Resubmissions

20-12-2022 23:15

221220-28xl1sbc85 10

20-12-2022 06:45

221220-hh292aca3v 10

General

  • Target

    FACTURA.exe

  • Size

    164KB

  • Sample

    221220-hh292aca3v

  • MD5

    ed569d6f146f9101293b60dee2e726f6

  • SHA1

    24a5c1579b090e1f8c9a5ff128f9545542fa8a69

  • SHA256

    7cde481029d0f331c932ffb79f04c8113ab6d5b36bbd4cc18f4c54b086910b58

  • SHA512

    36820914cd1605f058a97ecaf2ce5af808648a533abcbb3d5d567f9fc4978d6acc056d28eb629299785b6064481b74f760744c6d8acefb05d8ddb8de3edea974

  • SSDEEP

    3072:DGpmGTuaBefnv1TkuFDMyDGdV0j/uwmyJ+aXE/8brg0TKC0gDm6:qLuaQfv1TkuFDMyD6V0zusJRklI

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      FACTURA.exe

    • Size

      164KB

    • MD5

      ed569d6f146f9101293b60dee2e726f6

    • SHA1

      24a5c1579b090e1f8c9a5ff128f9545542fa8a69

    • SHA256

      7cde481029d0f331c932ffb79f04c8113ab6d5b36bbd4cc18f4c54b086910b58

    • SHA512

      36820914cd1605f058a97ecaf2ce5af808648a533abcbb3d5d567f9fc4978d6acc056d28eb629299785b6064481b74f760744c6d8acefb05d8ddb8de3edea974

    • SSDEEP

      3072:DGpmGTuaBefnv1TkuFDMyDGdV0j/uwmyJ+aXE/8brg0TKC0gDm6:qLuaQfv1TkuFDMyD6V0zusJRklI

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks