Extracted

• • Target

    fatura64383,pdf.exe

  • Size

    377KB

  • MD5

    83518d0443578cfc48983898d2d92ba5

  • SHA1

    4e40ef75cfccf1c4bbb91835d80c700ab244703c

  • SHA256

    df8573405d1b9e0d3bbd88adf1f5db88f8ced9d603b78b41881bd50de1d26cc5

  • SHA512

    b66b9ffcd5f411f8c59dc3a0c55bb888ec76f3ce2885c9ea476ca36d79c6e42c66b4b343997bc9ff82ef391dda6671dc50d6c704558c8ee454a766a5893f5517

  • SSDEEP

    6144:cYa6OHPGTjpoBdZfRq5D3IcW6BLs3EqKyFTlY7Y2s44Xb+It:cY8HPGpeVKW6BY3UyNlYb143

  Score

  10^/10

  blustealerstormkittycollectionpersistencestealer

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2