Extracted

• • Target

    fatura643976_pdf.exe

  • Size

    353KB

  • MD5

    3b3a92de582ab24c08a82e9a845e4254

  • SHA1

    2b5a886fbcf838b5837e6a3f980c6da06238b64a

  • SHA256

    342f87e6bb76f4915621c2c494c08be7cf1c265c9c6b41a7f5ac9fb50f2cbf06

  • SHA512

    f3daa31bb2153aa45bbe252ec4f88ef477207c8a542aa768e7e763bb85f070e3083ceda18f88448105729edac26452aedce47e9e11608f28f7a3b616efcb84ca

  • SSDEEP

    6144:2Ya6UAmTALugWJ52FikZ4rk4aDvo/SOlqmizhHhu6edC:2YtO0ugWJw5Z4rQDmS9u6eI

  Score

  10^/10

  blustealerstormkittycollectionpersistencestealer

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2