General

  • Target

    SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe

  • Size

    185KB

  • Sample

    221107-l8g9bsbba6

  • MD5

    9511a74b28e3fecc899c07231fa8af5d

  • SHA1

    65f642a4bd81f5f5355bf82fc79f8df2f291a144

  • SHA256

    2cd01ed98525d509bfa350ef7e618a0342b0a4b1214adfe5d9b89696ab645d49

  • SHA512

    a6836225ecd0d54c2916f50f10d8e94326244ca62094082a457092c04edc874b91e055814654df8f137735a52db7ad0a077f629b24bca34784a8708b065ad89a

  • SSDEEP

    1536:pcKHPHdUGOsVUch/1ZjhGIBOrPaOYdSkjiRNqOP3G:LHDSch/71hEbaFSkjiRrP2

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks