blustealer | f4ad7b13417d362b3b2d2fbc085f85065da00f486a97a66643badb5d3a2d74ea

General

Target

ba6268a4198e952cbf7f0cd2af1151207dd0271331069176394539011db32354.js
Size

410KB
MD5

bcb9093850861749082e61b189227937
SHA1

0af77c3cd52b18828eb1a77867ce05e05d5bc31b
SHA256

ba6268a4198e952cbf7f0cd2af1151207dd0271331069176394539011db32354
SHA512

ce52bdd09673a56d968f14ca5c25ffa7040c143045f582f00630720bfa3f29b24f45145c6374cd051052411846cc14cb6c2d6bce0715dbf9b0153ebbef4e91db
SSDEEP

6144:8Fo+/qDQ5e3ID89uFO1U0PZbXWDtZTuAMmoqME+NYloH:vh8uID8O0xbyZTxZOYQ

Score

10^/10

blustealer stormkitty stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/2832-82-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/2832-84-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty
behavioral1/memory/2832-86-0x0000000000090000-0x00000000000AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
2584	hesaphareketi-01.pdf.exe
2772	hesaphareketi-01.pdf.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	hesaphareketi-01.pdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2772 set thread context of 2832	2772	hesaphareketi-01.pdf.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2772	hesaphareketi-01.pdf.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2584	1152	wscript.exe	28
PID 1152 wrote to memory of 2584	1152	wscript.exe	28
PID 1152 wrote to memory of 2584	1152	wscript.exe	28
PID 1152 wrote to memory of 2584	1152	wscript.exe	28
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2584 wrote to memory of 2772	2584	hesaphareketi-01.pdf.exe	29
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30
PID 2772 wrote to memory of 2832	2772	hesaphareketi-01.pdf.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ba6268a4198e952cbf7f0cd2af1151207dd0271331069176394539011db32354.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
memory/2584-60-0x0000000000F80000-0x0000000000FD4000-memory.dmp

Filesize
336KB

Download
memory/2584-61-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-62-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/2584-63-0x00000000009E0000-0x0000000000A20000-memory.dmp

Filesize
256KB

Download
memory/2584-64-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download
memory/2584-76-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-72-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-75-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2832-81-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-82-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2832-84-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2832-86-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/2832-87-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-88-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Filesize
256KB

Download
memory/2832-89-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-79-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing