General

  • Target

    Payment Slip_CityBank010922.exe

  • Size

    230KB

  • Sample

    220902-qg8pesgge6

  • MD5

    12efd73394350c0076c6839c475a8821

  • SHA1

    2f62d39d5742fa95e49b1cffce09bcf0b5638993

  • SHA256

    9ccd495500c30bd78504986105407a90a33189abba44925eb0877b494693026c

  • SHA512

    45c48509945314723844fc6af2e528121c3b7ded541ffe79106ea70540556269afcb26720b52559d8677425fc7a0f460abba6f5dd138580bf5ea1795a0fdac11

  • SSDEEP

    3072:nTN/T7gqPHIvuvHQFpaIYkKEPIFJzE17vte:F5VHsaIYkb

Malware Config

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks