General

  • Target

    xt7veCXp-FiO53wlOYiWrGleDALEQnb8Q4IhiAewHhc.bin

  • Size

    943KB

  • Sample

    221129-qkxrbsfa91

  • MD5

    779aba07d9e38600f5d56b1cdb4b13b3

  • SHA1

    978dbdd1de6938658fd2bb7fa62504bc9854e7df

  • SHA256

    c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17

  • SHA512

    c1cb51a4be7c0c76b038aa22bdb3e171e7a07104ca87195f5dd854bfd56b48d101b630addce08d3bae5b86e6cf6ac82c5ce01cf0d2d1c8254b0f3e6c51a743ad

  • SSDEEP

    12288:njm1ajgVIqHZCWRehw84H+ZzF0ImT9JfeDH8EM1xr:cajysjhw+MImTbfmrwxr

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

    • Target

      xt7veCXp-FiO53wlOYiWrGleDALEQnb8Q4IhiAewHhc.bin

    • Size

      943KB

    • MD5

      779aba07d9e38600f5d56b1cdb4b13b3

    • SHA1

      978dbdd1de6938658fd2bb7fa62504bc9854e7df

    • SHA256

      c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17

    • SHA512

      c1cb51a4be7c0c76b038aa22bdb3e171e7a07104ca87195f5dd854bfd56b48d101b630addce08d3bae5b86e6cf6ac82c5ce01cf0d2d1c8254b0f3e6c51a743ad

    • SSDEEP

      12288:njm1ajgVIqHZCWRehw84H+ZzF0ImT9JfeDH8EM1xr:cajysjhw+MImTbfmrwxr

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks