Extracted

• • Target

    fatura64383,pdf.exe

  • Size

    366KB

  • MD5

    ed637030ae7f20a8af6b08fc5401b2eb

  • SHA1

    07d6ea65d57216d032a547cd41596f7f0d77fce6

  • SHA256

    288a470426cff4110e23d8d2a531a19bae23149bba818a86e1e79341f10548d0

  • SHA512

    c8b7216d4bfd486da62b54cb414bfd33e29304ef9d837306f01ecf36a116e2b101ab45424d1a9a7cff931947458de2dfd8af01ddcdc71b0fe89b10cc9baaf6e3

  • SSDEEP

    6144:8Ya6hpFXx6WGu1PGgl95W9YBw1SrPK9a17TCd7FgibOJrdhEk:8YTpFXxLG6Gg09Yrr9f27vbOJd

  Score

  10^/10

  blustealerstormkittycollectionpersistencestealer

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2