General

  • Target

    5166f78d79dd4747fd9b2215b272427b8cf4cd80fa4fee5f1a291a81fb5f50cd

  • Size

    396KB

  • Sample

    240425-yscecsea97

  • MD5

    5639162c3324d30242a477f678cdf7ae

  • SHA1

    6383b421604381f6418a65219e47629d110d5a9a

  • SHA256

    5166f78d79dd4747fd9b2215b272427b8cf4cd80fa4fee5f1a291a81fb5f50cd

  • SHA512

    02528ebb3e42f38b65152fb341e01dfe0d9aa6c381bdb742432335d8850af1fd7813d1369d05b03d884d61910fa5d1140ee6553bc25a0d5e043ef1c6d3aabd61

  • SSDEEP

    6144:4bUya3+rSZfUNPi77LXMIoTKsmQ3ol2nb14ov0d/:sUyaySdnLXvoTmWol4b1j4/

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes

  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      5166f78d79dd4747fd9b2215b272427b8cf4cd80fa4fee5f1a291a81fb5f50cd

    • Size

      396KB

    • MD5

      5639162c3324d30242a477f678cdf7ae

    • SHA1

      6383b421604381f6418a65219e47629d110d5a9a

    • SHA256

      5166f78d79dd4747fd9b2215b272427b8cf4cd80fa4fee5f1a291a81fb5f50cd

    • SHA512

      02528ebb3e42f38b65152fb341e01dfe0d9aa6c381bdb742432335d8850af1fd7813d1369d05b03d884d61910fa5d1140ee6553bc25a0d5e043ef1c6d3aabd61

    • SSDEEP

      6144:4bUya3+rSZfUNPi77LXMIoTKsmQ3ol2nb14ov0d/:sUyaySdnLXvoTmWol4b1j4/

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks