blustealer | 5fcd4e3a9fcbd19f89d73919311d52abdcf95994123942ac533e60a9f198e1d6 | Triage

Submit
Reports

Overview

overview

Static

static

palmicc.exe

windows7-x64

palmicc.exe

windows10-2004-x64

Sharing

General

Target

palmicc.exe
Size

144KB
Sample

221116-jtn28adf4t
MD5

21080c64225c8f730626c293703cc378
SHA1

574eb72eefc0264c2149daae53fd26c5494b6071
SHA256

5fcd4e3a9fcbd19f89d73919311d52abdcf95994123942ac533e60a9f198e1d6
SHA512

1114cdbd08afba2798a61c3b600a0781290bea0497c243e97bc27f0983627e98e0452df1640f7799c184fe0d57a9e5199f37edc10208e9b37cb6a9555f3b2942
SSDEEP

1536:r65/Zws3kTnvzbhNBPmxue2SRQg0dkEwiqoVioOO4yX5t4l7yYipCa:r69ZTkLfhjFSiO3ocO4yX34lmYg9

Score

10^/10

blustealer stormkitty collection spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

palmicc.exe

Resource

win7-20221111-en

stormkitty collection spyware stealer

windows7-x64

13 signatures

60 seconds

Behavioral task

behavioral2

Sample

palmicc.exe

Resource

win10v2004-20221111-en

stormkitty collection spyware stealer

windows10-2004-x64

13 signatures

60 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

- Target
  
  palmicc.exe
- Size
  
  144KB
- MD5
  
  21080c64225c8f730626c293703cc378
- SHA1
  
  574eb72eefc0264c2149daae53fd26c5494b6071
- SHA256
  
  5fcd4e3a9fcbd19f89d73919311d52abdcf95994123942ac533e60a9f198e1d6
- SHA512
  
  1114cdbd08afba2798a61c3b600a0781290bea0497c243e97bc27f0983627e98e0452df1640f7799c184fe0d57a9e5199f37edc10208e9b37cb6a9555f3b2942
- SSDEEP
  
  1536:r65/Zws3kTnvzbhNBPmxue2SRQg0dkEwiqoVioOO4yX5t4l7yYipCa:r69ZTkLfhjFSiO3ocO4yX34lmYg9
Score

10^/10

stormkitty collection spyware stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

stormkittycollectionspywarestealer

behavioral2

stormkittycollectionspywarestealer

© 2018-2024

Terms | Privacy