blustealer | 342f87e6bb76f4915621c2c494c08be7cf1c265c9c6b41a7f5ac9fb50f2cbf06

General

Target

fatura643976_pdf.exe
Size

353KB
MD5

3b3a92de582ab24c08a82e9a845e4254
SHA1

2b5a886fbcf838b5837e6a3f980c6da06238b64a
SHA256

342f87e6bb76f4915621c2c494c08be7cf1c265c9c6b41a7f5ac9fb50f2cbf06
SHA512

f3daa31bb2153aa45bbe252ec4f88ef477207c8a542aa768e7e763bb85f070e3083ceda18f88448105729edac26452aedce47e9e11608f28f7a3b616efcb84ca
SSDEEP

6144:2Ya6UAmTALugWJ52FikZ4rk4aDvo/SOlqmizhHhu6edC:2YtO0ugWJw5Z4rQDmS9u6eI

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1048-143-0x0000000001200000-0x000000000121A000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
668	gnbimltqq.exe
4804	gnbimltqq.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xinqgplwkymnh = "C:\\Users\\Admin\\AppData\\Roaming\\dsgoa\\bvavmlpylaa.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\gnbimltqq.exe\" C:\\Users\\Admin\\AppData\\Loca"	gnbimltqq.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 668 set thread context of 4804	668	gnbimltqq.exe	80
PID 4804 set thread context of 1048	4804	gnbimltqq.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
668	gnbimltqq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4804	gnbimltqq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 668	3144	fatura643976_pdf.exe	79
PID 3144 wrote to memory of 668	3144	fatura643976_pdf.exe	79
PID 3144 wrote to memory of 668	3144	fatura643976_pdf.exe	79
PID 668 wrote to memory of 4804	668	gnbimltqq.exe	80
PID 668 wrote to memory of 4804	668	gnbimltqq.exe	80
PID 668 wrote to memory of 4804	668	gnbimltqq.exe	80
PID 668 wrote to memory of 4804	668	gnbimltqq.exe	80
PID 4804 wrote to memory of 1048	4804	gnbimltqq.exe	81
PID 4804 wrote to memory of 1048	4804	gnbimltqq.exe	81
PID 4804 wrote to memory of 1048	4804	gnbimltqq.exe	81
PID 4804 wrote to memory of 1048	4804	gnbimltqq.exe	81
PID 4804 wrote to memory of 1048	4804	gnbimltqq.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura643976_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura643976_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe
  "C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe" C:\Users\Admin\AppData\Local\Temp\rzomtvl.a
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe
    "C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe

Filesize
52KB

MD5
7f77c56b5a1ed634278d3c57659a9093

SHA1
8f249f07546a4840e44ca8d69a92558372ffe67b

SHA256
19210b19e9f1ec1a098f3def6f4758c3689a50ee3ef0da092efd131696c78556

SHA512
bf8bd5b5dff102c08e849ac8737970c08926f11deca91fd2a675a9631b0f82395ac1304917a85eece602a117a5bb96fb920cb0588ab0a83fad56d194d8b65f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe

Filesize
52KB

MD5
7f77c56b5a1ed634278d3c57659a9093

SHA1
8f249f07546a4840e44ca8d69a92558372ffe67b

SHA256
19210b19e9f1ec1a098f3def6f4758c3689a50ee3ef0da092efd131696c78556

SHA512
bf8bd5b5dff102c08e849ac8737970c08926f11deca91fd2a675a9631b0f82395ac1304917a85eece602a117a5bb96fb920cb0588ab0a83fad56d194d8b65f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnbimltqq.exe

Filesize
52KB

MD5
7f77c56b5a1ed634278d3c57659a9093

SHA1
8f249f07546a4840e44ca8d69a92558372ffe67b

SHA256
19210b19e9f1ec1a098f3def6f4758c3689a50ee3ef0da092efd131696c78556

SHA512
bf8bd5b5dff102c08e849ac8737970c08926f11deca91fd2a675a9631b0f82395ac1304917a85eece602a117a5bb96fb920cb0588ab0a83fad56d194d8b65f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljamwrfkuj.j

Filesize
156KB

MD5
f82b99ed44a256ae028dbfaf8bb88a53

SHA1
8dff576ef382c48e70bc75269df7c05746bb2704

SHA256
9923dbfc04dcc31fe57b8a927c14834ce8336565b21b2a376748265098cc67e6

SHA512
25dbd7cba2e723bcd9dbaac6699b464993b36c676bb46bae058225dbc56eda43b97079249cdc550cb6df35862e8a67741502bc740c9be8af87aaa6fcf047ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzomtvl.a

Filesize
7KB

MD5
536c6a1b2dc63b62bd098e0dcb9d0f7f

SHA1
9f1db0797ebf3a68a62c62ddbb98715ba375f4d2

SHA256
a35d7707897102e8871e2a325bad905905cdbfd8720a7a026d1b8964ad4eb1b4

SHA512
484c61296000b8e5b945064d3455bc8b9b626eb257aecad7e5291efc4a813df656c6777cee71488ec25d711991b06dc07027bcc0c1fa42da01934c7b37dd56b0

Download Submit
memory/1048-143-0x0000000001200000-0x000000000121A000-memory.dmp

Filesize
104KB

Download
memory/1048-144-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/1048-146-0x0000000006160000-0x00000000061FC000-memory.dmp

Filesize
624KB

Download
memory/4804-140-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4804-145-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing