blustealer | 81d63eb754d5bf8897acfeb9762031fbe00d197c45aed84f2fe069dcd78109a1

General

Target

fatura002344567,pdf.exe
Size

266KB
MD5

e8a06710a9e1f2ae99424343e6f79cbc
SHA1

661eccd39e082d74b28f0c2bba440d7b7f8033cd
SHA256

81d63eb754d5bf8897acfeb9762031fbe00d197c45aed84f2fe069dcd78109a1
SHA512

42743045b9a7dad90688a10cf2679f1256f13bea2d97d3117c84ba1eb17c16f81ad40e14858a246da6dd538ab834855560ae89394d945eb6679a3c4c7a844f6c
SSDEEP

6144:IYa6ub7aTUXh2l9RT70FYe5Avpc1jJdGuf:IYgXaW21W5Av25/f

Score

10^/10

blustealer stormkitty collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1976-143-0x0000000000F90000-0x0000000000FAA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
3064	wtvubszfcs.exe
4476	wtvubszfcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 4476	3064	wtvubszfcs.exe	77
PID 4476 set thread context of 1976	4476	wtvubszfcs.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3064	wtvubszfcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4476	wtvubszfcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3064	4624	fatura002344567,pdf.exe	76
PID 4624 wrote to memory of 3064	4624	fatura002344567,pdf.exe	76
PID 4624 wrote to memory of 3064	4624	fatura002344567,pdf.exe	76
PID 3064 wrote to memory of 4476	3064	wtvubszfcs.exe	77
PID 3064 wrote to memory of 4476	3064	wtvubszfcs.exe	77
PID 3064 wrote to memory of 4476	3064	wtvubszfcs.exe	77
PID 3064 wrote to memory of 4476	3064	wtvubszfcs.exe	77
PID 4476 wrote to memory of 1976	4476	wtvubszfcs.exe	79
PID 4476 wrote to memory of 1976	4476	wtvubszfcs.exe	79
PID 4476 wrote to memory of 1976	4476	wtvubszfcs.exe	79
PID 4476 wrote to memory of 1976	4476	wtvubszfcs.exe	79
PID 4476 wrote to memory of 1976	4476	wtvubszfcs.exe	79

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura002344567,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura002344567,pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe
  "C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe" C:\Users\Admin\AppData\Local\Temp\rjzgh.nmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe
    "C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1976

Network

DNS

icanhazip.com

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

icanhazip.com

IN A

Response

icanhazip.com

IN A

104.18.115.97

icanhazip.com

IN A

104.18.114.97
GET

http://icanhazip.com/

AppLaunch.exe

Remote address:

104.18.115.97:80

Request

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 18 Jan 2023 09:37:33 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=hP2YjoBCptksdX9o4j9yYK85sgA3PT8CNpUZRvzM27Y-1674034653-0-AXgbLMRvTdOaTfaGa9vit8s8+yFsBumrgvpGYQeg2IBmfJq/zAW9OC1ZwIKoLng+ZuEoq7cFb8jhw23mScMyn/w=; path=/; expires=Wed, 18-Jan-23 10:07:33 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 78b65a460a860e84-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

52.178.17.2:443

322 B
7
104.18.115.97:80

http://icanhazip.com/

http

AppLaunch.exe

293 B
687 B
5
3

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
52.109.76.31:443

322 B
7

8.8.8.8:53

icanhazip.com

dns

AppLaunch.exe

59 B
91 B
1
1

DNS Request

icanhazip.com

DNS Response

104.18.115.97

104.18.114.97

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lkerzzgm.g

Filesize
156KB

MD5
041d361175b37e92cb22762db429aa5a

SHA1
f3039e1cf1f14cfa91353c3ba321b1a6552b8082

SHA256
fd264d1eb5a555bbb5226fcd900a30c2787f3563df202784ade2e0735532096c

SHA512
714feb402ca881636caf3c14b6d8ec594995a879a73da890b8870519fc9abe7be2671052643f0af96c90b56caf8caef39c3807c8baed0a81fb2573faec3a2338

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjzgh.nmp

Filesize
5KB

MD5
fe072a1513d78b94bc7a31f3f645e35a

SHA1
14e2aedcbf424c60ea0fb8c7a97ce4b8121713d3

SHA256
1f4e649dc723e124cf08fb63255641743182e3437a3dbfcfcc478cda5b2814d5

SHA512
c9f0e3ff0d8f61fa6e2d247a3415882438594425e6680f47b26bba4c9b9253570106bf51e726f0b862e66542499c3ffd7a4833a8231f5dc91c5cae2ac2711323

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe

Filesize
53KB

MD5
11c3c3d980c8012fe7545e05fd4dc2aa

SHA1
9263f9e2e3642b6fe21a4dd25f3e599b75d25deb

SHA256
8439bcb060273ce0b7d1f532057e7d4df41aec2bf1b3b105f3e737b38153f1ca

SHA512
6befc1332c4b73fcd23c44ebcce8cdc94c44d51ab33e6dd8e093e99223f30462729f115d64ec96b72878028bad9da72e62a112d07beee47ebfe10cbdd409657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe

Filesize
53KB

MD5
11c3c3d980c8012fe7545e05fd4dc2aa

SHA1
9263f9e2e3642b6fe21a4dd25f3e599b75d25deb

SHA256
8439bcb060273ce0b7d1f532057e7d4df41aec2bf1b3b105f3e737b38153f1ca

SHA512
6befc1332c4b73fcd23c44ebcce8cdc94c44d51ab33e6dd8e093e99223f30462729f115d64ec96b72878028bad9da72e62a112d07beee47ebfe10cbdd409657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvubszfcs.exe

Filesize
53KB

MD5
11c3c3d980c8012fe7545e05fd4dc2aa

SHA1
9263f9e2e3642b6fe21a4dd25f3e599b75d25deb

SHA256
8439bcb060273ce0b7d1f532057e7d4df41aec2bf1b3b105f3e737b38153f1ca

SHA512
6befc1332c4b73fcd23c44ebcce8cdc94c44d51ab33e6dd8e093e99223f30462729f115d64ec96b72878028bad9da72e62a112d07beee47ebfe10cbdd409657e

Download Submit
memory/1976-143-0x0000000000F90000-0x0000000000FAA000-memory.dmp

Filesize
104KB

Download
memory/1976-144-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/1976-146-0x00000000060A0000-0x000000000613C000-memory.dmp

Filesize
624KB

Download
memory/4476-140-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4476-145-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.