General

  • Target: 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe
  • Size: 856KB
  • Sample: 221020-y87kfadcdj
  • MD5: e3c3961c460143a9ecf527e1821b89cc
  • SHA1: db1b4f8b3383eee78296cc69d3d101a2a23012ca
  • SHA256: 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5
  • SHA512: a439568155ebf0e85eee3104fe98e9001141f8a8e5178b7e011c5c24554b8eb8f2a734c60b68bea05bf9170fa3001a081a93233de2d2f5414e1b1f4e607c59c9
  • SSDEEP: 12288:yPLQR/4veFNM4rKd3zIEEqBSP3JJxP7xINKJhJf3wZh:g+4vevrXH7P3vxP7xINOP

Malware Config

Extracted

  • Family: blustealer
  • C2: https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Targets

    • Target: 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe (size and hashes as listed under General above)


    • BluStealer: a modular information stealer written in Visual Basic.
    • StormKitty: an open-source information stealer written in C#.
    • StormKitty payload
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks