General

  • Target

    01a908923cbc76874658c47d432424a0.exe

  • Size

    86KB

  • Sample

    240130-egsgnagaa9

  • MD5

    01a908923cbc76874658c47d432424a0

  • SHA1

    5397fdeeb8e9365b3d9a6b8f599e658e050de1d7

  • SHA256

    6ba75d8e032bf1a23d50f4426c9f00444bec1b5396f29042a72b652a515b4247

  • SHA512

    77b789fd17f8ea650ecb68a04238b195d1cfea9885f7fce637c83bfada95974326831b610509e18b5886fe48bb5ec0f70b57a835bc565af655a7ab0253614140

  • SSDEEP

    1536:Em65rG4SzbXVzjvf1nRmyr20DmjyleT0FfWU4f23F0Wbub7B4B/:E6HXVzhvI0FfWU4O10kuPKF

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Targets

    • Detect ZGRat V1

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks