General
-
Target
fatura6764355,pdf.exe
-
Size
365KB
-
Sample
230120-kpv6eaac92
-
MD5
b5eebe5b039a57b5c16495873a66b312
-
SHA1
df2a0fe56668093a1301e05fb849edb4cfef2de7
-
SHA256
a9d460abe6b2e92e101bcf8d0d3a713c604019d385537590125699b4e5918108
-
SHA512
072fc10c2a1bd4d71b1232264b77dc8cd434d0065c6a0ef1752eae2c57af628e40fa13ad1972d28336cb96eeb9a76df05a967655e3aadf20a295d3406f3f9308
-
SSDEEP
6144:YYa6YcpJFi31vGQkE/XKxNYk08nDfL6AJ8J0HK+IprN4h:YY/JIlv7eN24DfeAJ20HKxN6
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896
Targets
-
-
Target
fatura6764355,pdf.exe
-
Size
365KB
-
MD5
b5eebe5b039a57b5c16495873a66b312
-
SHA1
df2a0fe56668093a1301e05fb849edb4cfef2de7
-
SHA256
a9d460abe6b2e92e101bcf8d0d3a713c604019d385537590125699b4e5918108
-
SHA512
072fc10c2a1bd4d71b1232264b77dc8cd434d0065c6a0ef1752eae2c57af628e40fa13ad1972d28336cb96eeb9a76df05a967655e3aadf20a295d3406f3f9308
-
SSDEEP
6144:YYa6YcpJFi31vGQkE/XKxNYk08nDfL6AJ8J0HK+IprN4h:YY/JIlv7eN24DfeAJ20HKxN6
Score10/10-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-