blustealer | b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868

General

Target

fatura643900089,pdf.exe
Size

283KB
MD5

a5ab578b9acbbecc8eb7f52cfe6b53b5
SHA1

575935612d4f0d7e8c481251a13782a4ab2c9eaa
SHA256

b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868
SHA512

b53ba18ba9c535315d3ba23ad6e9fbd0d6d98536b4f09c42a684b8ad10bc5ea72763be36cd0bd023ca292b98954b667b3440f0ad68e06ef3e56640c3bdbd81ce
SSDEEP

6144:QYa6NgSECqpOY0DsSezKB0IvZ9v5R/ihbq/YS2S+dXIorT1ws7:QYbgQqpOY0DAKOI/v5R/i25B+dXIo9z7

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1292-71-0x0000000000190000-0x00000000001AA000-memory.dmp	family_stormkitty
behavioral1/memory/1292-72-0x00000000001A4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1292-74-0x0000000000190000-0x00000000001AA000-memory.dmp	family_stormkitty
behavioral1/memory/1292-76-0x0000000000190000-0x00000000001AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
2004	ibsjz.exe
556	ibsjz.exe

Loads dropped DLL 3 IoCs

pid	Process
1080	fatura643900089,pdf.exe
1080	fatura643900089,pdf.exe
2004	ibsjz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ywcspxvwhxriw = "C:\\Users\\Admin\\AppData\\Roaming\\hdurwnryu\\rfavjt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ibsjz.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem"	ibsjz.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 556	2004	ibsjz.exe	29
PID 556 set thread context of 1292	556	ibsjz.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2004	ibsjz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
556	ibsjz.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2004	1080	fatura643900089,pdf.exe	28
PID 1080 wrote to memory of 2004	1080	fatura643900089,pdf.exe	28
PID 1080 wrote to memory of 2004	1080	fatura643900089,pdf.exe	28
PID 1080 wrote to memory of 2004	1080	fatura643900089,pdf.exe	28
PID 2004 wrote to memory of 556	2004	ibsjz.exe	29
PID 2004 wrote to memory of 556	2004	ibsjz.exe	29
PID 2004 wrote to memory of 556	2004	ibsjz.exe	29
PID 2004 wrote to memory of 556	2004	ibsjz.exe	29
PID 2004 wrote to memory of 556	2004	ibsjz.exe	29
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30
PID 556 wrote to memory of 1292	556	ibsjz.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura643900089,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura643900089,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\ibsjz.exe
  "C:\Users\Admin\AppData\Local\Temp\ibsjz.exe" C:\Users\Admin\AppData\Local\Temp\pprcmgq.uv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\ibsjz.exe
    "C:\Users\Admin\AppData\Local\Temp\ibsjz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtunuoozxy.q

Filesize
156KB

MD5
c75dd08e91e7da5c3aa46c7e0809ed6b

SHA1
4d2f7da1aa907de03836a6323932f3c437a350b1

SHA256
f37f7e8ed66aafe161431a481a4a0d7f0b31933d9a9cf686a181b2ec72e25e9a

SHA512
1dfa33a8504057f227b31c47b29a8c3087a5574d041b71de5d5ef5560c6692a139ad853d00b015bff78221b3923ddd2327b3ef348cd43596df7e4ac636fb9ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibsjz.exe

Filesize
48KB

MD5
70374a3536736f609a8a022bc2c30aca

SHA1
25b8d77d9c005ccb352d27c791335e1820de5737

SHA256
4241ca5a7d1805f1ab9b52e484e550b5867806e5fdc3babea115a00af4ac63da

SHA512
91e27e06f080776d46ada651c795274896af3cdf97195a29bf9bc6a112966df3d86397aa668059af75bb09c8cbf90986a58270b27bf1f507a7d1e18778875225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibsjz.exe

Filesize
48KB

MD5
70374a3536736f609a8a022bc2c30aca

SHA1
25b8d77d9c005ccb352d27c791335e1820de5737

SHA256
4241ca5a7d1805f1ab9b52e484e550b5867806e5fdc3babea115a00af4ac63da

SHA512
91e27e06f080776d46ada651c795274896af3cdf97195a29bf9bc6a112966df3d86397aa668059af75bb09c8cbf90986a58270b27bf1f507a7d1e18778875225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibsjz.exe

Filesize
48KB

MD5
70374a3536736f609a8a022bc2c30aca

SHA1
25b8d77d9c005ccb352d27c791335e1820de5737

SHA256
4241ca5a7d1805f1ab9b52e484e550b5867806e5fdc3babea115a00af4ac63da

SHA512
91e27e06f080776d46ada651c795274896af3cdf97195a29bf9bc6a112966df3d86397aa668059af75bb09c8cbf90986a58270b27bf1f507a7d1e18778875225

Download Submit
C:\Users\Admin\AppData\Local\Temp\pprcmgq.uv

Filesize
7KB

MD5
d458af914a702b809cee8fd9f33e8a3a

SHA1
3e81bb59ff2ebf01c771cd26c8d602f8029645a3

SHA256
cb3b19a9103ac3b5d0dc46f20d627c52df49434752d58ce13b9d0429f1eca1f3

SHA512
2d170ae9b415807c85aaa35fce0f3910fbb78837f88ae980e7f04797f65472be64ea09571303e1939efe7d0faeb467c9c8428fc848da9bfc5868533ef8deef9c

Download Submit
\Users\Admin\AppData\Local\Temp\ibsjz.exe

Filesize
48KB

MD5
70374a3536736f609a8a022bc2c30aca

SHA1
25b8d77d9c005ccb352d27c791335e1820de5737

SHA256
4241ca5a7d1805f1ab9b52e484e550b5867806e5fdc3babea115a00af4ac63da

SHA512
91e27e06f080776d46ada651c795274896af3cdf97195a29bf9bc6a112966df3d86397aa668059af75bb09c8cbf90986a58270b27bf1f507a7d1e18778875225

Download Submit
\Users\Admin\AppData\Local\Temp\ibsjz.exe

Filesize
48KB

MD5
70374a3536736f609a8a022bc2c30aca

SHA1
25b8d77d9c005ccb352d27c791335e1820de5737

SHA256
4241ca5a7d1805f1ab9b52e484e550b5867806e5fdc3babea115a00af4ac63da

SHA512
91e27e06f080776d46ada651c795274896af3cdf97195a29bf9bc6a112966df3d86397aa668059af75bb09c8cbf90986a58270b27bf1f507a7d1e18778875225

Download Submit
\Users\Admin\AppData\Local\Temp\ibsjz.exe

Filesize
48KB

MD5
70374a3536736f609a8a022bc2c30aca

SHA1
25b8d77d9c005ccb352d27c791335e1820de5737

SHA256
4241ca5a7d1805f1ab9b52e484e550b5867806e5fdc3babea115a00af4ac63da

SHA512
91e27e06f080776d46ada651c795274896af3cdf97195a29bf9bc6a112966df3d86397aa668059af75bb09c8cbf90986a58270b27bf1f507a7d1e18778875225

Download Submit
memory/556-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/556-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1080-54-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1292-69-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download
memory/1292-71-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download
memory/1292-74-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download
memory/1292-76-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing