blustealer | b80d30b287b4ba5c153bac042a1a9eec6d746181b893717cbcb05ed3180d8d71 | Triage

Submit
Reports

Overview

overview

Static

static

NewXOrder.xlsm

windows7-x64

NewXOrder.xlsm

windows10-2004-x64

Sharing

General

Target

NewXOrder.xlsm
Size

42KB
Sample

220815-hms7xsfeer
MD5

1f972129c268128a9e63b03f166cd65a
SHA1

e19b5eed24f6d881338793e9f7218ff99c1d7981
SHA256

b80d30b287b4ba5c153bac042a1a9eec6d746181b893717cbcb05ed3180d8d71
SHA512

421fc17d3bb396d84907190a46df51851ddfafc7549e15f728f4a549d27f9fe2ab2723e0126599f260c58a3e165a5e128cc677a0cdeb7839e3e7e39ac6a0d90b

Score

10^/10

blustealer stormkitty collection stealer

Static task

static1

Behavioral task

behavioral1

Sample

NewXOrder.xlsm

Resource

win7-20220812-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

NewXOrder.xlsm

Resource

win10v2004-20220812-en

blustealer stormkitty collection stealer

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  NewXOrder.xlsm
- Size
  
  42KB
- MD5
  
  1f972129c268128a9e63b03f166cd65a
- SHA1
  
  e19b5eed24f6d881338793e9f7218ff99c1d7981
- SHA256
  
  b80d30b287b4ba5c153bac042a1a9eec6d746181b893717cbcb05ed3180d8d71
- SHA512
  
  421fc17d3bb396d84907190a46df51851ddfafc7549e15f728f4a549d27f9fe2ab2723e0126599f260c58a3e165a5e128cc677a0cdeb7839e3e7e39ac6a0d90b
Score

10^/10

blustealer stormkitty collection stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

blustealerstormkittycollectionstealer

© 2018-2025

Terms | Privacy