blustealer | dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177 | Triage

Submit
Reports

Overview

overview

Static

static

fatura6439...df.exe

windows7-x64

fatura6439...df.exe

windows10-2004-x64

Sharing

General

Target

fatura64390089,pdf.exe
Size

407KB
Sample

230123-zw6caaha9v
MD5

c05d621f037ac3934058043187adec75
SHA1

be6482abbdf88b6462293f4058f00c9b5d8de995
SHA256

dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177
SHA512

8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091
SSDEEP

12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn

Score

10^/10

blustealer stormkitty collection persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

fatura64390089,pdf.exe

Resource

win7-20220901-en

blustealer stormkitty collection persistence stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

fatura64390089,pdf.exe

Resource

win10v2004-20221111-en

blustealer stormkitty collection persistence stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Targets

- Target
  
  fatura64390089,pdf.exe
- Size
  
  407KB
- MD5
  
  c05d621f037ac3934058043187adec75
- SHA1
  
  be6482abbdf88b6462293f4058f00c9b5d8de995
- SHA256
  
  dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177
- SHA512
  
  8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091
- SSDEEP
  
  12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn
Score

10^/10

blustealer stormkitty collection persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blustealerstormkittycollectionpersistencestealer

behavioral2

blustealerstormkittycollectionpersistencestealer

© 2018-2024

Terms | Privacy