blustealer | 761e4a0314cfb25685a468b01de973e51405f0de560a6c85d8cc1efa3e6ac013 | Triage

Submit
Reports

Overview

overview

Static

static

fatura64383,pdf.exe

windows7-x64

fatura64383,pdf.exe

windows10-2004-x64

Sharing

General

Target

fatura64383,pdf.exe
Size

362KB
Sample

230103-bnyqgaha73
MD5

bb77706ba6e7c684bdd0b1b11fb7f5e1
SHA1

e092bad0cf6528e64f0798279e7bc02f45748f82
SHA256

761e4a0314cfb25685a468b01de973e51405f0de560a6c85d8cc1efa3e6ac013
SHA512

01c64294fc9ca1a74b8e3921bb412ef442d2beabe2862db69e9d24f23cd568602bd926a75ca4551f56e68bc7a4a1a5c867ec3faf5169e9c7019b06c7b6a00e43
SSDEEP

6144:IYa6h0+uhQMTNBGSeHP/GVLfNVfPluPVDIJ:IYQ+uhQMTDrtIPNk

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

fatura64383,pdf.exe

Resource

win7-20220812-en

blustealer stormkitty collection persistence stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

fatura64383,pdf.exe

Resource

win10v2004-20221111-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

- Target
  
  fatura64383,pdf.exe
- Size
  
  362KB
- MD5
  
  bb77706ba6e7c684bdd0b1b11fb7f5e1
- SHA1
  
  e092bad0cf6528e64f0798279e7bc02f45748f82
- SHA256
  
  761e4a0314cfb25685a468b01de973e51405f0de560a6c85d8cc1efa3e6ac013
- SHA512
  
  01c64294fc9ca1a74b8e3921bb412ef442d2beabe2862db69e9d24f23cd568602bd926a75ca4551f56e68bc7a4a1a5c867ec3faf5169e9c7019b06c7b6a00e43
- SSDEEP
  
  6144:IYa6h0+uhQMTNBGSeHP/GVLfNVfPluPVDIJ:IYQ+uhQMTDrtIPNk
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2024

Terms | Privacy