blustealer | 5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56

General

Target

5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe
Size

205KB
MD5

31503bd1455f4dc0288263ecbc7af2d4
SHA1

ac35a7aa76f1b8c9be148f2a835adb12295125ce
SHA256

5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56
SHA512

0dc1124cf9b6189e43a4cddd9045e2f13845e6d935fd72faee52331fc070c0a979a66657df0332c91850e620bdf368bab0d33561fc6051055b1597ad2a7e0f5a
SSDEEP

3072:ayEdA7fMpvQVOl3uutPT8ahmHwbQ6rLr4UEW4FP1y86vLabNCdRQav3Iyc2Ab8Fs:a23UTLhmQs6rlEWApqLaUdRrPAbin4

Score

10^/10

blustealer stormkitty stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot6055609563:AAEfBlANuysNS3Feagncr0tioVRR2TOueCY/sendMessage?chat_id=6188873948

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/2604-72-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/2604-74-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/2604-76-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 2220 set thread context of 2604	2220	Caspol.exe	29

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	Caspol.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 1708 wrote to memory of 2220	1708	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	28
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29
PID 2220 wrote to memory of 2604	2220	Caspol.exe	29

C:\Users\Admin\AppData\Local\Temp\5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe
"C:\Users\Admin\AppData\Local\Temp\5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-66-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-55-0x0000000001350000-0x0000000001384000-memory.dmp

Filesize
208KB

Download
memory/1708-56-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1708-57-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1708-54-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2220-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2604-72-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2604-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-74-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2604-76-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2604-77-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-78-0x0000000000E70000-0x0000000000EB0000-memory.dmp

Filesize
256KB

Download
memory/2604-79-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-69-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing