Overview

overview

10

Static

static

hesapharek...df.exe

windows7-x64

10

hesapharek...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2023 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hesaphareketi-01.pdf.exe

  • Size

    358KB

  • MD5

    587a57c6f8590b6367d67b17fce54c0d

  • SHA1

    cbe56fc0d05531d2d9e7f5c4ef628e1a9941fba7

  • SHA256

    d03d5b49976a7d150f77a892f429ed698246930ba82e538b25f7835d67b9323d

  • SHA512

    3830c61306e797465d480e6330666575669d2e5860595c6378c270b5fcc60e0b13fc0cc51f8b95b6871f21d923c99a950027a9c7138efc28766308800a11c1d2

  • SSDEEP

    6144:oYa6Si77eBf68RvZWDvY4dUk931r+qzmnblebHqHhfM:oY4i46GhWDTldzacHqBU

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\AppData\Local\Temp\iaszff.exe
      "C:\Users\Admin\AppData\Local\Temp\iaszff.exe" C:\Users\Admin\AppData\Local\Temp\aoomwnkkess.t
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Users\Admin\AppData\Local\Temp\iaszff.exe
        "C:\Users\Admin\AppData\Local\Temp\iaszff.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:4396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aoomwnkkess.t
    Filesize

    5KB

    MD5

    768f9eebb890c8e8df663160aa8a4f2f

    SHA1

    b9085918f05cd335808b178d314f30ae2e5f0414

    SHA256

    18466ea3d268516177c8b4a69453117cc99eb92f717d5b7d33e08991e13bfdb2

    SHA512

    74a1a7055414ee1cf03f5fa9c3b3d12e38f21f79038ebc05308fc81c7cc1caa23275797f2921ddd1492edb2089435ceb60a4163617d91ad3a4e140849f981754

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cjkohdr.op
    Filesize

    156KB

    MD5

    7df2511e099d1d0b635a57aa73824795

    SHA1

    5ef5efb8113b95f0c248404e9d28e8752854abca

    SHA256

    170c2b0bfbb918fb3f1806c836086456dbdbcb421ff7bc74535e15342624a44a

    SHA512

    8ab646bacad5467247011e3a3a5439f8dd63a1c61b98fc282ac60791618aaaf7194df2e09115e786d1a600916efe6edf83dbe6aa4ad914e0938be61488a766ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iaszff.exe
    Filesize

    80KB

    MD5

    b9e8ce212ab0c4fe8a64dff29a99aeef

    SHA1

    9c86b09c0bcf382bd84e4d8364c42fcca65e4c26

    SHA256

    d62eb4efe7591dd9a762975ac373ea141a6f6a6a20fac45762953f1c353ed680

    SHA512

    0ad750ab9178c866711f9c80ccc5c5fa10fe32c5bb7cef29182e85d5ca83c1f21fa4a66ea467019ca9c9d7b1aa04cd08ae30d656f9f73beeb1a635224017bd57

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iaszff.exe
    Filesize

    80KB

    MD5

    b9e8ce212ab0c4fe8a64dff29a99aeef

    SHA1

    9c86b09c0bcf382bd84e4d8364c42fcca65e4c26

    SHA256

    d62eb4efe7591dd9a762975ac373ea141a6f6a6a20fac45762953f1c353ed680

    SHA512

    0ad750ab9178c866711f9c80ccc5c5fa10fe32c5bb7cef29182e85d5ca83c1f21fa4a66ea467019ca9c9d7b1aa04cd08ae30d656f9f73beeb1a635224017bd57

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iaszff.exe
    Filesize

    80KB

    MD5

    b9e8ce212ab0c4fe8a64dff29a99aeef

    SHA1

    9c86b09c0bcf382bd84e4d8364c42fcca65e4c26

    SHA256

    d62eb4efe7591dd9a762975ac373ea141a6f6a6a20fac45762953f1c353ed680

    SHA512

    0ad750ab9178c866711f9c80ccc5c5fa10fe32c5bb7cef29182e85d5ca83c1f21fa4a66ea467019ca9c9d7b1aa04cd08ae30d656f9f73beeb1a635224017bd57

    Download Submit

  • memory/1880-143-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1880-146-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4396-142-0x0000000000570000-0x000000000058A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4396-144-0x0000000004B50000-0x0000000004BB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4396-145-0x00000000054E0000-0x000000000557C000-memory.dmp

    Filesize

    624KB

    Download