General

  • Target

    GFSBHDHDHDHHD.exe

  • Size

    140KB

  • Sample

    221019-qfjnxahgaj

  • MD5

    35c0717be78278ae5819daea4df7b636

  • SHA1

    77162cdbbb1b8ff5c1cfa8b151f65c3dc3bf0ce0

  • SHA256

    541dcecae2d6ac17d9af5291b3d05cca35631c72279759b8b44c98d54416454f

  • SHA512

    d9826b94d7af1eb792958abb479d55665f3722f298879a104a44a76af0c8531e383f7184d51a1c281b577248800bccd273dc0d50573f39dd78e9fcf03b5dc66c

  • SSDEEP

    3072:M6Iq60Sma/wfKbm3+AHrJuVTBychy4M+3CZG5kKPyA:Uma/wib++0rJuVochyxE

Malware Config

Extracted

  • Family

    blustealer

  • C2

    https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      GFSBHDHDHDHHD.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks