blustealer | dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177

General

Target

fatura64390089,pdf.exe
Size

407KB
MD5

c05d621f037ac3934058043187adec75
SHA1

be6482abbdf88b6462293f4058f00c9b5d8de995
SHA256

dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177
SHA512

8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091
SSDEEP

12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/1988-71-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty
behavioral1/memory/1988-72-0x00000000000E4F6E-mapping.dmp	family_stormkitty
behavioral1/memory/1988-74-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty
behavioral1/memory/1988-76-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
1148	ffdkbznenn.exe
1100	ffdkbznenn.exe

Loads dropped DLL 3 IoCs

pid	Process
2012	fatura64390089,pdf.exe
2012	fatura64390089,pdf.exe
1148	ffdkbznenn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aupp = "C:\\Users\\Admin\\AppData\\Roaming\\xvfemejxi\\rqxm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ffdkbznenn.exe\" C:\\Users\\Admin\\AppData\\Local\\"	ffdkbznenn.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 1100	1148	ffdkbznenn.exe	28
PID 1100 set thread context of 1988	1100	ffdkbznenn.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1100	ffdkbznenn.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1148	ffdkbznenn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1100	ffdkbznenn.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1148	2012	fatura64390089,pdf.exe	27
PID 2012 wrote to memory of 1148	2012	fatura64390089,pdf.exe	27
PID 2012 wrote to memory of 1148	2012	fatura64390089,pdf.exe	27
PID 2012 wrote to memory of 1148	2012	fatura64390089,pdf.exe	27
PID 1148 wrote to memory of 1100	1148	ffdkbznenn.exe	28
PID 1148 wrote to memory of 1100	1148	ffdkbznenn.exe	28
PID 1148 wrote to memory of 1100	1148	ffdkbznenn.exe	28
PID 1148 wrote to memory of 1100	1148	ffdkbznenn.exe	28
PID 1148 wrote to memory of 1100	1148	ffdkbznenn.exe	28
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29
PID 1100 wrote to memory of 1988	1100	ffdkbznenn.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura64390089,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura64390089,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
  "C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe" C:\Users\Admin\AppData\Local\Temp\iiijlwhsvt.hcv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
    "C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe

Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe

Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe

Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiijlwhsvt.hcv

Filesize
7KB

MD5
57dc842d381d9d79fbc3ec8f3ebde260

SHA1
bc816ee4cb338e9486a2446d0f40d34ac7f017c4

SHA256
570080568f2d6becd79e7e76fb7499ee4924ad2b103b9cb037195cfbbaf52fed

SHA512
15ad3cc80f79825d00617d5fe1214a6cc8513d0d7a4714e5f7ba3c6a70960759b446d1d2ff456d1cedc779f93586d406123db3a77e782d3d199aa8d6b27ffe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\oabtivtl.s

Filesize
164KB

MD5
0ad27cb8fc43f58b4e8cef4931c5a5fd

SHA1
4a8f8c0e7070ffd8614174e1c6b19087ab2e5764

SHA256
bb858577716f072849106950e08834c35efd87de9e7d9b00e0082810e31ec202

SHA512
4338db180c0385206ab8b7b0e5473fdecc6a7599fc22b338c105adb73b2e72d328d89d2fbaf874d22135dd8ca98b4b1759e3a2d3cba312e0b7bdcf8e4f06698b

Download Submit
\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe

Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe

Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe

Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
memory/1100-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1100-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1988-69-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1988-71-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1988-74-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/1988-76-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing