blustealer | f4ad7b13417d362b3b2d2fbc085f85065da00f486a97a66643badb5d3a2d74ea

General

Target

ba6268a4198e952cbf7f0cd2af1151207dd0271331069176394539011db32354.js
Size

410KB
MD5

bcb9093850861749082e61b189227937
SHA1

0af77c3cd52b18828eb1a77867ce05e05d5bc31b
SHA256

ba6268a4198e952cbf7f0cd2af1151207dd0271331069176394539011db32354
SHA512

ce52bdd09673a56d968f14ca5c25ffa7040c143045f582f00630720bfa3f29b24f45145c6374cd051052411846cc14cb6c2d6bce0715dbf9b0153ebbef4e91db
SSDEEP

6144:8Fo+/qDQ5e3ID89uFO1U0PZbXWDtZTuAMmoqME+NYloH:vh8uID8O0xbyZTxZOYQ

Score

10^/10

blustealer stormkitty stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2204-160-0x0000000000390000-0x00000000003AA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
4372	hesaphareketi-01.pdf.exe
4252	hesaphareketi-01.pdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4252 set thread context of 2204	4252	hesaphareketi-01.pdf.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4252	hesaphareketi-01.pdf.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4372	4112	wscript.exe	81
PID 4112 wrote to memory of 4372	4112	wscript.exe	81
PID 4112 wrote to memory of 4372	4112	wscript.exe	81
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4372 wrote to memory of 4252	4372	hesaphareketi-01.pdf.exe	83
PID 4252 wrote to memory of 2204	4252	hesaphareketi-01.pdf.exe	86
PID 4252 wrote to memory of 2204	4252	hesaphareketi-01.pdf.exe	86
PID 4252 wrote to memory of 2204	4252	hesaphareketi-01.pdf.exe	86
PID 4252 wrote to memory of 2204	4252	hesaphareketi-01.pdf.exe	86
PID 4252 wrote to memory of 2204	4252	hesaphareketi-01.pdf.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ba6268a4198e952cbf7f0cd2af1151207dd0271331069176394539011db32354.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe

Filesize
307KB

MD5
2c3fbb2cee9b79530534e53064ff68a2

SHA1
0f8a016173e7202ec2abe46ae038016fcd1b7742

SHA256
0107b32e98dba4ef3826e16bd3d5e03a8b277a5bfe9bd20c5ee110596cf00f07

SHA512
d605dcef74eba2509d171b7853b95595d2166f0001974d25716b52a790939e0b3b563efb14d336c6eefdf8adf52f3f4a56782eb037ec31f4d8c7515b0bfd78ec

Download Submit
memory/2204-165-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2204-163-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/2204-162-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2204-161-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/2204-160-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download
memory/4252-166-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4252-156-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4252-152-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4372-146-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/4372-157-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4372-151-0x00000000056A0000-0x00000000056BE000-memory.dmp

Filesize
120KB

Download
memory/4372-150-0x0000000005840000-0x00000000058B6000-memory.dmp

Filesize
472KB

Download
memory/4372-149-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/4372-148-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/4372-147-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/4372-145-0x0000000000B60000-0x0000000000BB4000-memory.dmp

Filesize
336KB

Download
memory/4372-144-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing