General

  • Target: dcf22da8ea10781b56794a28ec64503e41bb32648ab56e9d6a86040eb3bbaf15

  • Size: 406KB

  • Sample: 240425-ev5zxafc5v

  • MD5: 12825ab5c0692e852c2c3907f85dd143

  • SHA1: 91b44cf5a49cb87471b25e1ecf7273a8d72e058a

  • SHA256: dcf22da8ea10781b56794a28ec64503e41bb32648ab56e9d6a86040eb3bbaf15

  • SHA512: c2f38703c968bb2119a3e0a58393494ca43c3c4719b1cf76440c3850e95404bd22bf092e0c2ecd55765c46ef816124557448f42e581d5799a1dc84d1b4e6bd1c

  • SSDEEP: 6144:ZAuhQxtgcHEOgazi/NtXZ8mzVoq/6Jj4M2T1sRg9ivUUfFURO6dEL4tOKrY:ZAuhQTg22NzVoPSMSsRkUfu/dELuOKrY

Malware Config

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks