General

  • Target

    0FERTA_Y.EXE.exe

  • Size

    202KB

  • Sample

    230426-kn98yagb94

  • MD5

    a9419910dc159e785f4f7d060b99703d

  • SHA1

    164c8c53881f9e65d19233c6b9eed1d0231e7cfb

  • SHA256

    56fe514e3ea3eda0569cf8b79741fe9ed9b391fe06f07b33d847ccdd7fda18ae

  • SHA512

    f8dad0c0825aab81f9ad4ca4d138b7e653181b3c4d9ad8162f99568ea55168b82265097afa8be8afc23ad571547647b32bf49f0247fbe14b67269e8144b80358

  • SSDEEP

    6144:tH6xBmSbrrTTCgb9/z2qBop/Nkt9Tdz/6R36:tAWgbdgp/NktrWR

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      0FERTA_Y.EXE.exe

    • Size

      202KB

    • MD5

      a9419910dc159e785f4f7d060b99703d

    • SHA1

      164c8c53881f9e65d19233c6b9eed1d0231e7cfb

    • SHA256

      56fe514e3ea3eda0569cf8b79741fe9ed9b391fe06f07b33d847ccdd7fda18ae

    • SHA512

      f8dad0c0825aab81f9ad4ca4d138b7e653181b3c4d9ad8162f99568ea55168b82265097afa8be8afc23ad571547647b32bf49f0247fbe14b67269e8144b80358

    • SSDEEP

      6144:tH6xBmSbrrTTCgb9/z2qBop/Nkt9Tdz/6R36:tAWgbdgp/NktrWR

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks