General

  • Target: 475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220.exe
  • Size: 777KB
  • Sample: 221010-m188hsbed7
  • MD5: d12022ca18d335ee92a96b409d9d55cf
  • SHA1: 4c6e97447466c3615b8b564d928ae95461717947
  • SHA256: 475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220
  • SHA512: 1334717e0dba0246a9f1ac5f645d67ddcfa1a259e934dae54fb4fabc7fd72638dacabb2d5d3c6cd0b91c8a3270a3a3eb35fed34c15e5c608fd70eee69e358f38
  • SSDEEP: 6144:pfzfih0m+3no6/PNLf2FNoDCSAbWnkkdylvez5LPh5O3a7M8nY4S3aIAATf6GfcE:pfwnJEkXUVPh8K7s3d3TmCtYY7LBZw

Malware Config

Extracted

  • Family: blustealer
  • C2: https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Targets

    • Target: 475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220.exe
    • Size: 777KB
    • MD5: d12022ca18d335ee92a96b409d9d55cf
    • SHA1: 4c6e97447466c3615b8b564d928ae95461717947
    • SHA256: 475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220
    • SHA512: 1334717e0dba0246a9f1ac5f645d67ddcfa1a259e934dae54fb4fabc7fd72638dacabb2d5d3c6cd0b91c8a3270a3a3eb35fed34c15e5c608fd70eee69e358f38
    • SSDEEP: 6144:pfzfih0m+3no6/PNLf2FNoDCSAbWnkkdylvez5LPh5O3a7M8nY4S3aIAATf6GfcE:pfwnJEkXUVPh8K7s3d3TmCtYY7LBZw

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks