General
-
Target
48ed48f4db001bd7e5a5bfa03b7c8b6cb20aa22593ad8454e8d54c65234b8d73
-
Size
451KB
-
Sample
240428-t9wgcacb27
-
MD5
9d7c0fcbfea97ac283f4e68707245250
-
SHA1
7d4f5822aee7512b308db3baaeb5d0557abf2469
-
SHA256
48ed48f4db001bd7e5a5bfa03b7c8b6cb20aa22593ad8454e8d54c65234b8d73
-
SHA512
b7377ae1af7f6867ac1a5ae67c8a9ccbcaffb41f201a0f57c9b792cb4515571cd50ff3718057e431fb31e673b85102fea8c82a58821ee84d22d0d5e28657bdd2
-
SSDEEP
6144:EbizKU6CpA9+9+HDs15JInfn07l7Ro9+mdb7nrAUYj9To2BwMt2jBse7NU:EbMKUHmcQs7Po9+esUYjq2SUUTBU
Static task
static1
Behavioral task
behavioral1
Sample
48ed48f4db001bd7e5a5bfa03b7c8b6cb20aa22593ad8454e8d54c65234b8d73.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
48ed48f4db001bd7e5a5bfa03b7c8b6cb20aa22593ad8454e8d54c65234b8d73.exe
Resource
win11-20240419-en
Malware Config
Extracted
stealc
http://185.172.128.151
-
url_path
/7043a0c6a68d9c65.php
Targets
-
-
Target
48ed48f4db001bd7e5a5bfa03b7c8b6cb20aa22593ad8454e8d54c65234b8d73
-
Size
451KB
-
MD5
9d7c0fcbfea97ac283f4e68707245250
-
SHA1
7d4f5822aee7512b308db3baaeb5d0557abf2469
-
SHA256
48ed48f4db001bd7e5a5bfa03b7c8b6cb20aa22593ad8454e8d54c65234b8d73
-
SHA512
b7377ae1af7f6867ac1a5ae67c8a9ccbcaffb41f201a0f57c9b792cb4515571cd50ff3718057e431fb31e673b85102fea8c82a58821ee84d22d0d5e28657bdd2
-
SSDEEP
6144:EbizKU6CpA9+9+HDs15JInfn07l7Ro9+mdb7nrAUYj9To2BwMt2jBse7NU:EbMKUHmcQs7Po9+esUYjq2SUUTBU
-
SectopRAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-