General

  • Target: 892d1bd5b0c5dc59d8581b50352c061e2874bbfb819812a1a12439cfe504bc68
  • Size: 395KB
  • Sample: 240425-21h4nagb4t
  • MD5: a8f2c2dc53f8bd76ed060fa37cb9319f
  • SHA1: ba9fd09bc26a1912eb16f3413165f3c0c88c83cb
  • SHA256: 892d1bd5b0c5dc59d8581b50352c061e2874bbfb819812a1a12439cfe504bc68
  • SHA512: 168fc2c0a62669417c6e937f997ffbb5a8b447c52400e168821e5dab296b0af98c618c1ad451161d3dcce68cd798e0d5baa15dcdb50fce56cf2785b385bb1d50
  • SSDEEP: 6144:wfvZZIElv79VasTMGa6tc4F4LiHOWfBmu+rbCmkLiCjj8/UXewVljd1:wPIER79VFXawc4DaDPCmAiz/UXzR1

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15