General

  • Target: RFQ.gz
  • Size: 466KB
  • Sample: 221130-yw8lzaeb7z
  • MD5: 38eb0f0fb796fa14b1fdddf9937a343e
  • SHA1: b0331d1fa7ff210e6822f9cbdaff5aef761b9af4
  • SHA256: 5ca2237bf4f41e455bb122ec22e4ff1e4c8f19ab9df374d813bec103cf15c8b8
  • SHA512: 457c8855210da408f94665554fdeaa1ba9a7a0d499ab434c1958bdd785605746a806418af2f8549aa30079bd5aab1ce4fd59109608c06f493fd71baaadf2d819
  • SSDEEP: 12288:0Zqczav+uqu7Ijjf5NUYdjUIjH3TB3I6BDYBCM4c8O:00Pv+u7UXRN5djUIjDB39YaO

Malware Config

Extracted

  • Family: blustealer
  • C2: https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Targets

    • Target: RFQ.exe
    • Size: 717KB
    • MD5: adfe5763366becc479e84b0b1269c8cc
    • SHA1: baf4764638d384e5075d453fad14ac0fd85f7790
    • SHA256: 0c2ab8c24c4c1d47f3c1417e5e0fd327336e9a88203e414b94b66e81fa45c316
    • SHA512: e20e62e8cc91b5c713950eef6a9164e649ea1e7c946a600c2e0ef472ee9face6cf675a3636a25a19d5dd8ef93e9b5dbb925584e9d2ed694af37deabad89b5c48
    • SSDEEP: 12288:YoqTTjquLI9jf5NsYdjsEjHnTB3IaBrB04sGNn/lBij2l0/eGRYpyuD8Iy/Je/XG:YoqD7kFRNxdjsEjzB37B04sGNn/lBijT
    • BluStealer: A modular information stealer written in Visual Basic.
    • StormKitty: StormKitty is an open source info stealer written in C#.
    • StormKitty payload
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks