General

  • Target

    8223906122.zip

  • Size

    797KB

  • Sample

    221013-y3rxsscehn

  • MD5

    569c3fd9448b293cf111b5069203769f

  • SHA1

    010a9f2af2e95022d5330aa24006ce05e8e5964b

  • SHA256

    46e9dd942a0ac14a2d73e9058997275cd3cbdb024fded3598f9970c98b31becf

  • SHA512

    de6528be0740df498b6cf35890fe50a11687f88c48ba57ee263b0a0e0ad1e1c4adde30772369f808ec931cabfacc0865622a75c7861d10550d33c0f34b4dce8a

  • SSDEEP

    12288:Za/Lv2wm4tBtDvJi282YlccaI+5b1StB4czdxWAzjQ93wtHGE95Ni8GWMwRlaSB5:8C03vMacazStB4e/Qk7TaWmPiZqY+m

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5402813712:AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4/sendMessage?chat_id=5034680713

Targets

    • Target

      account.exe

    • Size

      834KB

    • MD5

      ed087331c9c97859d6d30bca5245b42d

    • SHA1

      6f1f422171174486c9de328041a0606273b763aa

    • SHA256

      15af08408332677507425dd21c6e04fa469e1129c21dc9ae2d830cc5c8aa0642

    • SHA512

      336290c2b7b578fd9022b8d2b5708f27be6e56a8ac2cdcc2369a705896ad00a6920c76d295f24715c3063de4e71e7829cccd80a1c63558dc662b7544522daf0a

    • SSDEEP

      12288:nF75eRgPwqoXY+mzoRtbvRT7PJ7Na+6ZmvatTu7Fm8gAxYS6L9ETD:nZ5wXY+mzo3bv/Ra+CmiRusyYD

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks