General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.12246.12715.exe

  • Size

    359KB

  • Sample

    240404-qnc64agh8y

  • MD5

    902ac8e78936748f1c2a65eebe2a5bd7

  • SHA1

    2a1c8a1ddfce7b784b4f67ddf48445a5e3e6affe

  • SHA256

    c5dbbac2c89a06d432aa237cc3af96f33e5848c9ffc3226ecf9a7fa5a5309463

  • SHA512

    adc1fc0cc60804b44bf7b2e240c4faf34109c4893d78c81c8031325d0636a6b537a9af9bc6d93d93a1117b6be0f1ef2155e3fd965af4f5082803a8405eab0a6c

  • SSDEEP

    6144:XnqaECNPTFkBgWFtBaNzFbwhkzp/LU++d0RIxgZk+mGMeja/K5+QEhIv:6a9NPTF8LFt6Jvzp/L2+Ixp1Gxj4KihK

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      SecuriteInfo.com.Win32.PWSX-gen.12246.12715.exe

    • Size

      359KB

    • MD5

      902ac8e78936748f1c2a65eebe2a5bd7

    • SHA1

      2a1c8a1ddfce7b784b4f67ddf48445a5e3e6affe

    • SHA256

      c5dbbac2c89a06d432aa237cc3af96f33e5848c9ffc3226ecf9a7fa5a5309463

    • SHA512

      adc1fc0cc60804b44bf7b2e240c4faf34109c4893d78c81c8031325d0636a6b537a9af9bc6d93d93a1117b6be0f1ef2155e3fd965af4f5082803a8405eab0a6c

    • SSDEEP

      6144:XnqaECNPTFkBgWFtBaNzFbwhkzp/LU++d0RIxgZk+mGMeja/K5+QEhIv:6a9NPTF8LFt6Jvzp/L2+Ixp1Gxj4KihK

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks