General

  • Target

    af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe

  • Size

    644KB

  • Sample

    221020-s6l8tscbg8

  • MD5

    2291920ad0a80650cba8a6d8e62fca40

  • SHA1

    f2f42f00f1c9337636f9615e0eebd38d86b46f14

  • SHA256

    af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103

  • SHA512

    2c793123997b31f7ae8b94d4ffbb8d8e2fffbbd35da0f8f0b6f5e1c326a71cd0e4431c276ff2fc470f2f77d57343259f6b07036a2c6a0319958416ae53470245

  • SSDEEP

    12288:D+cPxGu+EjNjdUeJ2IZWAtb5xgtk5Atl3vF9uMW9e3fdn:HGzExjOejXxYkKdN9ck1n

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks