General
- Target: Demurrage_INV.pdf.exe
- Size: 1.1MB
- Sample: 220912-jnn52agegl
- MD5: 54eaae9681e7c7ae7dedfab196e2f5bb
- SHA1: 7c8ff9bf1fad84d2761a7afd951a33ac752d0fe2
- SHA256: 1e2429d09e5be15e508b698e1800ba6d3c961d577d49ec21282f5b2f100a971f
- SHA512: 3b64610fa0f5d537aa17b95a78107975b0854478ef91571cde1d367a7b903d340ef1e6ad63b13664d343895443df052a762bf349238719b5ceee3228a42d2c83
- SSDEEP: 12288:1BUaDvrv6xqVb6RMQhgTvv7RrDIJyPuc2claJKlll6gmsASYe4lbxKcXLnMYv9W:1TDvrvOqbl5NOwJ2cl9lllJYv
Static task
- static1
Behavioral tasks
- behavioral1: Sample Demurrage_INV.pdf.exe; Resource win7-20220812-en
- behavioral2: Sample Demurrage_INV.pdf.exe; Resource win10v2004-20220812-en
Malware Config
- Extracted family: blustealer
- URL: https://api.telegram.org/bot5472661190:AAH0_Es3-7EvHKo3diARLmBSPyMQ64sYLC8/sendMessage?chat_id=1148000519
Targets
- Target: Demurrage_INV.pdf.exe
- Size: 1.1MB
Score: 10/10
- StormKitty payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext