General

  • Target

    fatura65383,pdf.exe

  • Size

    370KB

  • Sample

    230103-vvaf1acb56

  • MD5

    5383ccf578fed8fe968c47cc1a0b885d

  • SHA1

    4f3f7f5510599a0c02842fede2cc2b19ea6df73c

  • SHA256

    9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc

  • SHA512

    14d93445830488bb6eb0e2681aa10f22e15cb6d30e61b16acdd082502fae906ed3defd84067d25a5493fb84f71ebe0d2f9dbb74cb89c943e2b997e8ca3f5f463

  • SSDEEP

    6144:IYa6B0+uhQM/xCGODuDnhXAHyftP6Nzb+o143fA9EniGCdY/e/8:IYw+uhQM/xV0uDn9qyftP6Nziu1uiHYR

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774
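The extracted C2 is not a server the operator controls but a Telegram Bot API call: the path carries the bot's token and the query string names the chat that receives the stolen data. Do not open the URL from an analysis host, since that is the token the malware uses. The following added example (not code from the report or from the malware) parses that URL into its parts, builds a defanged IOC record, and runs a simple hunt over constructed proxy log lines. The token-format regex, the helper names, DUMMY_TOKEN and the log lines are all assumptions made for the demo.

```python
"""Parse the BluStealer Telegram Bot API C2 and hunt for it in proxy logs.

Added example; not code from the sandbox report or the malware authors.
The C2 URL is the one the report extracted. The proxy log lines are
constructed for this demo and do not come from any real environment.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The C2 URL exactly as extracted in the report above.
C2_URL = ("https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM"
          "/sendMessage?chat_id=1638137774")

# Bot API paths look like /bot<bot id>:<secret>/<method>. The 35-character
# secret alphabet below is an assumption based on observed tokens, not a
# documented Telegram format.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$"
)


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into (bot_id, secret, method, chat_id).

    Returns None for anything that is not an https call to api.telegram.org
    with a well-formed bot path, so callers can run it over arbitrary URLs.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if m is None:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return m.group("bot_id"), m.group("secret"), m.group("method"), chat_id


def defang(url):
    """Make the URL safe to paste into tickets and chat without auto-linking."""
    return url.replace("https://", "hxxps://").replace(".", "[.]")


def ioc_record(url):
    """Build the IOC entry an analyst would share from the extracted config."""
    bot_id, secret, method, chat_id = parse_telegram_c2(url)
    return {
        "defanged_url": defang(url),
        "bot_id": bot_id,             # stable even if the operator rotates the token
        "token_suffix": secret[-4:],  # enough to correlate, not enough to use
        "method": method,
        "chat_id": chat_id,
    }


# Constructed proxy log lines for the demo (not from the report):
# "<client ip> <host> <http method> <path+query> <status>"
DUMMY_TOKEN = "9999999999:" + "A" * 35
PROXY_LOG = "\n".join([
    "10.0.0.15 api.telegram.org POST /bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774 200",
    f"10.0.0.23 api.telegram.org GET /bot{DUMMY_TOKEN}/getUpdates 200",
    "10.0.0.23 www.example.com GET /index.html 200",
    "10.0.0.42 api.telegram.org POST /bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendDocument?chat_id=1638137774 200",
])


def hunt(log_text, known_bot_ids):
    """Return (client, verdict, api_method, chat_id) for every Bot API call seen.

    Any Bot API call from an endpoint is worth a look; a call using a bot id
    from an extracted config is a confirmed C2 hit.
    """
    hits = []
    for line in log_text.splitlines():
        client, host, _http_method, path, _status = line.split()
        parsed = parse_telegram_c2(f"https://{host}{path}")
        if parsed is None:
            continue
        bot_id, _secret, api_method, chat_id = parsed
        verdict = "known-c2" if bot_id in known_bot_ids else "telegram-bot-api"
        hits.append((client, verdict, api_method, chat_id))
    return hits


if __name__ == "__main__":
    print(ioc_record(C2_URL))
    for hit in hunt(PROXY_LOG, {ioc_record(C2_URL)["bot_id"]}):
        print(hit)
```

Keying the hunt on the numeric bot id rather than the full token matters because a token can be regenerated while the bot id stays the same, and matching on any `/bot<id>:<secret>/send*` call from an endpoint catches other stealers that use the same exfiltration channel even when the token is unknown. Only the last few characters of the secret go into the shared record, so the IOC can be correlated without redistributing a usable credential.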

Targets

    • Target

      fatura65383,pdf.exe

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open-source info stealer written in C#.

    • StormKitty payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data, typically to harvest saved mail account settings and credentials.

    • Adds Run key to start application

      Registry Run key persistence: the binary is started again at the next user logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Commonly seen when a process writes code into a suspended child process and redirects that child's thread to it (process hollowing or similar injection).
