General

  • Target

    4a4ce6ec040bc9218e968e392a46a9e19380bf8be1bc7f989715e2d53770c77f

  • Size

    871KB

  • Sample

    221012-sxjfkshdf8

  • MD5

    48ed3a5b89df4c83f43c231d190c4726

  • SHA1

    7acba69249c5081577c60d5e05c5b96ffc3bf1de

  • SHA256

    4a4ce6ec040bc9218e968e392a46a9e19380bf8be1bc7f989715e2d53770c77f

  • SHA512

    d1a89fa9fdbe13912a45a69084bd14a3ad593106b061e55c872d7985407e118da33741db81de4565b99d613db139bf3cd32c33ed015a73bf82582ed0d8cddc38

  • SSDEEP

    6144:1Rlbcr0FdRmvct7YOjTZGN6O46h5iIWROT+e1L1ludK0INglez2YNnIkta8mhiKS:d3pz05iveBludK0EhNIkQ900pw3bK

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks