blustealer | 1727599b52e24b71b4dc2e5e752f653bd9160dc77d6734bd0686bae753b0e362 | Triage

Submit
Reports

Overview

overview

Static

static

150c37f096...47.exe

windows7-x64

150c37f096...47.exe

windows10-2004-x64

Sharing

General

Target

150c37f09606d999aed77f1621657847.exe
Size

422KB
Sample

220921-gbrpaafcf3
MD5

150c37f09606d999aed77f1621657847
SHA1

a75789d5c83d6b2605dc1565f9af298610c557ec
SHA256

1727599b52e24b71b4dc2e5e752f653bd9160dc77d6734bd0686bae753b0e362
SHA512

55143a949d24649a7520c621f97c132e1f3aaa40a943096c78b43c021a7e22ef7f424d5d0eb3b4a95f6917deb44e33198c4be047d80630bc318d7f8f42de2e86
SSDEEP

12288:GENN+T5xYrllrU7QY6MGmp13LEiX5QypIUbMp6OHf:K5xolYQY65mp13LEiX5QypIUbMp6OHf

Score

10^/10

blustealer stormkitty collection evasion persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

150c37f09606d999aed77f1621657847.exe

Resource

win7-20220812-en

blustealer stormkitty collection evasion persistence stealer

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

150c37f09606d999aed77f1621657847.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection evasion persistence stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5651446034:AAHNSrQ1aoBX2vvQwJ01g6tQEdX-Me4aDUI/sendMessage?chat_id=5529858195

Targets

- Target
  
  150c37f09606d999aed77f1621657847.exe
- Size
  
  422KB
- MD5
  
  150c37f09606d999aed77f1621657847
- SHA1
  
  a75789d5c83d6b2605dc1565f9af298610c557ec
- SHA256
  
  1727599b52e24b71b4dc2e5e752f653bd9160dc77d6734bd0686bae753b0e362
- SHA512
  
  55143a949d24649a7520c621f97c132e1f3aaa40a943096c78b43c021a7e22ef7f424d5d0eb3b4a95f6917deb44e33198c4be047d80630bc318d7f8f42de2e86
- SSDEEP
  
  12288:GENN+T5xYrllrU7QY6MGmp13LEiX5QypIUbMp6OHf:K5xolYQY65mp13LEiX5QypIUbMp6OHf
Score

10^/10

blustealer stormkitty collection evasion persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionevasionpersistencestealer

behavioral2

blustealerstormkittycollectionevasionpersistencestealer

© 2018-2025

Terms | Privacy