General
-
Target
Pago pendiente 01-05-2023.exe
-
Size
892KB
-
Sample
230303-nmxs1agg3w
-
MD5
63c05e9cefd9e149912798971d3bac59
-
SHA1
2647d01bad450859a0237da0cf8c577afea02f28
-
SHA256
4213052d1b9d7daa7ca2d2e17eded80218602122bd697c72adbb88139d60ce7d
-
SHA512
865adeccbbea012401713ef6315b3bed3b1eff6f35d5d2bda984bd3545dd0696bc0b1e272ba94fd92374bad4224962dc779938be07166a7abee78d4752a0ad29
-
SSDEEP
24576:kudWVLuCLQA+hhbaRVqLHiRMKiyMKrMEC1+lGuCf:/dvYLgHiRMKiyMKbC1+Iu0
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Targets
-
-
Target
Pago pendiente 01-05-2023.exe
-
Size
892KB
-
MD5
63c05e9cefd9e149912798971d3bac59
-
SHA1
2647d01bad450859a0237da0cf8c577afea02f28
-
SHA256
4213052d1b9d7daa7ca2d2e17eded80218602122bd697c72adbb88139d60ce7d
-
SHA512
865adeccbbea012401713ef6315b3bed3b1eff6f35d5d2bda984bd3545dd0696bc0b1e272ba94fd92374bad4224962dc779938be07166a7abee78d4752a0ad29
-
SSDEEP
24576:kudWVLuCLQA+hhbaRVqLHiRMKiyMKrMEC1+lGuCf:/dvYLgHiRMKiyMKbC1+Iu0
Score10/10-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-