General

  • Target

    18112022365.scr.exe

  • Size

    229KB

  • Sample

    221118-zpaa9sgb94

  • MD5

    2c948d99fb2c74bc2e1065a83c9ac423

  • SHA1

    5e6443132bb31fff16d94f823bc3df467de8dc84

  • SHA256

    9111218e89daf7e547af7777d2cde1fe35e029c1eff85f991349308a51af3d3d

  • SHA512

    6fffcc394750b99a57f438eef410333b941ced543126b2aa69ceade7b56136742104aeada34a46b7dfe090184ced384975a14b71721718c3d87ea3ccd00f3fab

  • SSDEEP

    3072:F0k+T6gqPPIvuvHQFpaIYkKEPIFJzE17vt:F59HsaIYkb

Malware Config

Extracted

  • Family

    blustealer

  • C2

    https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

    • Target

      18112022365.scr.exe

    • Size

      229KB

    • MD5

      2c948d99fb2c74bc2e1065a83c9ac423

    • SHA1

      5e6443132bb31fff16d94f823bc3df467de8dc84

    • SHA256

      9111218e89daf7e547af7777d2cde1fe35e029c1eff85f991349308a51af3d3d

    • SHA512

      6fffcc394750b99a57f438eef410333b941ced543126b2aa69ceade7b56136742104aeada34a46b7dfe090184ced384975a14b71721718c3d87ea3ccd00f3fab

    • SSDEEP

      3072:F0k+T6gqPPIvuvHQFpaIYkKEPIFJzE17vt:F59HsaIYkb

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks