General

  • Target

    09876789.PDF.ISO.zip

  • Size

    499KB

  • Sample

    221027-rmvkescdgk

  • MD5

    08aaf0c554929b6a9f030561e2e1617b

  • SHA1

    858540fec5a75500172ce18ca645fcb2d5f159eb

  • SHA256

    66aba750defce5cd91b0b49e1d220dee17eb71ec88ced2743c7990ef10c15da4

  • SHA512

    21d9660f10c0e59d40608eabde125e14c00d89538debfbd447d1ae060d298ff705d2df11c20a44176369a3a43783b2b6e823c7ece851dc300d0f639d7d545930

  • SSDEEP

    12288:OilmQN3TiKYs8ecDrhCw5+lq1/zwu/OiwbZ39o1Bl7BJGhG:pkQ0KYs8fF5+ly7L/OZ3yBb4hG

Malware Config

Targets

    • Target

      09876789.exe

    • Size

      534KB

    • MD5

      059ad08d9e8eef31013b815016bf2c50

    • SHA1

      ec7aca3235e337104cae18b08519445907e33400

    • SHA256

      7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571

    • SHA512

      5f496575852ca180ca92df1aeaa221613259d1666936c37602f5ca605a24b8dc3394cb0323683bfef257f9b71e9235984482482df237afe4cf59ed232a30ff68

    • SSDEEP

      12288:lnC3ziKYs6O6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGH1:ln5KYs6ZlT+lQTD/O3BArRCH1

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks