blustealer | 1ad0802a8ec7e2b02a912133947517e4b4b610426c5e278736e9de706956a97c

General

Target

hesaphareketi-02.exe
Size

286KB
MD5

020e8635c55df66681cd92163a811c7a
SHA1

21bf156059620f64f48b6a2e6564100108811dd2
SHA256

1ad0802a8ec7e2b02a912133947517e4b4b610426c5e278736e9de706956a97c
SHA512

3a737b8e6522af47ebeb29ea066bb89b520a86e6750762923aff52fb0430b9a6ba7724257e690cd6187e8d2a3079f0d6e4f8d78235363a842bc107e4f08fd457
SSDEEP

6144:WYa6NgSECqpOY00ZoaXPx9KYLENxmmz5g7oe29:WYbgQqpOY00zXPMW7U

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4728-143-0x0000000000BA0000-0x0000000000BBA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
3176	rirpsbo.exe
4476	rirpsbo.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yqciwevsekycu = "C:\\Users\\Admin\\AppData\\Roaming\\ltybxsmfuowm\\btdc.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rirpsbo.exe\" C:\\Users\\Admin\\AppData\\Local\\"	rirpsbo.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3176 set thread context of 4476	3176	rirpsbo.exe	83
PID 4476 set thread context of 4728	4476	rirpsbo.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3176	rirpsbo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4476	rirpsbo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3176	4944	hesaphareketi-02.exe	82
PID 4944 wrote to memory of 3176	4944	hesaphareketi-02.exe	82
PID 4944 wrote to memory of 3176	4944	hesaphareketi-02.exe	82
PID 3176 wrote to memory of 4476	3176	rirpsbo.exe	83
PID 3176 wrote to memory of 4476	3176	rirpsbo.exe	83
PID 3176 wrote to memory of 4476	3176	rirpsbo.exe	83
PID 3176 wrote to memory of 4476	3176	rirpsbo.exe	83
PID 4476 wrote to memory of 4728	4476	rirpsbo.exe	84
PID 4476 wrote to memory of 4728	4476	rirpsbo.exe	84
PID 4476 wrote to memory of 4728	4476	rirpsbo.exe	84
PID 4476 wrote to memory of 4728	4476	rirpsbo.exe	84
PID 4476 wrote to memory of 4728	4476	rirpsbo.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-02.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-02.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe
  "C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe" C:\Users\Admin\AppData\Local\Temp\hfjjyxtqyag.bxm
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe
    "C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hfjjyxtqyag.bxm

Filesize
7KB

MD5
aa27677343aa570535825c3cec2f1502

SHA1
da331f227ea74b1f22816703bdb21cca319dc8a4

SHA256
c04955cd1071e5cccd5ba567ec8c263e33cbce7e25f30392127411f1e12f0c16

SHA512
467fe8258648c311c733f4067af4aacde93f5d7895e70be4a5c5915202e8bd49b6ca5521e50eef97f3aac849f543ca77ec722dbf7dba13ccecd3715c84cc5f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe

Filesize
53KB

MD5
45093aa0671a150a5ba65e9c141a6769

SHA1
89c04a2ff8f849eb935c10880b70d332d111693e

SHA256
a5cc03d5211a424e31074309dee6c708547941905a287d416e3462c861152cd0

SHA512
0d3ae4f90dd0e1830dc8833d76501e41aedada4dbf899bdb682cb53556551e73d95344d208a23c096f0404d7a7d21939b4258ee4487b0a9c1d2e89715a773404

Download Submit
C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe

Filesize
53KB

MD5
45093aa0671a150a5ba65e9c141a6769

SHA1
89c04a2ff8f849eb935c10880b70d332d111693e

SHA256
a5cc03d5211a424e31074309dee6c708547941905a287d416e3462c861152cd0

SHA512
0d3ae4f90dd0e1830dc8833d76501e41aedada4dbf899bdb682cb53556551e73d95344d208a23c096f0404d7a7d21939b4258ee4487b0a9c1d2e89715a773404

Download Submit
C:\Users\Admin\AppData\Local\Temp\rirpsbo.exe

Filesize
53KB

MD5
45093aa0671a150a5ba65e9c141a6769

SHA1
89c04a2ff8f849eb935c10880b70d332d111693e

SHA256
a5cc03d5211a424e31074309dee6c708547941905a287d416e3462c861152cd0

SHA512
0d3ae4f90dd0e1830dc8833d76501e41aedada4dbf899bdb682cb53556551e73d95344d208a23c096f0404d7a7d21939b4258ee4487b0a9c1d2e89715a773404

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuhzdhn.tse

Filesize
156KB

MD5
e7ec85d99291702c6eeddcafbb18d0f8

SHA1
597940a25a8d2f38ee0315a6f68cc28a97b758a2

SHA256
0f43f0deecff37062ca0b48bc7e1f2c2d0352e52946d6dd3def105d5d8e83948

SHA512
a7393bc8e2b68a3b9ca8fd5e3b4830fc4bee109fdd4d3918544e3fbb1d8f67e2e9e67c300621414949ef19c865a8e1f0e542c9ff8dc1193e1061d0108bd28bbe

Download Submit
memory/4476-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4476-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4728-143-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

Filesize
104KB

Download
memory/4728-144-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/4728-145-0x00000000059D0000-0x0000000005A6C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing