blustealer | 5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2023 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe
Size

205KB
MD5

31503bd1455f4dc0288263ecbc7af2d4
SHA1

ac35a7aa76f1b8c9be148f2a835adb12295125ce
SHA256

5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56
SHA512

0dc1124cf9b6189e43a4cddd9045e2f13845e6d935fd72faee52331fc070c0a979a66657df0332c91850e620bdf368bab0d33561fc6051055b1597ad2a7e0f5a
SSDEEP

3072:ayEdA7fMpvQVOl3uutPT8ahmHwbQ6rLr4UEW4FP1y86vLabNCdRQav3Iyc2Ab8Fs:a23UTLhmQs6rlEWApqLaUdRrPAbin4

Score

10^/10

blustealer stormkitty stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot6055609563:AAEfBlANuysNS3Feagncr0tioVRR2TOueCY/sendMessage?chat_id=6188873948

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3300-141-0x0000000000720000-0x000000000073A000-memory.dmp	family_stormkitty

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 2648 set thread context of 3300	2648	Caspol.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	Caspol.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 3532 wrote to memory of 2648	3532	5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe	83
PID 2648 wrote to memory of 3300	2648	Caspol.exe	84
PID 2648 wrote to memory of 3300	2648	Caspol.exe	84
PID 2648 wrote to memory of 3300	2648	Caspol.exe	84
PID 2648 wrote to memory of 3300	2648	Caspol.exe	84
PID 2648 wrote to memory of 3300	2648	Caspol.exe	84

C:\Users\Admin\AppData\Local\Temp\5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe
"C:\Users\Admin\AppData\Local\Temp\5afb4e6a861525cd433a70e5249c5a85573b4282f1b292e175f4737ba13eff56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2648-134-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2648-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2648-149-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3300-141-0x0000000000720000-0x000000000073A000-memory.dmp

Filesize
104KB

Download
memory/3300-142-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-143-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/3300-144-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/3300-145-0x00000000055B0000-0x000000000564C000-memory.dmp

Filesize
624KB

Download
memory/3300-147-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-133-0x000002642B090000-0x000002642B0C4000-memory.dmp

Filesize
208KB

Download
memory/3532-136-0x00007FFC1E5C0000-0x00007FFC1F081000-memory.dmp

Filesize
10.8MB

Download
memory/3532-148-0x00007FFC1E5C0000-0x00007FFC1F081000-memory.dmp

Filesize
10.8MB

Download