General

  • Target

    cacdd063765d8392c5170288190233117fd8c99fee8290613c0834f4e1f4fa83.exe

  • Size

    1.0MB

  • Sample

    221021-we54eahddn

  • MD5

    4d978699b2bfe1caa498959e6f8d24c6

  • SHA1

    5b3741f09c2a9a43deaa46ed96df18d01c7813c6

  • SHA256

    cacdd063765d8392c5170288190233117fd8c99fee8290613c0834f4e1f4fa83

  • SHA512

    4a9fd3e03d0c1dae3edd3caaf11cd0d38bc2a15609ace7998bdd151d0ef80a70d7928418db4dfbd63af7e743fccb64df45bad6ec4f9017209d92e805d0f9e040

  • SSDEEP

    24576:Nqymo1qR8bFCvTsBmx8NMMnGNHR3kQKSBm:Nq6QBwBmx8mCkJkmg

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

    • Target

      cacdd063765d8392c5170288190233117fd8c99fee8290613c0834f4e1f4fa83.exe

    • Size

      1.0MB

    • MD5

      4d978699b2bfe1caa498959e6f8d24c6

    • SHA1

      5b3741f09c2a9a43deaa46ed96df18d01c7813c6

    • SHA256

      cacdd063765d8392c5170288190233117fd8c99fee8290613c0834f4e1f4fa83

    • SHA512

      4a9fd3e03d0c1dae3edd3caaf11cd0d38bc2a15609ace7998bdd151d0ef80a70d7928418db4dfbd63af7e743fccb64df45bad6ec4f9017209d92e805d0f9e040

    • SSDEEP

      24576:Nqymo1qR8bFCvTsBmx8NMMnGNHR3kQKSBm:Nq6QBwBmx8mCkJkmg

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks