General

  • Target

    Adjunto comprobante de transferencia.bin.zip

  • Size

    132KB

  • Sample

    221018-j874msfba3

  • MD5

    c60fbca5f71a80277172a484696e45da

  • SHA1

    6f4363200595f16a199f525d1d79f957f9bf6de3

  • SHA256

    6ee0666ac13cde16eed1e8ac0fed35481958e386143a319cd8d2473f2b947990

  • SHA512

    5d73ebf3f48a9719177ee895072c279b06151694e0b8cc090447f52ab905bbbf11638b91bc07147996bf225d1e13646e762dfbf194a0a6228ef52d03af7a7cb8

  • SSDEEP

    3072:QTjNrVhmlx2Q6sR+hkixRxto7f2S6zBvnG1Xg:QFhQ6sWDto7f2b41w

Malware Config

  • Extracted

    • Family

      blustealer

    • C2

      https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      Adjunto comprobante de transferencia.bin

    • Size

      144KB

    • MD5

      66cb0bdbdad8b6f432fec880e8f30139

    • SHA1

      e0c501a8d1a6c85a5e534b83a52bc2feda43d6b5

    • SHA256

      3dd0236bc47173fb5b7f6cddd06d5ca36bb00431f3eb0f4e641ac58e9244222e

    • SHA512

      87d69debe9c7cea39fadfb021ab1688cf67d6340b6d0f658d1a42746a18b5e33f583f13312ced950d7da7bd7070db892db1b06756da17622fe2ab7d07601fd36

    • SSDEEP

      3072:VcHL0ZrxLvY9i7NeKw4MNaCJYctsJVJRxODdIjGiC7okl4SA:KQfeBNNNKJV/xs9in

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks