General

  • Target

    Payslips - Week Ending 19 October 2022.xlsm

  • Size

    42KB

  • Sample

    221019-qhs1cshch4

  • MD5

    4cdbf369aea35107af766f0c4a928dc2

  • SHA1

    657b4e5c370ace1326b311d251d77bb3dec8a64b

  • SHA256

    ce4298647b014560cc454b87587301f11ffe7478170e7de2af59705ddf87ecc6

  • SHA512

    54407c6c226d4eba55a0afea35456224a1a9da8742c668810f0e29b112e4364ca7bff1df22257fcf21a9820a1e6e19104cf330c92e5fa5183c26340a8490c912

  • SSDEEP

    768:gvDsavqssnHOBIJYfTH+niSpyvDHrdv+nWxFFiKk/f+qtmUEURC+nQHwSrH:gvLvqTHOG1BaTrdv+KFFi3/Gq09UHQHH

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650

Targets

    • Target

      Payslips - Week Ending 19 October 2022.xlsm

    • BluStealer

      A modular information stealer written in Visual Basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks