General

  • Target

    dad0d104a652c82b4b0d0b9754b1528a6ec1d68a6bf9f21e7a9cb49c6c2501f9.exe

  • Size

    755KB

  • Sample

    221010-nevcxabgdr

  • MD5

    d490726d76a507a9ac7a4dfaf7bf40e6

  • SHA1

    6ca8c6e26b79c90681a7d0d60b904128852de9ad

  • SHA256

    dad0d104a652c82b4b0d0b9754b1528a6ec1d68a6bf9f21e7a9cb49c6c2501f9

  • SHA512

    bbfbe614d8e5dbf7f909d6a06eeffb35f1536d951885c41dd69f9030e334159464c74d41a8d8845892fdf897627e4b23c632b0e12de46610a524e88988cba813

  • SSDEEP

    12288:3Eas0qVbqJYhl669sg1Sv4nNRfm+zk19ovX9iE:qVbqJorSSSv8IjUX9iE

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks