stealc | 3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421

Analysis

max time kernel
274s
max time network
161s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
Size

414KB
MD5

5b6b27b8f3e90d5c67d9f90bab751f1e
SHA1

a163cc72d5ce24ddd9e86f586876bb9f9547a51e
SHA256

3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421
SHA512

5b8888583acaa6a33ae85429d4f3d717d15e8deda1fbfae6f1c9a9837d326e0b84dd04e1d866fe5a4857f0d4017b9970621dab1cf766b15629000c7dcf5eb34a
SSDEEP

6144:kUBes6jA+uS+YRiXbr41hssVhBM+gOmHs0EE2ovTCsqXd3zCEKe:1j6U+ulYRYv4zx4pMBAvTmFKe

Score

10^/10

stealc zgrat discovery rat stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1088-95-0x0000000000EA0000-0x0000000004798000-memory.dmp	family_zgrat_v1
behavioral1/memory/1088-99-0x000000001EC40000-0x000000001ED50000-memory.dmp	family_zgrat_v1
behavioral1/memory/1088-103-0x0000000000E00000-0x0000000000E24000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1700	u1bo.0.exe
2792	u1bo.1.exe

Loads dropped DLL 8 IoCs

pid	Process
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1bo.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1bo.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1bo.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1bo.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1bo.0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1700	u1bo.0.exe
1088	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1088	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1088	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1088	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1088	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe
2792	u1bo.1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1700	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	28
PID 1716 wrote to memory of 1700	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	28
PID 1716 wrote to memory of 1700	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	28
PID 1716 wrote to memory of 1700	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	28
PID 1716 wrote to memory of 2792	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	30
PID 1716 wrote to memory of 2792	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	30
PID 1716 wrote to memory of 2792	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	30
PID 1716 wrote to memory of 2792	1716	3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe	30
PID 2792 wrote to memory of 1088	2792	u1bo.1.exe	31
PID 2792 wrote to memory of 1088	2792	u1bo.1.exe	31
PID 2792 wrote to memory of 1088	2792	u1bo.1.exe	31
PID 2792 wrote to memory of 1088	2792	u1bo.1.exe	31

C:\Users\Admin\AppData\Local\Temp\3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe
"C:\Users\Admin\AppData\Local\Temp\3edc87036c550aed647cf1df76715f1c8ee1d03a1500560a5dec130736bf9421.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\u1bo.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u1bo.0.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\u1bo.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u1bo.1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bc5a16429b969030a00931a912ea760b7142040cd6caa90f2a646358beabd092\69aabfb1cc564adb8076bf33c7aa2af6.tmp

Filesize
1KB

MD5
8f89de43ebf2f72d08bed94553937784

SHA1
13df00c8a646944eb1deb5d940effae88c9825c6

SHA256
ee43093fb8c6122ec7efc4b5b9ea46c53e724aabeba940f8a2dd7e886301e136

SHA512
d2656d3f8f0133e7511229457d7e2ef3f894832c677b1b7300e1c3d8861ac4462dbd53011127dd4f3687a0ee1c2c5b0a2d6fcf177cbd025db2e1ff04f555167b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
56ee8940cc1cc5a9fcbefdd2d539eeeb

SHA1
d98ea064e6fc28309365bebed62df936b24fa19a

SHA256
d7798c45a46c38bdac77005c7056f9a2fce1dbe02e5cb570bda85e663a210401

SHA512
dc22dd2dbcb8a2265d61caf625b8bd4dfde23650db24de0631d5b78b094de77d1f4ff05cfe806146bb2cdf7903e88e528382f40dbc20f1ae6176c99d4afc331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
03f9fe7640c8508f2c7e651c95e41941

SHA1
4e49b17248f12df3c01286202ed14fdb2a94ac2a

SHA256
2dfa4369639a6c50257b29f32656a05956d89a7d530d812cde38f430c8c01108

SHA512
eedf2f9c813d67a3c2c2dfb81df21d90e0b587134e0341a163874e594988085cbfd63d2e01dea88d471062dd0c7c0f344144b448fd83a5dad65aaaea8f4f9401

Download Submit
\Users\Admin\AppData\Local\Temp\u1bo.0.exe

Filesize
259KB

MD5
4524e1a1e2725e159d68b3bca2c1b296

SHA1
0e3b226d0ebd227b911c5fc25d6a28478ed0a957

SHA256
12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7

SHA512
870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

Download Submit
\Users\Admin\AppData\Local\Temp\u1bo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/1088-116-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/1088-120-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1088-135-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-133-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-132-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/1088-131-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/1088-130-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-129-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/1088-125-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1088-124-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-121-0x0000000000690000-0x00000000006B2000-memory.dmp

Filesize
136KB

Download
memory/1088-119-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-117-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-95-0x0000000000EA0000-0x0000000004798000-memory.dmp

Filesize
57.0MB

Download
memory/1088-96-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/1088-98-0x0000000000490000-0x0000000000510000-memory.dmp

Filesize
512KB

Download
memory/1088-99-0x000000001EC40000-0x000000001ED50000-memory.dmp

Filesize
1.1MB

Download
memory/1088-100-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1088-101-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/1088-102-0x00000000006C0000-0x00000000006D4000-memory.dmp

Filesize
80KB

Download
memory/1088-103-0x0000000000E00000-0x0000000000E24000-memory.dmp

Filesize
144KB

Download
memory/1088-105-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/1088-106-0x000000001EB00000-0x000000001EB2A000-memory.dmp

Filesize
168KB

Download
memory/1088-107-0x000000001F110000-0x000000001F1C2000-memory.dmp

Filesize
712KB

Download
memory/1088-108-0x000000001E180000-0x000000001E1FA000-memory.dmp

Filesize
488KB

Download
memory/1088-109-0x000000001F1C0000-0x000000001F222000-memory.dmp

Filesize
392KB

Download
memory/1088-110-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1088-114-0x000000001F820000-0x000000001FB20000-memory.dmp

Filesize
3.0MB

Download
memory/1700-20-0x0000000000C70000-0x0000000000D70000-memory.dmp

Filesize
1024KB

Download
memory/1700-68-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/1700-21-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1700-22-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/1700-81-0x0000000000C70000-0x0000000000D70000-memory.dmp

Filesize
1024KB

Download
memory/1700-36-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1716-1-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/1716-40-0x0000000000230000-0x000000000029E000-memory.dmp

Filesize
440KB

Download
memory/1716-37-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/1716-3-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/1716-2-0x0000000000230000-0x000000000029E000-memory.dmp

Filesize
440KB

Download
memory/2792-93-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2792-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2792-79-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download