Extracted

• • Target

    fatura6764355,pdf.exe

  • Size

    365KB

  • MD5

    b5eebe5b039a57b5c16495873a66b312

  • SHA1

    df2a0fe56668093a1301e05fb849edb4cfef2de7

  • SHA256

    a9d460abe6b2e92e101bcf8d0d3a713c604019d385537590125699b4e5918108

  • SHA512

    072fc10c2a1bd4d71b1232264b77dc8cd434d0065c6a0ef1752eae2c57af628e40fa13ad1972d28336cb96eeb9a76df05a967655e3aadf20a295d3406f3f9308

  • SSDEEP

    6144:YYa6YcpJFi31vGQkE/XKxNYk08nDfL6AJ8J0HK+IprN4h:YY/JIlv7eN24DfeAJ20HKxN6

  Score

  10^/10

  blustealerstormkittycollectionpersistencestealer

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2