General
- Target: TXAUCYB.EXE.exe
- Size: 21KB
- Sample: 221019-mv5m5sfcd7
- MD5: e2a5f92b1a73e9637e035d65cfc44e51
- SHA1: 7c27fd80421f732ab36c583c0fb709703da48c52
- SHA256: ab9ca095a67588bf3dd26d2531b38cc5d5a2837ffc1b08859bf31538a414362e
- SHA512: ec7fbd159fa3638fc5b1b828c84185b93ddb3c7c7c589c3a65054a57a868e1f6c552f0455cd67dc7e70f0076ba904e19a2aa23ecf3260a1921bb3d326cf23d81
- SSDEEP: 384:PZcW7LjumpBLqQFtXBMh2+DGi0mZqNewLrKcC/kXjRqmxWE4OB/uc2v42A:bfqQFtY2G4mIewLCsXjwmxWtOB/ucCA
Static task
- static1
Behavioral task
- behavioral1: Sample TXAUCYB.EXE.exe, Resource win7-20220901-en
- behavioral2: Sample TXAUCYB.EXE.exe, Resource win10v2004-20220812-en
Malware Config
Extracted
- blustealer
- https://api.telegram.org/bot5583812995:AAFKzjSLC2-pDvMQ8X47-80XjrRiWrDtxA/sendMessage?chat_id=5434600361
Targets
- Target: TXAUCYB.EXE.exe
- Size: 21KB
- MD5: e2a5f92b1a73e9637e035d65cfc44e51
- SHA1: 7c27fd80421f732ab36c583c0fb709703da48c52
- SHA256: ab9ca095a67588bf3dd26d2531b38cc5d5a2837ffc1b08859bf31538a414362e
- SHA512: ec7fbd159fa3638fc5b1b828c84185b93ddb3c7c7c589c3a65054a57a868e1f6c552f0455cd67dc7e70f0076ba904e19a2aa23ecf3260a1921bb3d326cf23d81
- SSDEEP: 384:PZcW7LjumpBLqQFtXBMh2+DGi0mZqNewLrKcC/kXjRqmxWE4OB/uc2v42A:bfqQFtY2G4mIewLCsXjwmxWtOB/ucCA
Signatures
- StormKitty payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Creates a large amount of network flows: This may indicate a network scan to discover remotely running services.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext