blustealer | a9d460abe6b2e92e101bcf8d0d3a713c604019d385537590125699b4e5918108

General

Target

fatura6764355,pdf.exe
Size

365KB
MD5

b5eebe5b039a57b5c16495873a66b312
SHA1

df2a0fe56668093a1301e05fb849edb4cfef2de7
SHA256

a9d460abe6b2e92e101bcf8d0d3a713c604019d385537590125699b4e5918108
SHA512

072fc10c2a1bd4d71b1232264b77dc8cd434d0065c6a0ef1752eae2c57af628e40fa13ad1972d28336cb96eeb9a76df05a967655e3aadf20a295d3406f3f9308
SSDEEP

6144:YYa6YcpJFi31vGQkE/XKxNYk08nDfL6AJ8J0HK+IprN4h:YY/JIlv7eN24DfeAJ20HKxN6

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/872-71-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/872-72-0x00000000000A4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/872-74-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/872-76-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
968	dzgbuztv.exe
524	dzgbuztv.exe

Loads dropped DLL 3 IoCs

pid	Process
1328	fatura6764355,pdf.exe
1328	fatura6764355,pdf.exe
968	dzgbuztv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\jvgegl = "C:\\Users\\Admin\\AppData\\Roaming\\txrptshx\\scibcqrbtrgofm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dzgbuztv.exe\" C:\\Users\\Admin\\AppData"	dzgbuztv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 968 set thread context of 524	968	dzgbuztv.exe	30
PID 524 set thread context of 872	524	dzgbuztv.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
968	dzgbuztv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
524	dzgbuztv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 968	1328	fatura6764355,pdf.exe	28
PID 1328 wrote to memory of 968	1328	fatura6764355,pdf.exe	28
PID 1328 wrote to memory of 968	1328	fatura6764355,pdf.exe	28
PID 1328 wrote to memory of 968	1328	fatura6764355,pdf.exe	28
PID 968 wrote to memory of 524	968	dzgbuztv.exe	30
PID 968 wrote to memory of 524	968	dzgbuztv.exe	30
PID 968 wrote to memory of 524	968	dzgbuztv.exe	30
PID 968 wrote to memory of 524	968	dzgbuztv.exe	30
PID 968 wrote to memory of 524	968	dzgbuztv.exe	30
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31
PID 524 wrote to memory of 872	524	dzgbuztv.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura6764355,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura6764355,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe
  "C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe" C:\Users\Admin\AppData\Local\Temp\bngkounxv.gat
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe
    "C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bngkounxv.gat

Filesize
7KB

MD5
b4e432ebacd26ecd3982c0f9dce699ba

SHA1
cdf13ede706a9789e5f9f36e5e6b434af461f803

SHA256
1a6eaff769fc117886cc0d878c9cefe19b7ba4e766ee62a424f2faf4e65501e8

SHA512
a3ec5da37154329edece8986970c087dac48a0b0640db4e1587531ae2352967872af0eb4563d223574ee9c19d4b6b07754e6170e70b325c1d78853aef4ce53d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe

Filesize
46KB

MD5
109d7ccb376d588700f76789706ad71e

SHA1
d7f4995f6d9de76f7aa90880bb1cd31b70c1d808

SHA256
67440a36c78efa20ac75405351b67070b85844b4369e4bc489953b0f1aa1ea91

SHA512
b51c274a0eb3853ac0fd5d58d783ccb1477d5519f2eac1afbb8352ffb383a040642fda6a7ab81ae390d7ffceb88a0585474b2083bcf0d978c853ada38755dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe

Filesize
46KB

MD5
109d7ccb376d588700f76789706ad71e

SHA1
d7f4995f6d9de76f7aa90880bb1cd31b70c1d808

SHA256
67440a36c78efa20ac75405351b67070b85844b4369e4bc489953b0f1aa1ea91

SHA512
b51c274a0eb3853ac0fd5d58d783ccb1477d5519f2eac1afbb8352ffb383a040642fda6a7ab81ae390d7ffceb88a0585474b2083bcf0d978c853ada38755dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzgbuztv.exe

Filesize
46KB

MD5
109d7ccb376d588700f76789706ad71e

SHA1
d7f4995f6d9de76f7aa90880bb1cd31b70c1d808

SHA256
67440a36c78efa20ac75405351b67070b85844b4369e4bc489953b0f1aa1ea91

SHA512
b51c274a0eb3853ac0fd5d58d783ccb1477d5519f2eac1afbb8352ffb383a040642fda6a7ab81ae390d7ffceb88a0585474b2083bcf0d978c853ada38755dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfnuykch.y

Filesize
156KB

MD5
bc4346999a189c340f0b9aa630ed5f50

SHA1
36939d5f006f43a561e7f6b8755541a8bc083988

SHA256
d24bc7e0c09d64f27c0e2675f4ade416ef7cfa35559bae251c26d6daa3ccf280

SHA512
be9786d51ebad1fd43bc5c74bf604ebba9ddaa3bc43d076f69cd9e33d9b0ec1a564be82e08fb710b6bd5d50fc3520618d02efd7bca020700b838e5f370fa8bd1

Download Submit
\Users\Admin\AppData\Local\Temp\dzgbuztv.exe

Filesize
46KB

MD5
109d7ccb376d588700f76789706ad71e

SHA1
d7f4995f6d9de76f7aa90880bb1cd31b70c1d808

SHA256
67440a36c78efa20ac75405351b67070b85844b4369e4bc489953b0f1aa1ea91

SHA512
b51c274a0eb3853ac0fd5d58d783ccb1477d5519f2eac1afbb8352ffb383a040642fda6a7ab81ae390d7ffceb88a0585474b2083bcf0d978c853ada38755dc86

Download Submit
\Users\Admin\AppData\Local\Temp\dzgbuztv.exe

Filesize
46KB

MD5
109d7ccb376d588700f76789706ad71e

SHA1
d7f4995f6d9de76f7aa90880bb1cd31b70c1d808

SHA256
67440a36c78efa20ac75405351b67070b85844b4369e4bc489953b0f1aa1ea91

SHA512
b51c274a0eb3853ac0fd5d58d783ccb1477d5519f2eac1afbb8352ffb383a040642fda6a7ab81ae390d7ffceb88a0585474b2083bcf0d978c853ada38755dc86

Download Submit
\Users\Admin\AppData\Local\Temp\dzgbuztv.exe

Filesize
46KB

MD5
109d7ccb376d588700f76789706ad71e

SHA1
d7f4995f6d9de76f7aa90880bb1cd31b70c1d808

SHA256
67440a36c78efa20ac75405351b67070b85844b4369e4bc489953b0f1aa1ea91

SHA512
b51c274a0eb3853ac0fd5d58d783ccb1477d5519f2eac1afbb8352ffb383a040642fda6a7ab81ae390d7ffceb88a0585474b2083bcf0d978c853ada38755dc86

Download Submit
memory/524-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/524-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/872-71-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/872-74-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/872-76-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/872-69-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1328-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing