General
Target: Payslips - Week Ending 19 October 2022.xlsm
Size: 42KB
Sample: 221019-qhs1cshch4
MD5: 4cdbf369aea35107af766f0c4a928dc2
SHA1: 657b4e5c370ace1326b311d251d77bb3dec8a64b
SHA256: ce4298647b014560cc454b87587301f11ffe7478170e7de2af59705ddf87ecc6
SHA512: 54407c6c226d4eba55a0afea35456224a1a9da8742c668810f0e29b112e4364ca7bff1df22257fcf21a9820a1e6e19104cf330c92e5fa5183c26340a8490c912
SSDEEP: 768:gvDsavqssnHOBIJYfTH+niSpyvDHrdv+nWxFFiKk/f+qtmUEURC+nQHwSrH:gvLvqTHOG1BaTrdv+KFFi3/Gq09UHQHH
Static task: static1
Behavioral task: behavioral1
Sample: Payslips - Week Ending 19 October 2022.xlsm
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: Payslips - Week Ending 19 October 2022.xlsm
Resource: win10v2004-20220812-en
Malware Config
Extracted family: blustealer
C2: https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650
Targets
Target: Payslips - Week Ending 19 October 2022.xlsm
Score: 10/10
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- StormKitty payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext