636d8354fc6c3eecef4fb2007d38167d001200195e11463bf2c178e249a7699aae064febfd0ecdb1c1bfd0b6f1b7fd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvrrfurz.v

Filesize
164KB

MD5
9371613143ea2cefd9aa5af779506c07

SHA1
59c104274d9c00692ac8179158167fedc5713e3a

SHA256
7cc9ad7af30b23a4442cbb7c70b1a3547c6fd1f1a6e3682c447f01b456b5f62c

SHA512
7c716b1156be3bf20c143e981dca83c34134ad1019f9841dbf9fabdfbd57cc1b30aac9d994cdbad01a6767367b196c9830ff9c65411cf8dbd84794b9ae2b7ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe

Filesize
84KB

MD5
04971b0453aef4cb6f981457418ddacb

SHA1
bea1443215958753397a0ee07dfc287fc4a5033a

SHA256
67e2cc23d0d9600849c2fbfb8349996b48ae154637a7a089d54711f6a35baa09

SHA512
d49e5f3061f56de34f187889d83391a14d38fd838e9ab8c35a09d065a2e9de9223babc101c5cd137b6a55365fb580e52f581f7a9c5a8685ebe2710134c5592ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe

Filesize
84KB

MD5
04971b0453aef4cb6f981457418ddacb

SHA1
bea1443215958753397a0ee07dfc287fc4a5033a

SHA256
67e2cc23d0d9600849c2fbfb8349996b48ae154637a7a089d54711f6a35baa09

SHA512
d49e5f3061f56de34f187889d83391a14d38fd838e9ab8c35a09d065a2e9de9223babc101c5cd137b6a55365fb580e52f581f7a9c5a8685ebe2710134c5592ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\znfoudxb.exe

Filesize
84KB

MD5
04971b0453aef4cb6f981457418ddacb

SHA1
bea1443215958753397a0ee07dfc287fc4a5033a

SHA256
67e2cc23d0d9600849c2fbfb8349996b48ae154637a7a089d54711f6a35baa09

SHA512
d49e5f3061f56de34f187889d83391a14d38fd838e9ab8c35a09d065a2e9de9223babc101c5cd137b6a55365fb580e52f581f7a9c5a8685ebe2710134c5592ff

Download Submit
memory/2064-143-0x0000000000C40000-0x0000000000C5A000-memory.dmp

Filesize
104KB

Download
memory/2064-144-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/2064-145-0x0000000005D90000-0x0000000005E2C000-memory.dmp

Filesize
624KB

Download
memory/2680-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2680-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing