blustealer | 6b3c502c1c7b53486fee54996d4c73905280fc76a897644b430d3c65a89ec381

General

Target

fatura643976,pdf.exe
Size

421KB
MD5

30caef35075e79f0a150e49e7fd665a9
SHA1

6cc67419a39d41ef1d98d7fc236470ef7b23a0ea
SHA256

6b3c502c1c7b53486fee54996d4c73905280fc76a897644b430d3c65a89ec381
SHA512

e4688addab4cdac3df8695cfecfb4719148dd14d04d0083645211a4180aea73e3d23484e63b8d2241d43318b49748dcb55906b057e5ef7e17483a2a60f26b931
SSDEEP

6144:OYa6whAp081nNxvOjqKoeKQFXrKr/mpn4AkpFxbn8HnOYoqDz3Y1e:OY26nvmjqKoebFGro4RpFWOTYzo1e

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1640-71-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty
behavioral1/memory/1640-72-0x00000000000E4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1640-74-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty
behavioral1/memory/1640-76-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
900	fmmkfwck.exe
796	fmmkfwck.exe

Loads dropped DLL 3 IoCs

pid	Process
828	fatura643976,pdf.exe
828	fatura643976,pdf.exe
900	fmmkfwck.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\gebcp = "C:\\Users\\Admin\\AppData\\Roaming\\osjl\\sojmp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fmmkfwck.exe\" C:\\Users\\Admin\\AppData\\Local\\Temp\\w"	fmmkfwck.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 796	900	fmmkfwck.exe	28
PID 796 set thread context of 1640	796	fmmkfwck.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
900	fmmkfwck.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
796	fmmkfwck.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 900	828	fatura643976,pdf.exe	27
PID 828 wrote to memory of 900	828	fatura643976,pdf.exe	27
PID 828 wrote to memory of 900	828	fatura643976,pdf.exe	27
PID 828 wrote to memory of 900	828	fatura643976,pdf.exe	27
PID 900 wrote to memory of 796	900	fmmkfwck.exe	28
PID 900 wrote to memory of 796	900	fmmkfwck.exe	28
PID 900 wrote to memory of 796	900	fmmkfwck.exe	28
PID 900 wrote to memory of 796	900	fmmkfwck.exe	28
PID 900 wrote to memory of 796	900	fmmkfwck.exe	28
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29
PID 796 wrote to memory of 1640	796	fmmkfwck.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura643976,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura643976,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe
  "C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe" C:\Users\Admin\AppData\Local\Temp\wsfatqze.qc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe
    "C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe

Filesize
84KB

MD5
ab5c3b78cc034b88e5289f11f977184e

SHA1
5b705c3fddcc792e99318ae94a77ddeb4f42ae87

SHA256
c301c219333093b817496bdf4f0023c49414533855de0564a14261215654e348

SHA512
fe56b4428ab35512bcda00d685dc37cd7c1c0abe4515c291ff4c906e9f8a6b45bb77b8ae45bddd8b400a84bd1271924763e6ec8d44a31f82134d1b0884bb66ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe

Filesize
84KB

MD5
ab5c3b78cc034b88e5289f11f977184e

SHA1
5b705c3fddcc792e99318ae94a77ddeb4f42ae87

SHA256
c301c219333093b817496bdf4f0023c49414533855de0564a14261215654e348

SHA512
fe56b4428ab35512bcda00d685dc37cd7c1c0abe4515c291ff4c906e9f8a6b45bb77b8ae45bddd8b400a84bd1271924763e6ec8d44a31f82134d1b0884bb66ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmmkfwck.exe

Filesize
84KB

MD5
ab5c3b78cc034b88e5289f11f977184e

SHA1
5b705c3fddcc792e99318ae94a77ddeb4f42ae87

SHA256
c301c219333093b817496bdf4f0023c49414533855de0564a14261215654e348

SHA512
fe56b4428ab35512bcda00d685dc37cd7c1c0abe4515c291ff4c906e9f8a6b45bb77b8ae45bddd8b400a84bd1271924763e6ec8d44a31f82134d1b0884bb66ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxsewgw.dmh

Filesize
156KB

MD5
9ef9195ff8041d5d407493b229f4bacc

SHA1
1173c3debb17b75aeaf78d193a9fe61c4a270a50

SHA256
c45f4233dab83b7abc75d9a17cecd7c4f189771772d09de695e85ecbd0428f5f

SHA512
9b651e3832164da74265e86dbf0a2b3deb680bd6a15c7477c89fcba24e2942828f2661667aaabf802955b4a125d9190a87aac98084c427e203dedc4c9d86824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsfatqze.qc

Filesize
7KB

MD5
9895e54a683347ddd62483f8576618f5

SHA1
6130ca25510c9f0baf4357d2fcf07fb7dd709a24

SHA256
3b3a94018fcdfc8333980691ab09e5e52304b5d114b8aafb7af837dcfd912358

SHA512
61c7a910a3bfe91dd34010248ee905c530164df5316a3ed3454e467cbeb0f6901ac0fb49e16fe513916fc6222b26de01bd8983ac3fdf6c63970b97079a8442d9

Download Submit
\Users\Admin\AppData\Local\Temp\fmmkfwck.exe

Filesize
84KB

MD5
ab5c3b78cc034b88e5289f11f977184e

SHA1
5b705c3fddcc792e99318ae94a77ddeb4f42ae87

SHA256
c301c219333093b817496bdf4f0023c49414533855de0564a14261215654e348

SHA512
fe56b4428ab35512bcda00d685dc37cd7c1c0abe4515c291ff4c906e9f8a6b45bb77b8ae45bddd8b400a84bd1271924763e6ec8d44a31f82134d1b0884bb66ad

Download Submit
\Users\Admin\AppData\Local\Temp\fmmkfwck.exe

Filesize
84KB

MD5
ab5c3b78cc034b88e5289f11f977184e

SHA1
5b705c3fddcc792e99318ae94a77ddeb4f42ae87

SHA256
c301c219333093b817496bdf4f0023c49414533855de0564a14261215654e348

SHA512
fe56b4428ab35512bcda00d685dc37cd7c1c0abe4515c291ff4c906e9f8a6b45bb77b8ae45bddd8b400a84bd1271924763e6ec8d44a31f82134d1b0884bb66ad

Download Submit
\Users\Admin\AppData\Local\Temp\fmmkfwck.exe

Filesize
84KB

MD5
ab5c3b78cc034b88e5289f11f977184e

SHA1
5b705c3fddcc792e99318ae94a77ddeb4f42ae87

SHA256
c301c219333093b817496bdf4f0023c49414533855de0564a14261215654e348

SHA512
fe56b4428ab35512bcda00d685dc37cd7c1c0abe4515c291ff4c906e9f8a6b45bb77b8ae45bddd8b400a84bd1271924763e6ec8d44a31f82134d1b0884bb66ad

Download Submit
memory/796-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/796-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/828-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1640-74-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1640-76-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1640-71-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1640-69-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing