blustealer | 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1

General

Target

1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
Size

522KB
MD5

6874fa404214cace1c3e0607f827e16e
SHA1

110ca7ad3965a397badae82729be1c43ede7c670
SHA256

1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1
SHA512

41b384435b0ec80f44df6b4e2d45877b84160dd1067a6d04e7b5684a29e06ed4fddeef6e7fa8da08997c2aa3baebfc4a3a293ffe186b1d95bb757ef1db3dd26f
SSDEEP

12288:2GTIYlV2h+RZu5ZcgnziDG/kYiOaONNoZiXL1MkrupND6e:hIYlVDK8m2SsOVNNWiRMuFe

Score

10^/10

blustealer stormkitty stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4904-149-0x0000000001310000-0x000000000132A000-memory.dmp	family_stormkitty

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 4720 set thread context of 4904	4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
Token: SeDebugPrivilege	4904	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2180	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	91
PID 3936 wrote to memory of 2180	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	91
PID 3936 wrote to memory of 2180	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	91
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 3936 wrote to memory of 4720	3936	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	92
PID 4720 wrote to memory of 4904	4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	93
PID 4720 wrote to memory of 4904	4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	93
PID 4720 wrote to memory of 4904	4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	93
PID 4720 wrote to memory of 4904	4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	93
PID 4720 wrote to memory of 4904	4720	1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe	93

C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3936-141-0x000000000AE50000-0x000000000AEEC000-memory.dmp

Filesize
624KB

Download
memory/3936-147-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-135-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/3936-136-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/3936-137-0x00000000059F0000-0x0000000005A00000-memory.dmp

Filesize
64KB

Download
memory/3936-138-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/3936-139-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-140-0x00000000059F0000-0x0000000005A00000-memory.dmp

Filesize
64KB

Download
memory/3936-134-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-133-0x0000000000D50000-0x0000000000DD8000-memory.dmp

Filesize
544KB

Download
memory/4720-145-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-155-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4904-149-0x0000000001310000-0x000000000132A000-memory.dmp

Filesize
104KB

Download
memory/4904-151-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4904-150-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/4904-152-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4904-154-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing