General

  • Target

    4c260c37ff0426ee70b74a8eced50bbf526be0ecb1789ef9bbcc1db1b9df94b4

  • Size

    396KB

  • Sample

    240425-y6agxseb8w

  • MD5

    a7d85b87c4e80d382f0c5b152c58b54c

  • SHA1

    d2bd90a39aec985deda625923bf703761a2b4c79

  • SHA256

    4c260c37ff0426ee70b74a8eced50bbf526be0ecb1789ef9bbcc1db1b9df94b4

  • SHA512

    dfbf3a7e02a7e4fde1539a02bc5411f5b60ffaae9dbedb4b1f18e0aa9cb037528f1f5d8d28d89c5d5908dab47dae4382df1da5d3514f607c321e78b1530b8f9f

  • SSDEEP

    6144:4bUya3+rSZfUNPi77LXMIoTKsmQ3ol2nb14ov0d6:sUyaySdnLXvoTmWol4b1j46

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php
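The extracted config above is directly usable as a network IOC: the C2 host plus the `url_path` form the gate URL the stealer posts to. As an added example (not part of this sandbox report and not code from the Stealc family), the following Python scans proxy log lines for that exact gate, for any other traffic to the C2 host, and for a looser pattern. The log format, client IPs and the second host 203.0.113.10 are constructed; the generic regex (a 16-hex-character `.php` name) generalizes from the single `url_path` on this page and is an assumption, not a documented property of the family.

```python
"""
IOC matcher built from the Stealc config extracted on this page.
Added example: not the sandbox's or the malware family's own code.
Assumptions: a constructed squid-style access log (ts client method url
status); the "generic gate" regex generalizes from the one url_path on this
page (16 lowercase hex characters + ".php") and is an assumption.
"""
import re
from urllib.parse import urlsplit

# Values copied from the report's "Malware Config" section.
STEALC_C2 = "http://185.172.128.76"
STEALC_URL_PATH = "/3cd2b41cbde8fc9c.php"

# Derived from the above: bare host and full gate URL.
C2_HOST = urlsplit(STEALC_C2).hostname   # "185.172.128.76"
GATE_URL = STEALC_C2 + STEALC_URL_PATH

# Assumption: generalize the observed gate path shape to other hosts.
# Weaker evidence than an exact C2 match, so it is reported separately.
GENERIC_GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")

# Constructed sample log lines: timestamp client method url status.
SAMPLE_LOG = """\
1714000001.123 10.0.0.5 GET http://example.org/index.html 200
1714000002.456 10.0.0.7 POST http://185.172.128.76/3cd2b41cbde8fc9c.php 200
1714000003.789 10.0.0.7 GET http://185.172.128.76/ 404
1714000004.012 10.0.0.9 POST http://203.0.113.10/9f1e2d3c4b5a6978.php 200
1714000005.345 10.0.0.9 POST http://203.0.113.10/login.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Classify one log line.

    Returns (kind, client, url) where kind is one of
    "exact_c2_gate", "c2_host" or "generic_gate_pattern", or None when
    the line is unparseable or matches nothing.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    # Strongest signal: the exact host + path from the extracted config.
    if parts.hostname == C2_HOST and parts.path == STEALC_URL_PATH:
        return ("exact_c2_gate", m.group("client"), url)
    # Any other contact with the C2 host still warrants a look.
    if parts.hostname == C2_HOST:
        return ("c2_host", m.group("client"), url)
    # Assumed generalization: POST to a 16-hex-char .php gate on any host.
    if m.group("method") == "POST" and GENERIC_GATE_RE.match(parts.path):
        return ("generic_gate_pattern", m.group("client"), url)
    return None


def scan(log_text):
    """Return all hits in a log, in file order, skipping blank lines."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for kind, client, url in scan(SAMPLE_LOG):
        print(f"{kind:22} client={client} url={url}")
```

An exact match on this C2 has a shelf life (the address can be reassigned), so treat `c2_host` and `generic_gate_pattern` hits as leads to review rather than verdicts, and refresh the config values from newer sandbox runs of the same family.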

Targets

    • Target

      4c260c37ff0426ee70b74a8eced50bbf526be0ecb1789ef9bbcc1db1b9df94b4

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks