blustealer | 5d1d48e562d8aa8f1da58485b809b0642a6eec54d043c183d7519020214232af | Triage

Submit
Reports

Overview

overview

Static

static

Comprobant...cia.js

windows7-x64

8

Comprobant...cia.js

windows10-2004-x64

Sharing

General

Target

Comprobante transferencia.js
Size

9KB
Sample

221219-j9kdzahe91
MD5

b6c2df8872800fb0ff88a0a8e18d30cd
SHA1

7f4c653be69760ba00e27eed161a7357095e2766
SHA256

5d1d48e562d8aa8f1da58485b809b0642a6eec54d043c183d7519020214232af
SHA512

9fca0dae9ae82ab230c54f8c5c9e73376918198ec5613685b3438fd37a60f352f441c141b105b596d35464c9dfe9c386b7e291f446e0b4b8323ffafadcbba1fe
SSDEEP

192:yxl1ldLn3HPgwaNjoymWe+UtEM6TKAkXqoKCpltawnbqbMzJDuDm5cttDgpjDjdW:oLrCsyzeLtEMZ/qojlhbqbANU9DglBH2

Score

10^/10

blustealer stormkitty collection spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Comprobante transferencia.js

Resource

win7-20221111-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

Comprobante transferencia.js

Resource

win10v2004-20221111-en

blustealer stormkitty collection spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

- Target
  
  Comprobante transferencia.js
- Size
  
  9KB
- MD5
  
  b6c2df8872800fb0ff88a0a8e18d30cd
- SHA1
  
  7f4c653be69760ba00e27eed161a7357095e2766
- SHA256
  
  5d1d48e562d8aa8f1da58485b809b0642a6eec54d043c183d7519020214232af
- SHA512
  
  9fca0dae9ae82ab230c54f8c5c9e73376918198ec5613685b3438fd37a60f352f441c141b105b596d35464c9dfe9c386b7e291f446e0b4b8323ffafadcbba1fe
- SSDEEP
  
  192:yxl1ldLn3HPgwaNjoymWe+UtEM6TKAkXqoKCpltawnbqbMzJDuDm5cttDgpjDjdW:oLrCsyzeLtEMZ/qojlhbqbANU9DglBH2
Score

10^/10

blustealer stormkitty collection spyware stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

blustealerstormkittycollectionspywarestealer

© 2018-2024

Terms | Privacy