General

  • Target

    fatura64390089,pdf.exe

  • Size

    407KB

  • Sample

    230123-zwzvhaha9t

  • MD5

    c05d621f037ac3934058043187adec75

  • SHA1

    be6482abbdf88b6462293f4058f00c9b5d8de995

  • SHA256

    dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177

  • SHA512

    8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091

  • SSDEEP

    12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Targets

    • Target

      fatura64390089,pdf.exe

    • Size

      407KB

    • MD5

      c05d621f037ac3934058043187adec75

    • SHA1

      be6482abbdf88b6462293f4058f00c9b5d8de995

    • SHA256

      dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177

    • SHA512

      8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091

    • SSDEEP

      12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks