General

  • Target

    5f07907b56589f833d0916aa6b4428977082a844878e620f49053dc868670f52

  • Size

    396KB

  • Sample

    240425-yrne8sea5y

  • MD5

    f8010cfbb1ea6f0c8525eaba77721cf7

  • SHA1

    cf5e7b72af904301fa13f7ec8a8be324dde5c3ea

  • SHA256

    5f07907b56589f833d0916aa6b4428977082a844878e620f49053dc868670f52

  • SHA512

    f295deaf43a8a6f1ec8fc2172da6c569914e8e91f814ff575be2856b227a7ad3be889913113d8c0f690dcf7b321ba74adc74eac00b05e1abeb3a288b6ab5dcec

  • SSDEEP

    6144:4bUya3+rSZfUNPi77LXMIoTKsmQ3ol2nb14ov0d4:sUyaySdnLXvoTmWol4b1j44

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks