blustealer | b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868 | Triage

Submit
Reports

Overview

overview

Static

static

fatura6439...df.exe

windows7-x64

fatura6439...df.exe

windows10-2004-x64

Sharing

General

Target

fatura643900089,pdf.exe
Size

283KB
Sample

230113-reeh8shd89
MD5

a5ab578b9acbbecc8eb7f52cfe6b53b5
SHA1

575935612d4f0d7e8c481251a13782a4ab2c9eaa
SHA256

b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868
SHA512

b53ba18ba9c535315d3ba23ad6e9fbd0d6d98536b4f09c42a684b8ad10bc5ea72763be36cd0bd023ca292b98954b667b3440f0ad68e06ef3e56640c3bdbd81ce
SSDEEP

6144:QYa6NgSECqpOY0DsSezKB0IvZ9v5R/ihbq/YS2S+dXIorT1ws7:QYbgQqpOY0DAKOI/v5R/i25B+dXIo9z7

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

fatura643900089,pdf.exe

Resource

win7-20221111-en

blustealer stormkitty collection persistence stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

fatura643900089,pdf.exe

Resource

win10v2004-20220812-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

- Target
  
  fatura643900089,pdf.exe
- Size
  
  283KB
- MD5
  
  a5ab578b9acbbecc8eb7f52cfe6b53b5
- SHA1
  
  575935612d4f0d7e8c481251a13782a4ab2c9eaa
- SHA256
  
  b66a64b70d5d0e02f35afc5b2ba9fffe6365fd876d1d83e50419d1caff4f3868
- SHA512
  
  b53ba18ba9c535315d3ba23ad6e9fbd0d6d98536b4f09c42a684b8ad10bc5ea72763be36cd0bd023ca292b98954b667b3440f0ad68e06ef3e56640c3bdbd81ce
- SSDEEP
  
  6144:QYa6NgSECqpOY0DsSezKB0IvZ9v5R/ihbq/YS2S+dXIorT1ws7:QYbgQqpOY0DAKOI/v5R/i25B+dXIo9z7
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2024

Terms | Privacy