General

  • Target

    45061e4da841c2587d0890148705a142.exe

  • Size

    406KB

  • Sample

    220805-hn7rpshbej

  • MD5

    45061e4da841c2587d0890148705a142

  • SHA1

    eb68218c1d70f3ba00f8190c8171ad1cfa2fb42a

  • SHA256

    6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf

  • SHA512

    01a561bbb8418364078e4751e69a5d61075220cfbaa7582a0b664ccc1fd45b6dd1accc4ef3dd2b2e6b0dc1a99d9e5f5605ee453eb6c1010c28a189109a51c294

Malware Config

Targets

    • BluStealer

      A modular information stealer written in Visual Basic.

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    • Winlogon Helper DLL (T1004): 1
    • Hidden Files and Directories (T1158): 1
    • Registry Run Keys / Startup Folder (T1060): 2

Defense Evasion

    • Modify Registry (T1112): 4
    • Hidden Files and Directories (T1158): 1

Discovery

    • System Information Discovery (T1082): 2
    • Query Registry (T1012): 1

Collection

    • Email Collection (T1114): 1

Tasks