blustealer | 810acdb822af195ddb50ce857992f3d78ab45d5dae9496456106180b43e7b1c7 | Triage

Submit
Reports

Overview

overview

Static

static

fatura6245687,pdf.exe

windows7-x64

fatura6245687,pdf.exe

windows10-2004-x64

Sharing

General

Target

fatura6245687,pdf.exe
Size

309KB
Sample

230110-tsgxmagf37
MD5

b8226f71e477852a471bf6789c2973ce
SHA1

1dd378577e31562f343de35b8019b2cbaf7b2a2e
SHA256

810acdb822af195ddb50ce857992f3d78ab45d5dae9496456106180b43e7b1c7
SHA512

354419176d07cfd905ab1b7632b441ea3ae589874b14c15ae656e87f5343d22b13b1198763e555eb89bbea4482c674b48d824768ed5940eede62a96966c50a75
SSDEEP

6144:2Ya6BgSECqpOY018iutYxWtsidNqts5sHqVbXa+M08f:2Y3gQqpOY018i/lG06CHIK+MH

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

fatura6245687,pdf.exe

Resource

win7-20220812-en

blustealer stormkitty collection persistence stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

fatura6245687,pdf.exe

Resource

win10v2004-20221111-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Targets

- Target
  
  fatura6245687,pdf.exe
- Size
  
  309KB
- MD5
  
  b8226f71e477852a471bf6789c2973ce
- SHA1
  
  1dd378577e31562f343de35b8019b2cbaf7b2a2e
- SHA256
  
  810acdb822af195ddb50ce857992f3d78ab45d5dae9496456106180b43e7b1c7
- SHA512
  
  354419176d07cfd905ab1b7632b441ea3ae589874b14c15ae656e87f5343d22b13b1198763e555eb89bbea4482c674b48d824768ed5940eede62a96966c50a75
- SSDEEP
  
  6144:2Ya6BgSECqpOY018iutYxWtsidNqts5sHqVbXa+M08f:2Y3gQqpOY018i/lG06CHIK+MH
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2024

Terms | Privacy