General
-
Target
fatura643900089,pdf.exe
-
Size
283KB
-
Sample
230113-reeh8shd89
-
MD5
a5ab578b9acbbecc8eb7f52cfe6b53b5
-
SHA1
575935612d4f0d7e8c481251a13782a4ab2c9eaa
-
SHA256
b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868
-
SHA512
b53ba18ba9c535315d3ba23ad6e9fbd0d6d98536b4f09c42a684b8ad10bc5ea72763be36cd0bd023ca292b98954b667b3440f0ad68e06ef3e56640c3bdbd81ce
-
SSDEEP
6144:QYa6NgSECqpOY0DsSezKB0IvZ9v5R/ihbq/YS2S+dXIorT1ws7:QYbgQqpOY0DAKOI/v5R/i25B+dXIo9z7
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896
Targets
-
-
Target
fatura643900089,pdf.exe
-
Size
283KB
-
MD5
a5ab578b9acbbecc8eb7f52cfe6b53b5
-
SHA1
575935612d4f0d7e8c481251a13782a4ab2c9eaa
-
SHA256
b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868
-
SHA512
b53ba18ba9c535315d3ba23ad6e9fbd0d6d98536b4f09c42a684b8ad10bc5ea72763be36cd0bd023ca292b98954b667b3440f0ad68e06ef3e56640c3bdbd81ce
-
SSDEEP
6144:QYa6NgSECqpOY0DsSezKB0IvZ9v5R/ihbq/YS2S+dXIorT1ws7:QYbgQqpOY0DAKOI/v5R/i25B+dXIo9z7
Score10/10-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-