General

  • Target

    9980dfcbb40e06f805dc8ad0d33d5ba063bf914e54f15f3b42d16aa494eafc45.exe

  • Size

    780KB

  • Sample

    221010-nsv7csbfd7

  • MD5

    a4d36cd35902d578b47f4df2fc122f89

  • SHA1

    2786e84c4f4a32a2113061c4798109f78e36f001

  • SHA256

    9980dfcbb40e06f805dc8ad0d33d5ba063bf914e54f15f3b42d16aa494eafc45

  • SHA512

    76fd3ed7609deb143e4c490bb40defc5473d9e164cda1bc9e2d3b58ecbb9b9d7cad52696503e3ef7d17a13797eedd734d6e8f1c9dbe8ccb0da1183d2426921da

  • SSDEEP

    12288:i/8LhfMZtCa6VjHv06y62IfpsrQxq6naK9A4Sp:TlTfp2IsAlna2Sp

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

    • Target

      9980dfcbb40e06f805dc8ad0d33d5ba063bf914e54f15f3b42d16aa494eafc45.exe


    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks