blustealer | 946fa8826403d58c6694d18b89af7bf80c078f792f9aae820ac9ced395450f63 | Triage

Submit
Reports

Overview

overview

Static

static

New_Inquiry.scr.exe

windows7-x64

New_Inquiry.scr.exe

windows10-2004-x64

Sharing

General

Target

New_Inquiry.scr.exe
Size

622KB
Sample

221117-vgtmqaba2z
MD5

839d91ad6b1ad96150fb2c31431ab21b
SHA1

51bc3becc236098b9fee553a6f811dab513f585a
SHA256

946fa8826403d58c6694d18b89af7bf80c078f792f9aae820ac9ced395450f63
SHA512

29fc5bc119543053f12a3018fea5171d55216c63bd5ad317c897450ee7d8420dd753d8ec843ca4fbb5446ee3cd10daf7f326748283a00f93e2d5ec9d7cd7e30f
SSDEEP

12288:81w6sNLoD5jDqHBNfoD3UbRUPXzER/U/5s5BhcjZnbCkI:Kw67DYPbubEe/5djZnbCkI

Score

10^/10

blustealer stormkitty collection evasion stealer

Static task

static1

Behavioral task

behavioral1

Sample

New_Inquiry.scr.exe

Resource

win7-20221111-en

blustealer stormkitty collection evasion stealer

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

New_Inquiry.scr.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection evasion stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

- Target
  
  New_Inquiry.scr.exe
- Size
  
  622KB
- MD5
  
  839d91ad6b1ad96150fb2c31431ab21b
- SHA1
  
  51bc3becc236098b9fee553a6f811dab513f585a
- SHA256
  
  946fa8826403d58c6694d18b89af7bf80c078f792f9aae820ac9ced395450f63
- SHA512
  
  29fc5bc119543053f12a3018fea5171d55216c63bd5ad317c897450ee7d8420dd753d8ec843ca4fbb5446ee3cd10daf7f326748283a00f93e2d5ec9d7cd7e30f
- SSDEEP
  
  12288:81w6sNLoD5jDqHBNfoD3UbRUPXzER/U/5s5BhcjZnbCkI:Kw67DYPbubEe/5djZnbCkI
Score

10^/10

blustealer stormkitty collection evasion stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionevasionstealer

behavioral2

blustealerstormkittycollectionevasionstealer

© 2018-2024

Terms | Privacy