General

  • Target

    Pago pendiente 01-05-2023.iso

  • Size

    1.4MB

  • Sample

    230303-nmxg8shc45

  • MD5

    6aec3d6f2bcabe23b9b66d7746c853d7

  • SHA1

    7697cf5c78e7f9ee2fb97722e1b8e02bf3a0f085

  • SHA256

    a5c53268a387b731d24fd2b30dbf5fd49775d6ccf6ffe90e5c5c4c924df32087

  • SHA512

    521c9b986c734836796dc9b6717c5ff0c2f71484fdfd878d8f980ba1633eadd07cdc0dc2a2651d25e5ed863dfbaab7bcdfce01432a55664623642015fc699369

  • SSDEEP

    24576:xudWVLuCLQA+hhbaRVqLHiRMKiyMKrMEC1+lGuCf:wdvYLgHiRMKiyMKbC1+Iu0

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      PAGO_PEN.EXE

    • Size

      892KB

    • MD5

      63c05e9cefd9e149912798971d3bac59

    • SHA1

      2647d01bad450859a0237da0cf8c577afea02f28

    • SHA256

      4213052d1b9d7daa7ca2d2e17eded80218602122bd697c72adbb88139d60ce7d

    • SHA512

      865adeccbbea012401713ef6315b3bed3b1eff6f35d5d2bda984bd3545dd0696bc0b1e272ba94fd92374bad4224962dc779938be07166a7abee78d4752a0ad29

    • SSDEEP

      24576:kudWVLuCLQA+hhbaRVqLHiRMKiyMKrMEC1+lGuCf:/dvYLgHiRMKiyMKbC1+Iu0

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks