blustealer | 342f87e6bb76f4915621c2c494c08be7cf1c265c9c6b41a7f5ac9fb50f2cbf06 | Triage

Submit
Reports

Overview

overview

Static

static

fatura643976_pdf.exe

windows7-x64

fatura643976_pdf.exe

windows10-2004-x64

Sharing

General

Target

fatura643976_pdf.exe
Size

353KB
Sample

230118-xd8ctafc35
MD5

3b3a92de582ab24c08a82e9a845e4254
SHA1

2b5a886fbcf838b5837e6a3f980c6da06238b64a
SHA256

342f87e6bb76f4915621c2c494c08be7cf1c265c9c6b41a7f5ac9fb50f2cbf06
SHA512

f3daa31bb2153aa45bbe252ec4f88ef477207c8a542aa768e7e763bb85f070e3083ceda18f88448105729edac26452aedce47e9e11608f28f7a3b616efcb84ca
SSDEEP

6144:2Ya6UAmTALugWJ52FikZ4rk4aDvo/SOlqmizhHhu6edC:2YtO0ugWJw5Z4rQDmS9u6eI

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

fatura643976_pdf.exe

Resource

win7-20221111-en

blustealer stormkitty collection persistence stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

fatura643976_pdf.exe

Resource

win10v2004-20221111-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

- Target
  
  fatura643976_pdf.exe
- Size
  
  353KB
- MD5
  
  3b3a92de582ab24c08a82e9a845e4254
- SHA1
  
  2b5a886fbcf838b5837e6a3f980c6da06238b64a
- SHA256
  
  342f87e6bb76f4915621c2c494c08be7cf1c265c9c6b41a7f5ac9fb50f2cbf06
- SHA512
  
  f3daa31bb2153aa45bbe252ec4f88ef477207c8a542aa768e7e763bb85f070e3083ceda18f88448105729edac26452aedce47e9e11608f28f7a3b616efcb84ca
- SSDEEP
  
  6144:2Ya6UAmTALugWJ52FikZ4rk4aDvo/SOlqmizhHhu6edC:2YtO0ugWJw5Z4rQDmS9u6eI
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2024

Terms | Privacy