General

  • Target

    COTIZAR_.EXE

  • Size

    19KB

  • Sample

    221019-k1jlrafbd4

  • MD5

    496c17c3ffba9e26c620d7bf6f14ecbf

  • SHA1

    c16449a9b28e207148cc5d6a4a1c28cafb8273ee

  • SHA256

    54aea79392cacfa0125aec072799e235bb3d18f6c45aeba807099fd0b6be873f

  • SHA512

    2840e98115db24f21e04e7e020317bf5daa7fbe0836f2752ff41fdfdd9d7c55d41c869874fa0d2fe5de4b734cc173498d80a9dab3b99a69455874811a093c55f

  • SSDEEP

    384:iyPIfwSaB6m71+Tes8ZpHzGovUJAYkr5kYZFP:iygfwTcesiRPPrk+FP

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
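The extracted C2 is not a custom server but a Telegram Bot API endpoint: the bot token sits in the URL path and the exfiltration destination is the `chat_id` query parameter. The following added example (not code from the report or from the BluStealer sample, which is written in VB/C#) splits such a URL into its components and scans a string blob for further bot tokens. The token shape `<numeric bot id>:<35-character secret>` is assumed from the public Bot API documentation; the `C2` constant is the value from this report.

```python
"""Parse a Telegram Bot API C2 URL and hunt for bot tokens in extracted strings."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed token shape: numeric bot id, colon, 35-character secret.
TOKEN_RE = re.compile(r"bot(\d{8,12}):([A-Za-z0-9_-]{35})")
PATH_RE = re.compile(r"/bot(\d{8,12}):([A-Za-z0-9_-]{35})/(\w+)$")

# C2 URL from the extracted config of this sample.
C2 = ("https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac"
      "/sendMessage?chat_id=5472437377")


def parse_telegram_c2(url):
    """Return bot id, full token, Bot API method and chat_id, or None if the
    URL is not a Telegram Bot API call."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = PATH_RE.match(u.path)
    if not m:
        return None
    query = parse_qs(u.query)
    return {
        "bot_id": m.group(1),
        "token": f"{m.group(1)}:{m.group(2)}",
        "method": m.group(3),
        "chat_id": query.get("chat_id", [None])[0],
    }


def extract_tokens(blob):
    """Find every bot token in a string blob (e.g. strings from a memory dump),
    deduplicated and sorted so the result is stable for reporting."""
    return sorted({f"{bot_id}:{secret}" for bot_id, secret in TOKEN_RE.findall(blob)})


def host_indicators(url):
    """Indicators a defender can actually match on. On the wire only the TLS
    SNI is visible, so the token and chat_id must be matched on the host or at
    a TLS-inspecting proxy."""
    c2 = parse_telegram_c2(url)
    if c2 is None:
        return None
    return {
        "tls_sni": "api.telegram.org",
        "url_path_contains": f"/bot{c2['token']}/",
        "exfil_chat_id": c2["chat_id"],
        "bot_id_for_abuse_report": c2["bot_id"],
    }


if __name__ == "__main__":
    print(parse_telegram_c2(C2))
    print(host_indicators(C2))
```

Because the network-visible indicator is just `api.telegram.org`, which is legitimate traffic in many environments, blocking at DNS or SNI level is a policy decision rather than a signature; the token and `chat_id` are the specific indicators and belong in host-side string scanning, proxy URL logging, or a memory-dump triage step.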

Targets

    • Target

      COTIZAR_.EXE

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
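The signatures above are behavioural: each is a pattern over the API calls the sandbox hooked, and the most specific one (SetThreadContext after a suspended process creation and a remote memory write) is the classic process-hollowing sequence. The following added example, not the sandbox's own signature engine and not code from the sample, re-derives those signatures from a sandbox-style API trace. The trace format, PIDs, paths and hostnames are constructed for this example, and the registry keys, IP-lookup hosts and wallet paths are assumptions about what such signatures match, since the report does not list them.

```python
"""Re-derive the report's behavioural signatures from a constructed API trace."""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit

# Assumed match patterns; the sandbox's exact lists are not on the page.
GEO_KEY_RE = re.compile(r"\\(control panel\\international\\geo|control\\nls\\language)", re.I)
OUTLOOK_KEY_RE = re.compile(r"\\outlook\\profiles\\", re.I)
WALLET_RE = re.compile(r"(wallet\.dat$|\\(electrum|exodus|atomic)\\)", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.dyndns.org", "ip-api.com"}

# Constructed trace: one dict per hooked call, parent PID 1234 hollows child PID 2000.
TRACE = [
    {"pid": 1234, "api": "RegQueryValueExW", "args": {"key": r"HKCU\Control Panel\International\Geo\Nation"}},
    {"pid": 1234, "api": "InternetOpenUrlW", "args": {"host": "api.ipify.org", "url": "https://api.ipify.org/"}},
    {"pid": 1234, "api": "CreateProcessW", "args": {"image": "child.exe", "flags": 0x4, "child_pid": 2000}},
    {"pid": 1234, "api": "WriteProcessMemory", "args": {"target_pid": 2000, "size": 0x4000}},
    {"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 2000}},
    {"pid": 1234, "api": "ResumeThread", "args": {"target_pid": 2000}},
    {"pid": 2000, "api": "RegOpenKeyExW", "args": {"key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"}},
    {"pid": 2000, "api": "CreateFileW", "args": {"path": r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"}},
    # Benign noise: a suspended create that is resumed without any remote write.
    {"pid": 1234, "api": "CreateProcessW", "args": {"image": "helper.exe", "flags": 0x4, "child_pid": 3000}},
    {"pid": 1234, "api": "ResumeThread", "args": {"target_pid": 3000}},
]


def find_hollowing(trace):
    """Child PIDs that went through create-suspended -> remote write ->
    SetThreadContext -> ResumeThread, in that order. A SetThreadContext with no
    prior write, or a suspended create that is simply resumed, does not count."""
    stage = defaultdict(set)
    hollowed = []
    for ev in trace:
        api, args = ev["api"], ev["args"]
        if api == "CreateProcessW" and args.get("flags", 0) & CREATE_SUSPENDED:
            stage[args["child_pid"]].add("suspended")
        elif api in ("WriteProcessMemory", "NtWriteVirtualMemory") and "suspended" in stage[args["target_pid"]]:
            stage[args["target_pid"]].add("written")
        elif api in ("SetThreadContext", "NtSetContextThread") and "written" in stage[args["target_pid"]]:
            stage[args["target_pid"]].add("context")
        elif api in ("ResumeThread", "NtResumeThread") and "context" in stage[args["target_pid"]]:
            hollowed.append(args["target_pid"])
    return hollowed


def match_signatures(trace):
    """Map each signature name from the report to the evidence that fired it."""
    hits = defaultdict(list)
    for ev in trace:
        api, args = ev["api"], ev["args"]
        key = args.get("key", "")
        if api.startswith("Reg") and GEO_KEY_RE.search(key):
            hits["Checks computer location settings"].append(key)
        if api.startswith("Reg") and OUTLOOK_KEY_RE.search(key):
            hits["Accesses Microsoft Outlook profiles"].append(key)
        if api in ("CreateFileW", "NtCreateFile") and WALLET_RE.search(args.get("path", "")):
            hits["Accesses cryptocurrency files/wallets"].append(args["path"])
        if api in ("InternetOpenUrlW", "WinHttpConnect", "getaddrinfo") and args.get("host") in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append(args["host"])
    for pid in find_hollowing(trace):
        hits["Suspicious use of SetThreadContext"].append(pid)
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in match_signatures(TRACE).items():
        print(f"{name}: {evidence}")
```

The hollowing check is stateful on purpose: SetThreadContext alone is used by debuggers and some legitimate loaders, so the signature only fires when the whole sequence targets the same child PID. The other four checks are stateless string matches and are correspondingly noisier; a geo-registry read, for instance, is also done by plenty of legitimate installers, which is why the report hedges with "likely".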
