Overview

overview

10

Static

static

SWIFT_IMG_...df.exe

windows7-x64

9

SWIFT_IMG_...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SWIFT_IMG_20220901_00078666587900.pdf.exe

  • Size

    18KB

  • Sample

    220902-pe82qsdffp

  • MD5

    3ed262a5efb4d40d672c223b158a6b8a

  • SHA1

    8cfdcaab8fa52ed91f52fadef21a8489d24e5011

  • SHA256

    e9a11e6b848b855b9de1d62c8c5d75bb5b850b9e93b2d9d49ee9422950eff9ce

  • SHA512

    bca13e92ef2b67556df52cfa4f187be5c7bf8c4ea8d4799a5729dd680031f42c4e648aa47db49798785797dbd69f9f68f9b49165b16c62f02ea73435f1f6f42d

  • SSDEEP

    384:XasMoP+isALT5me9CI/euqrnHaFVoJagj6JKA4Q27u1wGuhGm:L3sE9LPdzNsXvuuGIG

Score
10/10
blustealerstormkittycollectiondiscoverypersistencestealer

Malware Config

Targets

    • Target

      SWIFT_IMG_20220901_00078666587900.pdf.exe

    • Size

      18KB

    • MD5

      3ed262a5efb4d40d672c223b158a6b8a

    • SHA1

      8cfdcaab8fa52ed91f52fadef21a8489d24e5011

    • SHA256

      e9a11e6b848b855b9de1d62c8c5d75bb5b850b9e93b2d9d49ee9422950eff9ce

    • SHA512

      bca13e92ef2b67556df52cfa4f187be5c7bf8c4ea8d4799a5729dd680031f42c4e648aa47db49798785797dbd69f9f68f9b49165b16c62f02ea73435f1f6f42d

    • SSDEEP

      384:XasMoP+isALT5me9CI/euqrnHaFVoJagj6JKA4Q27u1wGuhGm:L3sE9LPdzNsXvuuGIG

    Score
    10/10
    discoveryblustealerstormkittycollectionpersistencestealer

    • BluStealer

      A Modular information stealer written in Visual Basic.

      stealerblustealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks