General

  • Target

    af79a9b723c54624d8dea2731d129d5fd69c30a77e8244d6b7964f414224ce3f

  • Size

    714KB

  • Sample

    221010-m7ebqabef4

  • MD5

    78f6fb28169a919b41474529ec8a59bc

  • SHA1

    f34f60fe15ef696a0e666d9a32157e695aa334a3

  • SHA256

    af79a9b723c54624d8dea2731d129d5fd69c30a77e8244d6b7964f414224ce3f

  • SHA512

    333aef1e84ccbdc32c4e1016663516c2932be0e5e7f8d4299a5111236f4f8f5ff942686088531b45d0942c0136a71538d39932063844d60ee075a9411080f7d5

  • SSDEEP

    12288:rKa+70n6pT/3Eb47XK6hTBr1pUviaB5jM24QE/+Fz:f+7ZTvEs2ql5AXHjz4Uz

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks