General

  • Target

    7346830995d79cf8e952b5d03120959cbf80f4227a3eed9f100a4dca88697754.exe

  • Size

    454KB

  • Sample

    240408-b182zach51

  • MD5

    55c11e10adbfc2c18a1d7211e31edc4d

  • SHA1

    80f1e6d691f3ec96a3f506b276dc12c9ec9bb7a3

  • SHA256

    7346830995d79cf8e952b5d03120959cbf80f4227a3eed9f100a4dca88697754

  • SHA512

    078fdd9a75920abc674826669178db7d4b1eb60081de5d153d850208539e3527969e1722267c3606463da5465fa1830c1efe4307bcef8ecdf94869a086f7462d

  • SSDEEP

    6144:+pin8J11lQFGDhTjpjpg50uNZRvqj4PYz9c5SfZmdZX+I0f2F5hpZUI66/Qk:Ii8J11lQFG1Hp+PHqj4Qmi2xXY8hP94k

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      7346830995d79cf8e952b5d03120959cbf80f4227a3eed9f100a4dca88697754.exe

    • Size

      454KB

    • MD5

      55c11e10adbfc2c18a1d7211e31edc4d

    • SHA1

      80f1e6d691f3ec96a3f506b276dc12c9ec9bb7a3

    • SHA256

      7346830995d79cf8e952b5d03120959cbf80f4227a3eed9f100a4dca88697754

    • SHA512

      078fdd9a75920abc674826669178db7d4b1eb60081de5d153d850208539e3527969e1722267c3606463da5465fa1830c1efe4307bcef8ecdf94869a086f7462d

    • SSDEEP

      6144:+pin8J11lQFGDhTjpjpg50uNZRvqj4PYz9c5SfZmdZX+I0f2F5hpZUI66/Qk:Ii8J11lQFG1Hp+PHqj4Qmi2xXY8hP94k

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks