General

  • Target

    COTIZAR EL PEDIDO2022.IMG

  • Size

    1.2MB

  • Sample

    221019-kyy9esfbc9

  • MD5

    32079e0d5df81b1acc72c5cc01c2e1c7

  • SHA1

    4a54079242890f8a6eba7aaee2c3bd11767463d4

  • SHA256

    ffbfee81490d1ff3b7a33aeaac56ef01dcb0b533c13b0d7bb43be3c5e0155212

  • SHA512

    e3333b84353fd56a1570ffd90f528ce20d2da0180e921701674cd335bb8c7190c9265a26b2ce650d85c7fde4f81e32c69faf9a9fde745ec9d08566f8286fb11c

  • SSDEEP

    384:KUzmyPIfwSaB6m71+Tes8ZpHzGovUJAYkr5kYZF:kygfwTcesiRPPrk+F

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
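The C2 above is not a custom server but the Telegram Bot API: an HTTPS POST/GET to api.telegram.org with the bot token (numeric bot id, a colon, then the secret part) in the URL path and the destination chat in the query string. Both values are hard-coded in the sample, so the token is the most durable network indicator the report gives you. The following Python is an added example written for this page, not code from the report or from the malware: it splits a Bot API URL into the fields an analyst pivots on and runs that parser over a few constructed proxy log lines (the key=value log format, the hostnames `ip-lookup.example` and the process `updater.exe` are assumptions) to flag every Bot API call and mark those whose bot id matches the extracted configuration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 URL exactly as extracted from the sample's configuration in the report.
C2_URL = ("https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac"
          "/sendMessage?chat_id=5472437377")

# Bot API paths look like /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Return the analyst-relevant fields of a Telegram Bot API URL,
    or None if the URL is not a Bot API call at all."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
    }


# Constructed sample proxy log lines (assumed key=value format, not real telemetry).
SAMPLE_PROXY_LOG = [
    "ts=2022-10-19T13:02:11Z host=WS01 proc=COTIZAR_.EXE dst=api.telegram.org url=" + C2_URL,
    "ts=2022-10-19T13:02:12Z host=WS01 proc=chrome.exe dst=web.telegram.org "
    "url=https://web.telegram.org/k/",
    "ts=2022-10-19T13:04:40Z host=WS07 proc=updater.exe dst=api.telegram.org "
    "url=https://api.telegram.org/bot1234567890:AAEconstructedtoken/sendDocument",
    "ts=2022-10-19T13:05:00Z host=WS01 proc=COTIZAR_.EXE dst=ip-lookup.example "
    "url=https://ip-lookup.example/",
]

LOG_URL = re.compile(r"\burl=(\S+)")
LOG_PROC = re.compile(r"\bproc=(\S+)")


def find_telegram_bot_traffic(lines, known_bot_ids=frozenset()):
    """Flag every Bot API call in the log; mark hits whose bot id is a known C2.
    Any Bot API call from a non-messaging process is worth a look, so both
    known and unknown bot ids are reported, distinguished by 'known_c2'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_URL.search(line)
        if not m:
            continue
        c2 = parse_telegram_c2(m.group(1))
        if c2 is None:
            continue
        proc = LOG_PROC.search(line)
        hits.append({
            "line": lineno,
            "proc": proc.group(1) if proc else None,
            "bot_id": c2["bot_id"],
            "method": c2["method"],
            "chat_id": c2["chat_id"],
            "known_c2": c2["bot_id"] in known_bot_ids,
        })
    return hits


if __name__ == "__main__":
    config = parse_telegram_c2(C2_URL)
    known = {config["bot_id"]}
    for hit in find_telegram_bot_traffic(SAMPLE_PROXY_LOG, known):
        print(hit)
```

Two caveats when turning this into a production detection. The traffic is TLS to a legitimate, widely used domain, so the path (and therefore the token) is only visible with TLS inspection or an authenticating proxy; without that you see DNS/SNI for api.telegram.org and have to correlate on the endpoint side (which process opened the connection). And the bot id is the durable part of the indicator: the operator can revoke the secret and get a new one from BotFather, but a new secret keeps the same numeric id, while a new bot gets a new id.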

Targets

    • Target

      COTIZAR_.EXE

    • Size

      19KB

    • MD5

      496c17c3ffba9e26c620d7bf6f14ecbf

    • SHA1

      c16449a9b28e207148cc5d6a4a1c28cafb8273ee

    • SHA256

      54aea79392cacfa0125aec072799e235bb3d18f6c45aeba807099fd0b6be873f

    • SHA512

      2840e98115db24f21e04e7e020317bf5daa7fbe0836f2752ff41fdfdd9d7c55d41c869874fa0d2fe5de4b734cc173498d80a9dab3b99a69455874811a093c55f

    • SSDEEP

      384:iyPIfwSaB6m71+Tes8ZpHzGovUJAYkr5kYZFP:iygfwTcesiRPPrk+FP

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common process-injection primitive (for example process hollowing, where a suspended process's entry point is redirected before it resumes).
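The SSDEEP values for the 1.2 MB .IMG and the 19 KB COTIZAR_.EXE it carries share the same block size (384) and almost every chunk character, which is consistent with the image being little more than a container around the executable: ssdeep halves the block size until it finds enough trigger points, so a large file that is mostly filler ends up hashed at a block size appropriate for its real content. The following Python is an added example written for this page, not the report's tooling and not the ssdeep library: it reimplements the comparison half of the published ssdeep algorithm (block-size compatibility, the 7-character common-substring gate, a weighted edit distance scaled to 0..100) so the two hashes above can be scored offline and the reader can see where the score comes from. For real work use the ssdeep library; this reimplementation follows the reference logic but is not guaranteed to agree with it in every edge case.

```python
ROLLING_WINDOW = 7   # two chunks must share a substring this long to score at all
SPAMSUM_LENGTH = 64  # maximum chunk length in an ssdeep hash
MIN_BLOCKSIZE = 3

# Hashes copied from the report: the .IMG lure and the .EXE it carries.
IMG_SSDEEP = "384:KUzmyPIfwSaB6m71+Tes8ZpHzGovUJAYkr5kYZF:kygfwTcesiRPPrk+F"
EXE_SSDEEP = "384:iyPIfwSaB6m71+Tes8ZpHzGovUJAYkr5kYZFP:iygfwTcesiRPPrk+FP"


def eliminate_sequences(s):
    """ssdeep ignores runs longer than 3 of the same character before scoring."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def parse_ssdeep(h):
    """Split 'blocksize:chunk1:chunk2[,"filename"]' into its parts."""
    h = h.split(",", 1)[0]
    blocksize, chunk1, chunk2 = h.split(":", 2)
    return int(blocksize), eliminate_sequences(chunk1), eliminate_sequences(chunk2)


def has_common_substring(a, b):
    """Gate: at least one ROLLING_WINDOW-length substring must occur in both."""
    return any(a[i:i + ROLLING_WINDOW] in b for i in range(len(a) - ROLLING_WINDOW + 1))


def edit_distance(a, b):
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2,
    the weighting ssdeep uses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                        # delete ca
                           cur[j - 1] + 1,                     # insert cb
                           prev[j - 1] + (0 if ca == cb else 2)))  # substitute
        prev = cur
    return prev[-1]


def score_strings(s1, s2, block_size):
    """Scale the edit distance to a 0..100 similarity, as ssdeep does."""
    if len(s1) > SPAMSUM_LENGTH or len(s2) > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(s1, s2):
        return 0
    score = edit_distance(s1, s2)
    score = score * SPAMSUM_LENGTH // (len(s1) + len(s2))
    score = 100 * score // SPAMSUM_LENGTH
    score = 100 - score
    # Small block sizes would exaggerate a match, so cap the score there.
    if block_size >= (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // ROLLING_WINDOW:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(s1), len(s2)))


def compare_ssdeep(h1, h2):
    """0..100 similarity of two ssdeep hashes; 0 if their block sizes are
    neither equal nor one double the other."""
    bs1, a1, b1 = parse_ssdeep(h1)
    bs2, a2, b2 = parse_ssdeep(h2)
    if bs1 == bs2:
        if a1 == a2 and b1 == b2:
            return 100
        return max(score_strings(a1, a2, bs1), score_strings(b1, b2, bs1))
    if bs1 == 2 * bs2:
        return score_strings(a1, b2, bs1)
    if 2 * bs1 == bs2:
        return score_strings(b1, a2, bs2)
    return 0


if __name__ == "__main__":
    print("IMG vs EXE:", compare_ssdeep(IMG_SSDEEP, EXE_SSDEEP))
```

The two hashes score 93 under this reimplementation: the only differences are a few characters at the ends of each chunk, which is where the container's own metadata sits. The gate is worth remembering when you hunt with fuzzy hashes: once no 7-character run survives in the chunk strings the score drops straight to 0, and hashes whose block sizes differ by more than a factor of two are not comparable at all, so a repacked or heavily padded variant can be related in practice yet score 0.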

MITRE ATT&CK Enterprise v6

Tasks