General

  • Target

    TXAUCYB.EXE.exe

  • Size

    21KB

  • Sample

    221019-mv5m5sfcd7

  • MD5

    e2a5f92b1a73e9637e035d65cfc44e51

  • SHA1

    7c27fd80421f732ab36c583c0fb709703da48c52

  • SHA256

    ab9ca095a67588bf3dd26d2531b38cc5d5a2837ffc1b08859bf31538a414362e

  • SHA512

    ec7fbd159fa3638fc5b1b828c84185b93ddb3c7c7c589c3a65054a57a868e1f6c552f0455cd67dc7e70f0076ba904e19a2aa23ecf3260a1921bb3d326cf23d81

  • SSDEEP

    384:PZcW7LjumpBLqQFtXBMh2+DGi0mZqNewLrKcC/kXjRqmxWE4OB/uc2v42A:bfqQFtY2G4mIewLCsXjwmxWtOB/ucCA

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5583812995:AAFKzjSLC2-pDvMQ8X47-80XjrRiWrDtxA/sendMessage?chat_id=5434600361

Targets

    • Target

      TXAUCYB.EXE.exe

    • Size

      21KB

    • MD5

      e2a5f92b1a73e9637e035d65cfc44e51

    • SHA1

      7c27fd80421f732ab36c583c0fb709703da48c52

    • SHA256

      ab9ca095a67588bf3dd26d2531b38cc5d5a2837ffc1b08859bf31538a414362e

    • SHA512

      ec7fbd159fa3638fc5b1b828c84185b93ddb3c7c7c589c3a65054a57a868e1f6c552f0455cd67dc7e70f0076ba904e19a2aa23ecf3260a1921bb3d326cf23d81

    • SSDEEP

      384:PZcW7LjumpBLqQFtXBMh2+DGi0mZqNewLrKcC/kXjRqmxWE4OB/uc2v42A:bfqQFtY2G4mIewLCsXjwmxWtOB/ucCA

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks