General

  • Target

    e2419d65e2d88ed19b494daaccc05712.exe

  • Size

    105KB

  • Sample

    221021-km5xtsbhbp

  • MD5

    e2419d65e2d88ed19b494daaccc05712

  • SHA1

    3e3db7a4f0beafa3c41827020b76b20d27cb6767

  • SHA256

    8d07cd7ceb888ec77c8f28fc6f3e61791605c4c2cdaad7ff31450cb9c94358fd

  • SHA512

    eade4b4d24b17a95cb0f6163ee2c3df5442f3581ca11a68ee831e436c3f2f95e2fadf833d128b03ac40f6bb6d637ed53792c04ee43eedf397301a0ce9d010109

  • SSDEEP

    3072:9Cc53RIZ2BtFUQd7JrnQjm7szl7sC7wwn:lIZ25UUQj9zl7I

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650

Targets

    • Target

      e2419d65e2d88ed19b494daaccc05712.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6