General
Target: fatura64390089,pdf.exe
Size: 407KB
Sample: 230123-zwzvhaha9t
MD5: c05d621f037ac3934058043187adec75
SHA1: be6482abbdf88b6462293f4058f00c9b5d8de995
SHA256: dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177
SHA512: 8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091
SSDEEP: 12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn
Static task: static1
Behavioral task: behavioral1
  Sample: fatura64390089,pdf.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fatura64390089,pdf.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted family: blustealer
C2 / exfiltration URL: https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774
This is the Telegram Bot API sendMessage endpoint. The bot token (the part after "bot") and the chat_id identify the attacker's bot and receiving chat and are the parts worth matching on; the hostname api.telegram.org is shared with legitimate Telegram traffic, and on the wire the path carrying the token sits inside TLS, so it is only visible with TLS inspection or from the sample itself.
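The hashes in the General section and the Telegram URL in the extracted config are the actionable IOCs on this page. The following Python is an added example (not the sandbox's own tooling) that turns them into checks: exact hash matching of a file's bytes, extraction of the attacker-specific bot id, token and chat_id from the C2 URL, a proxy-log scan that keys on the bot token rather than the shared api.telegram.org hostname, and a filename heuristic suggested by the sample name "fatura64390089,pdf.exe" (a document extension placed before the real .exe, with a comma standing in for the dot). The log lines are constructed, the lure-extension lists are my assumption, and SSDEEP is deliberately left out because it needs the third-party ssdeep module and a fuzzy comparison rather than equality.

```python
"""IOC checks for the fatura64390089,pdf.exe report (added example, not sandbox code)."""
import hashlib
import re

# File hashes copied from the report's General section.
SAMPLE_HASHES = {
    "md5": "c05d621f037ac3934058043187adec75",
    "sha1": "be6482abbdf88b6462293f4058f00c9b5d8de995",
    "sha256": "dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177",
    "sha512": "8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091",
}

# Exfiltration URL copied from the report's Malware Config section.
C2_URL = ("https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM"
          "/sendMessage?chat_id=1638137774")

TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/")


def file_hashes(data: bytes) -> dict:
    """Digest `data` with every exact-match algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def match_hashes(data: bytes, iocs: dict = SAMPLE_HASHES) -> list:
    """Names of the algorithms whose digest of `data` equals the IOC value."""
    digests = file_hashes(data)
    return sorted(name for name, value in digests.items() if value == iocs.get(name))


def parse_telegram_c2(url: str):
    """Pull the attacker-specific parts out of a Telegram Bot API URL:
    bot id, bot token and (if present) the receiving chat_id. None if not a bot URL."""
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    chat = re.search(r"[?&]chat_id=(\d+)", url)
    return {"bot_id": m.group(1), "token": m.group(2),
            "chat_id": chat.group(1) if chat else None}


def match_c2_lines(lines, c2_url: str = C2_URL) -> list:
    """Indices of log lines that carry the report's bot id and token.
    Matching on the hostname alone would also flag legitimate Telegram bots."""
    ioc = parse_telegram_c2(c2_url)
    needle = f"/bot{ioc['bot_id']}:{ioc['token']}/"
    return [i for i, line in enumerate(lines) if needle in line]


# Assumed heuristic (not from the report): the sample's name puts a document
# extension before the executable extension so a file list shows "pdf.exe".
LURE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def looks_like_double_extension_lure(filename: str) -> bool:
    """True for names ending in <lure-ext><sep><exec-ext>, e.g. invoice.pdf.exe
    or fatura64390089,pdf.exe; the separator may be '.', ',', '_' or '-'."""
    m = re.search(r"[.,_-](\w+)[.,_-](\w+)$", filename.lower())
    return bool(m) and m.group(1) in LURE_EXTENSIONS and m.group(2) in EXEC_EXTENSIONS


# Constructed proxy log lines (not real traffic). Line 0 is a bare TLS CONNECT,
# where the bot token is not visible; line 2 is a different, unrelated bot.
SAMPLE_LOG = [
    "2023-01-23T10:01:02Z 10.0.0.5 CONNECT api.telegram.org:443",
    "2023-01-23T10:01:03Z 10.0.0.5 POST https://api.telegram.org/bot5732817033:"
    "AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage",
    "2023-01-23T10:01:04Z 10.0.0.7 POST https://api.telegram.org/bot123456:EXAMPLETOKEN/sendMessage",
    "2023-01-23T10:01:05Z 10.0.0.5 GET https://example.com/",
]

if __name__ == "__main__":
    print("C2 parts:", parse_telegram_c2(C2_URL))
    print("log hits:", match_c2_lines(SAMPLE_LOG))
    print("lure name:", looks_like_double_extension_lure("fatura64390089,pdf.exe"))
    print("empty file matches report hashes:", match_hashes(b""))
```

Only line 1 of the constructed log is reported: the CONNECT on line 0 shows why a TLS-only vantage point cannot key on the token, and line 2 shows why the hostname alone is a poor IOC. Run match_hashes against the bytes of a suspect file; any non-empty result is an exact match on the sample above.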
Targets
Target: fatura64390089,pdf.exe
Score: 10/10
Signatures:
- StormKitty payload: a StormKitty-derived stealer component was detected. BluStealer's .NET component is built on open-source stealer code including StormKitty, so this agrees with the extracted config rather than indicating a second family.
- Executes dropped EXE: runs an executable the sample wrote to disk.
- Loads dropped DLL: loads a library the sample wrote to disk.
- Accesses Microsoft Outlook profiles: reads the registry profile data in which Outlook stores account settings and saved mail credentials, consistent with a credential stealer.
- Adds Run key to start application: persistence through a CurrentVersion\Run registry value, so the payload is started again at user logon.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP; the lookup service itself is not an IOC.
- Suspicious use of SetThreadContext: rewriting another thread's context is the usual final step of process hollowing (child started suspended, its image replaced, entry point redirected); on its own it is an injection indicator, not proof.