General
Target: RFQ.gz
Size: 466KB
Sample: 221130-yw8lzaeb7z
MD5: 38eb0f0fb796fa14b1fdddf9937a343e
SHA1: b0331d1fa7ff210e6822f9cbdaff5aef761b9af4
SHA256: 5ca2237bf4f41e455bb122ec22e4ff1e4c8f19ab9df374d813bec103cf15c8b8
SHA512: 457c8855210da408f94665554fdeaa1ba9a7a0d499ab434c1958bdd785605746a806418af2f8549aa30079bd5aab1ce4fd59109608c06f493fd71baaadf2d819
SSDEEP: 12288:0Zqczav+uqu7Ijjf5NUYdjUIjH3TB3I6BDYBCM4c8O:00Pv+u7UXRN5djUIjDB39YaO
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: RFQ.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted: blustealer
https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Targets
Target: RFQ.exe
Size: 717KB
MD5: adfe5763366becc479e84b0b1269c8cc
SHA1: baf4764638d384e5075d453fad14ac0fd85f7790
SHA256: 0c2ab8c24c4c1d47f3c1417e5e0fd327336e9a88203e414b94b66e81fa45c316
SHA512: e20e62e8cc91b5c713950eef6a9164e649ea1e7c946a600c2e0ef472ee9face6cf675a3636a25a19d5dd8ef93e9b5dbb925584e9d2ed694af37deabad89b5c48
SSDEEP: 12288:YoqTTjquLI9jf5NsYdjsEjHnTB3IaBrB04sGNn/lBij2l0/eGRYpyuD8Iy/Je/XG:YoqD7kFRNxdjsEjzB37B04sGNn/lBijT
Score: 10/10
- StormKitty payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext