General

  • Target

    SecuriteInfo.com.Win64.PWSX-gen.31026.16859.exe

  • Size

    175KB

  • Sample

    221130-mjs5zaeh8t

  • MD5

    abe6ca791db534c12bef5ea422084c09

  • SHA1

    3f27e6e2860e37ec43d95e56544baee9d7c5ba2d

  • SHA256

    126f5c52f11be3cd3a1d0abfb756975a103999757b90e64abc5d415d04c6689c

  • SHA512

    7e6c4b33f4ddbb2cd947fa07230e615d2dd5cdb27be3f3b959e51db79646f480c74bbf61decb071a80e5855acfd055b765fe71cc6b1e114f0b5857ef07bb9fb9

  • SSDEEP

    3072:d2mRPME2xzNrb7Hac9VjFGfe/B8bv8zYUvsNs14avcvLtSzqJEVDR:d202xzNf7HauVjFGfmKiYhsGavMLtXEV

Malware Config

Extracted

  • Family

    blustealer

  • C2

    https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks