General

  • Target

    PEDIDO NOVIEMBRE_29-11-22.exe

  • Size

    152KB

  • Sample

    221129-kap1vaca28

  • MD5

    d0d391c303b24cbd513b9ebae7a6b129

  • SHA1

    c157d3d7e445dc82b60c354f8f2e098b55c7f162

  • SHA256

    f483db634b30a9f6bc88ff71dbddcf9f7b3fdca4de047386415da681b5e35685

  • SHA512

    a490ea7260abd922cfc5b00c3b9b0b59e66ab34bd37a8e77650782b7943b40cbee28f0eb3a1317379fb30accbb6c6af1fc8511a961f243cffa80404fbb3aea48

  • SSDEEP

    3072:E3rXF6PQysW7XnXifYO1FL7/52Df/vIAwtkBXf6DVqb:YXFvLWXIHfL7/52Df/ANkBXf6

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      PEDIDO NOVIEMBRE_29-11-22.exe

    • Size

      152KB

    • MD5

      d0d391c303b24cbd513b9ebae7a6b129

    • SHA1

      c157d3d7e445dc82b60c354f8f2e098b55c7f162

    • SHA256

      f483db634b30a9f6bc88ff71dbddcf9f7b3fdca4de047386415da681b5e35685

    • SHA512

      a490ea7260abd922cfc5b00c3b9b0b59e66ab34bd37a8e77650782b7943b40cbee28f0eb3a1317379fb30accbb6c6af1fc8511a961f243cffa80404fbb3aea48

    • SSDEEP

      3072:E3rXF6PQysW7XnXifYO1FL7/52Df/vIAwtkBXf6DVqb:YXFvLWXIHfL7/52Df/ANkBXf6

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks