General

  • Target

    tmp

  • Size

    454KB

  • Sample

    240407-y2xrnadg89

  • MD5

    ff5102331f070d44be63a3446d9a583a

  • SHA1

    5df265bdd7f9302ef089b5c03183f3c6ecf11a56

  • SHA256

    c76e1dc0b8436bd1dfb05c050fb5fd7c890c031088b0698377e0a50c556f01d8

  • SHA512

    4d25a03b35f745d6a3f512add819cfd312aa42598bac555cb781e8621ae01b4111d83a67f2c69ab6b3c640517d5ae533bb19de201561edb7cf12774bc7a2c00e

  • SSDEEP

    12288:2iB9S1zi63i/LYjQogh7cz3EP4Fn4IWneiS6f:2irSI63iTYkogh4DlKrf

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      tmp

    • Size

      454KB

    • MD5

      ff5102331f070d44be63a3446d9a583a

    • SHA1

      5df265bdd7f9302ef089b5c03183f3c6ecf11a56

    • SHA256

      c76e1dc0b8436bd1dfb05c050fb5fd7c890c031088b0698377e0a50c556f01d8

    • SHA512

      4d25a03b35f745d6a3f512add819cfd312aa42598bac555cb781e8621ae01b4111d83a67f2c69ab6b3c640517d5ae533bb19de201561edb7cf12774bc7a2c00e

    • SSDEEP

      12288:2iB9S1zi63i/LYjQogh7cz3EP4Fn4IWneiS6f:2irSI63iTYkogh4DlKrf

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks