General

  • Target

    2821c25553ee020c2c2152e736807d2fe944a3264b7098db064f24c3b19558f3

  • Size

    396KB

  • Sample

    240425-yszjwsea99

  • MD5

    458384b4ab999837531ee8a8e5f5670b

  • SHA1

    e5d1a104a54771ccaa84de2cfc7be5763726f429

  • SHA256

    2821c25553ee020c2c2152e736807d2fe944a3264b7098db064f24c3b19558f3

  • SHA512

    eb1b20e4f91ec3a25e44f02e0d9baa5b33b52230a6b5637ea1774569c6bc278f4b89627bcb2840fe7826870498178c10f9916bf3710de6395a248d40aef40def

  • SSDEEP

    6144:4bUya3+rSZfUNPi77LXMIoTKsmQ3ol2nb14ov0d1:sUyaySdnLXvoTmWol4b1j41

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes

  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      2821c25553ee020c2c2152e736807d2fe944a3264b7098db064f24c3b19558f3

    • Size

      396KB

    • MD5

      458384b4ab999837531ee8a8e5f5670b

    • SHA1

      e5d1a104a54771ccaa84de2cfc7be5763726f429

    • SHA256

      2821c25553ee020c2c2152e736807d2fe944a3264b7098db064f24c3b19558f3

    • SHA512

      eb1b20e4f91ec3a25e44f02e0d9baa5b33b52230a6b5637ea1774569c6bc278f4b89627bcb2840fe7826870498178c10f9916bf3710de6395a248d40aef40def

    • SSDEEP

      6144:4bUya3+rSZfUNPi77LXMIoTKsmQ3ol2nb14ov0d1:sUyaySdnLXvoTmWol4b1j41

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks