General

  • Target

    NHHhHhab.exe

  • Size

    764KB

  • Sample

    230508-hw8c7sbb9z

  • MD5

    072fa2c24d833a4d1370c4830977ee5a

  • SHA1

    74b2abcae6491d617225b5b430bd3309ee212fb4

  • SHA256

    980d032454e0f471a820a594683ae833ac86d4c074fbf43cb47798ca774b35f6

  • SHA512

    9589f213e00648acfac43bc56e5b3b74746dfd688ef052017b9f0d53ffb12c20f4257ebde497bb8bdd03829ea0e8a92879d625076af9a4919284cf16f1256495

  • SSDEEP

    12288:AQHFUlKANJ2yE8qMg+dEOrCG0D7SKHBweeSXXYrzQ70W:AFk+EOrCG0DmgBwerHYo0W
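Before opening a retrieved copy of this sample, confirm it is the same file the report describes. The following helper is an added example (not part of the report or of any sandbox tooling): it hashes a byte string or a file in one streamed pass and returns every digest that disagrees with the values listed above. The `REPORT_HASHES` table is copied from this report; the input bytes in the test are constructed.

```python
import hashlib

# Digests for NHHhHhab.exe as listed in this report.
REPORT_HASHES = {
    "md5": "072fa2c24d833a4d1370c4830977ee5a",
    "sha1": "74b2abcae6491d617225b5b430bd3309ee212fb4",
    "sha256": "980d032454e0f471a820a594683ae833ac86d4c074fbf43cb47798ca774b35f6",
    "sha512": (
        "9589f213e00648acfac43bc56e5b3b74746dfd688ef052017b9f0d53ffb12c20"
        "f4257ebde497bb8bdd03829ea0e8a92879d625076af9a4919284cf16f1256495"
    ),
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_chunks(chunks):
    """Feed an iterable of byte chunks through all four hashers in a single pass.

    Returns {algo: hexdigest}. One pass matters for large samples: the file is
    read once, not once per algorithm.
    """
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_hashes(data: bytes, expected: dict) -> dict:
    """Return {algo: (expected, actual)} for every listed digest that does not match.

    Algorithm names and hex case are normalised so values pasted from a report
    in upper case still compare equal. Algorithms not computed here are
    skipped. An empty dict means the bytes match every listed digest.
    """
    actual = hash_chunks([data])
    mismatches = {}
    for algo, want in expected.items():
        algo = algo.lower()
        if algo not in actual:
            continue
        want = want.strip().lower()
        if actual[algo] != want:
            mismatches[algo] = (want, actual[algo])
    return mismatches


def verify_file(path: str, expected: dict = REPORT_HASHES, chunk_size: int = 1 << 20) -> dict:
    """Stream a file from disk and compare it against the report's digests."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block

    actual = hash_chunks(chunks())
    return {
        algo: (want.strip().lower(), actual[algo])
        for algo, want in ((a.lower(), w) for a, w in expected.items())
        if algo in actual and actual[algo] != want.strip().lower()
    }


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1]) if len(sys.argv) > 1 else compare_hashes(b"", REPORT_HASHES)
    for algo, (want, got) in bad.items():
        print(f"{algo}: expected {want}, got {got}")
    print("match" if not bad else "MISMATCH")
```

Run it as `python verify.py NHHhHhab.exe`; a non-empty result means the file on disk is not the sample this report analysed, and none of the behavioural findings below should be assumed to apply to it.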

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      NHHhHhab.exe

    • Size

      764KB

    • MD5

      072fa2c24d833a4d1370c4830977ee5a

    • SHA1

      74b2abcae6491d617225b5b430bd3309ee212fb4

    • SHA256

      980d032454e0f471a820a594683ae833ac86d4c074fbf43cb47798ca774b35f6

    • SHA512

      9589f213e00648acfac43bc56e5b3b74746dfd688ef052017b9f0d53ffb12c20f4257ebde497bb8bdd03829ea0e8a92879d625076af9a4919284cf16f1256495

    • SSDEEP

      12288:AQHFUlKANJ2yE8qMg+dEOrCG0D7SKHBweeSXXYrzQ70W:AFk+EOrCG0DmgBwerHYo0W

    • BluStealer

      A modular information stealer written in Visual Basic.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
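Two of the findings above are visible on the wire: the extracted C2 is a Telegram Bot API `sendMessage` call, and the sample looks up its external IP through a web service. The following scanner is an added example written for this page (not sandbox code and not part of the sample); it runs over a few constructed proxy-style log lines, identifies Telegram Bot API calls and extracts the numeric bot ID, the API method and the `chat_id`, and flags requests to common external-IP lookup hosts. The `IP_LOOKUP_HOSTS` list is an assumption: the report does not name the service this sample used. The Telegram URL in the sample log is the C2 extracted above; the other lines are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-style log: "<timestamp> <client> <method> <url>" per line.
# Only the Telegram line is taken from the report; the rest is invented.
SAMPLE_LOG = """\
2023-05-08T10:12:01Z 10.0.0.15 GET https://api.ipify.org/?format=text
2023-05-08T10:12:02Z 10.0.0.15 GET https://www.microsoft.com/en-us/
2023-05-08T10:12:03Z 10.0.0.15 POST https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
2023-05-08T10:12:04Z 10.0.0.22 GET https://update.example.com/check
"""

# Telegram Bot API paths have the shape /bot<numeric id>:<secret>/<method>.
# The numeric id is stable for the bot and is the part worth keeping as an
# indicator; the secret after the colon is the bot's credential.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")

# Assumption: typical external-IP lookup services. The report only says that a
# legitimate IP lookup service was used, not which one.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipinfo.io", "icanhazip.com",
    "checkip.amazonaws.com", "api.ip.sb", "ifconfig.me",
}


def parse_telegram_c2(url: str):
    """Return {'bot_id', 'method', 'chat_id'} for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    match = TELEGRAM_BOT_RE.match(parts.path)
    if not match:
        return None
    bot_id, _secret, method = match.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "method": method, "chat_id": chat_id}


def scan_log(text: str) -> list:
    """Return one finding per log line that matches either network indicator."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _verb, url = fields[:4]
        telegram = parse_telegram_c2(url)
        if telegram:
            findings.append({"ts": ts, "client": client,
                             "kind": "telegram_bot_api", **telegram})
            continue
        host = (urlsplit(url).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            findings.append({"ts": ts, "client": client,
                             "kind": "external_ip_lookup", "host": host})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

An IP lookup on its own is common in legitimate software; the pairing to act on is the same client performing a lookup and then posting to `api.telegram.org/bot<id>:...` shortly afterwards, which is exactly the sequence the two findings above describe. Keying detections on the numeric bot ID rather than the full token lets the rule survive a token rotation by the operator.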

MITRE ATT&CK Enterprise v6

Tasks