General

  • Target

    182376,PDF.exe

  • Size

    107KB

  • Sample

    221028-jgdeysehe4

  • MD5

    d97e41f8d67fbb966509824bf34191df

  • SHA1

    f7475eee9fe28e196d2d65f4803ffe48a3dc2b26

  • SHA256

    da1affe84e54055e68af38dc7fda253d538925805b563d7a87686338a7b8d0e6

  • SHA512

    1d699ee7f3f537fa3e4ba1510cf19160cf25cbcd1a669bc1316b517f9891bc9fac8cbc332b0d1a6b729c3c1e9a71cd3a3f7331de86d9f633aeac5bbb14921484

  • SSDEEP

    1536:gx/tmQiKh0Ovt0Xo++vw/18AyMMK4MIy+ZmVcl:6tD3OXo+mwNJb4MIy+Z8Y

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5583812995:AAFKzjSLC2-pDvMQ8X47-80XjrRiWrDtxA/sendMessage?chat_id=5434600361

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks