blustealer | 3f72559d8006b06384919574af6bfbc80f6dc43774cd56c0754ae2cc8898ef83

General

Target

Halkbank_Ekstre_202301901_142426_2309801.doc.exe
Size

440KB
MD5

5497b520750b56b52f2e83664c42b8b9
SHA1

e954f6a3e4e870d07045607c0e8a68a6b81a8fcd
SHA256

3f72559d8006b06384919574af6bfbc80f6dc43774cd56c0754ae2cc8898ef83
SHA512

7290cce10407c967ae7bb00b618b0123af1df127dcd69062f174ba0b87a772cd2bb0af9c6380ecd3f21f99e071ea8c7febcc057f838db72590600980be9bbcb2
SSDEEP

6144:ZYa6dITud1s4W8q9UdkRmDzR8ffwtQozmodL1qjF/2+oE8eTbYNwESdXTx:ZYcTudK4WL9lUAAtioZIjHoE84nf

Score

10^/10

blustealer stormkitty collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2880-143-0x0000000001310000-0x000000000132A000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

Processes:

sispkeaz.exesispkeaz.exe

pid process

4440 sispkeaz.exe
1392 sispkeaz.exe

pid	process
4440	sispkeaz.exe
1392	sispkeaz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 icanhazip.com

flow	ioc
18	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

sispkeaz.exesispkeaz.exe

description	pid	process	target process
PID 4440 set thread context of 1392	4440	sispkeaz.exe	sispkeaz.exe
PID 1392 set thread context of 2880	1392	sispkeaz.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sispkeaz.exe

pid process

4440 sispkeaz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2880 AppLaunch.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sispkeaz.exe

pid process

1392 sispkeaz.exe

pid	process
4440	sispkeaz.exe

description	pid	process
Token: SeDebugPrivilege	2880	AppLaunch.exe

pid	process
1392	sispkeaz.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Halkbank_Ekstre_202301901_142426_2309801.doc.exesispkeaz.exesispkeaz.exe

description	pid	process	target process
PID 1556 wrote to memory of 4440	1556	Halkbank_Ekstre_202301901_142426_2309801.doc.exe	sispkeaz.exe
PID 1556 wrote to memory of 4440	1556	Halkbank_Ekstre_202301901_142426_2309801.doc.exe	sispkeaz.exe
PID 1556 wrote to memory of 4440	1556	Halkbank_Ekstre_202301901_142426_2309801.doc.exe	sispkeaz.exe
PID 4440 wrote to memory of 1392	4440	sispkeaz.exe	sispkeaz.exe
PID 4440 wrote to memory of 1392	4440	sispkeaz.exe	sispkeaz.exe
PID 4440 wrote to memory of 1392	4440	sispkeaz.exe	sispkeaz.exe
PID 4440 wrote to memory of 1392	4440	sispkeaz.exe	sispkeaz.exe
PID 1392 wrote to memory of 2880	1392	sispkeaz.exe	AppLaunch.exe
PID 1392 wrote to memory of 2880	1392	sispkeaz.exe	AppLaunch.exe
PID 1392 wrote to memory of 2880	1392	sispkeaz.exe	AppLaunch.exe
PID 1392 wrote to memory of 2880	1392	sispkeaz.exe	AppLaunch.exe
PID 1392 wrote to memory of 2880	1392	sispkeaz.exe	AppLaunch.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_202301901_142426_2309801.doc.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_202301901_142426_2309801.doc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe
"C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe" C:\Users\Admin\AppData\Local\Temp\icbvmpleuhs.rta
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe
"C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
4⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\icbvmpleuhs.rta
Filesize
5KB

MD5
1d859a4a87a00863d5f20dff301ea791

SHA1
73872878aeaa120005c2d3cfbf9e65769a7b656d

SHA256
468a9bd92147a4f90da867b6e5c602c009c640e607a9a91c2b434b003e93153f

SHA512
1fb2bad7b11044a61d7646b015d61e87901cfde137c0df27e78fdd94e3f6115f16615d2b2e2304dbb9579ddefe50a4e51c38f2dc879296334ea74b120e5b9c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtiebamce.yyv
Filesize
156KB

MD5
98259b7c554f6d821d637154f8a2af60

SHA1
ae7355c1831e446d86f9939e477716dcd1f5f0c7

SHA256
1d184ad42fd25877860aa7dd92c2d1e1b00f401b8305965e4e59251be0f54670

SHA512
4b7729b0cdb6c4da5c179ef9d06a4d094d825fabf7f67242958760f21b5178abe8f6d34a80520191e7d18494c2e4d6727a02ca80a21941ed38405a62c8895abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe
Filesize
49KB

MD5
80ca1bf4d1fd22cfaeb69f8e952c4555

SHA1
e5d54a408e9a971f12752bb54b03f619bf33fd6c

SHA256
550ecef9fc816c553037caf1bfe514c7a5a6239565fb627001b8748a260166af

SHA512
93f5e048d43fe3a60596c887fee716b4c8e34eca9695c5c641c7f3f66509f502092856c70773f0a38c3381f633f84a0416edb88770c427864749f3682aa44acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe
Filesize
49KB

MD5
80ca1bf4d1fd22cfaeb69f8e952c4555

SHA1
e5d54a408e9a971f12752bb54b03f619bf33fd6c

SHA256
550ecef9fc816c553037caf1bfe514c7a5a6239565fb627001b8748a260166af

SHA512
93f5e048d43fe3a60596c887fee716b4c8e34eca9695c5c641c7f3f66509f502092856c70773f0a38c3381f633f84a0416edb88770c427864749f3682aa44acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sispkeaz.exe
Filesize
49KB

MD5
80ca1bf4d1fd22cfaeb69f8e952c4555

SHA1
e5d54a408e9a971f12752bb54b03f619bf33fd6c

SHA256
550ecef9fc816c553037caf1bfe514c7a5a6239565fb627001b8748a260166af

SHA512
93f5e048d43fe3a60596c887fee716b4c8e34eca9695c5c641c7f3f66509f502092856c70773f0a38c3381f633f84a0416edb88770c427864749f3682aa44acd

Download Submit
memory/1392-137-0x0000000000000000-mapping.dmp

Download
memory/1392-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1392-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2880-142-0x0000000000000000-mapping.dmp

Download
memory/2880-143-0x0000000001310000-0x000000000132A000-memory.dmp

Filesize
104KB

Download
memory/2880-144-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/2880-145-0x0000000006370000-0x000000000640C000-memory.dmp

Filesize
624KB

Download
memory/4440-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads