Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2023 09:12
Static task
static1
Behavioral task
behavioral1
Sample
1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
-
Size
522KB
-
MD5
6874fa404214cace1c3e0607f827e16e
-
SHA1
110ca7ad3965a397badae82729be1c43ede7c670
-
SHA256
1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1
-
SHA512
41b384435b0ec80f44df6b4e2d45877b84160dd1067a6d04e7b5684a29e06ed4fddeef6e7fa8da08997c2aa3baebfc4a3a293ffe186b1d95bb757ef1db3dd26f
-
SSDEEP
12288:2GTIYlV2h+RZu5ZcgnziDG/kYiOaONNoZiXL1MkrupND6e:hIYlVDK8m2SsOVNNWiRMuFe
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/4904-149-0x0000000001310000-0x000000000132A000-memory.dmp family_stormkitty -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 29 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3936 set thread context of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 4720 set thread context of 4904 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe Token: SeDebugPrivilege 4904 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3936 wrote to memory of 2180 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 91 PID 3936 wrote to memory of 2180 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 91 PID 3936 wrote to memory of 2180 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 91 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 3936 wrote to memory of 4720 3936 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 92 PID 4720 wrote to memory of 4904 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 93 PID 4720 wrote to memory of 4904 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 93 PID 4720 wrote to memory of 4904 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 93 PID 4720 wrote to memory of 4904 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 93 PID 4720 wrote to memory of 4904 4720 1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"2⤵PID:2180
-
-
C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
-
Network
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request69.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request108.211.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request108.211.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesticanhazip.comIN AResponseicanhazip.comIN A104.18.114.97icanhazip.comIN A104.18.115.97
-
Remote address:104.18.114.97:80RequestGET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=Wef1w8fdw9Sw7FwreuKfDs1aoQVB_PEX5YQmYNeZWBg-1691918028-0-AZkAIYmQTwQGU9jlPLIm6zqc26pvBOTztMnxUkMeueBt+0QPgNgSHTNDrDVqMbrXY0nW7NgCRsljAJBPqfEmZdQ=; path=/; expires=Sun, 13-Aug-23 09:43:48 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 7f5fd81cce000c69-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Request97.114.18.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.208.79.178.in-addr.arpaIN PTRResponse1.208.79.178.in-addr.arpaIN PTRhttps-178-79-208-1amsllnwnet
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request254.136.241.8.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request210.143.182.52.in-addr.arpaIN PTRResponse
-
293 B 663 B 5 3
HTTP Request
GET http://icanhazip.com/HTTP Response
200
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
69.31.126.40.in-addr.arpa
-
74 B 145 B 1 1
DNS Request
108.211.229.192.in-addr.arpa
-
365 B 5
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
-
74 B 145 B 1 1
DNS Request
108.211.229.192.in-addr.arpa
-
59 B 91 B 1 1
DNS Request
icanhazip.com
DNS Response
104.18.114.97104.18.115.97
-
72 B 134 B 1 1
DNS Request
97.114.18.104.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
1.208.79.178.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
72 B 126 B 1 1
DNS Request
254.136.241.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
210.143.182.52.in-addr.arpa