General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.1293.27162.15596.exe

  • Size

    660KB

  • Sample

    221209-mjvnssch93

  • MD5

    873bfbea840976bb63f1e7eae546725e

  • SHA1

    7175df3680987e75f1ebb7430c8246400ebf71f4

  • SHA256

    9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f

  • SHA512

    f3916908c555f105c3bc293d7d27e5592381a8586dda4d4771742bb537a84040d9d538447b8d22571d941b0caed9443f264b0bf495a7745fb556d9a7b58cdc87

  • SSDEEP

    6144:k4uIrm6rLfOhXDBkyFhI8OZiLsyJ0If3+Nm3cxgU/ZzU:kv6rLClkyFhI8OZiIyJ1us3cxgU/Zz

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      SecuriteInfo.com.Trojan.PackedNET.1293.27162.15596.exe

    • Size

      660KB

    • MD5

      873bfbea840976bb63f1e7eae546725e

    • SHA1

      7175df3680987e75f1ebb7430c8246400ebf71f4

    • SHA256

      9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f

    • SHA512

      f3916908c555f105c3bc293d7d27e5592381a8586dda4d4771742bb537a84040d9d538447b8d22571d941b0caed9443f264b0bf495a7745fb556d9a7b58cdc87

    • SSDEEP

      6144:k4uIrm6rLfOhXDBkyFhI8OZiLsyJ0If3+Nm3cxgU/ZzU:kv6rLClkyFhI8OZiIyJ1us3cxgU/Zz

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks