General

  • Target

    ba9cbc88e931954d07f5c067e67699d3a91cf9e0917a4ccd4e5065296f2da80b

  • Size

    395KB

  • Sample

    240426-ekwy9ahg51

  • MD5

    71c036b28ca03baf96cc1cbfcfb7281e

  • SHA1

    bdf33cd1ced7176f06c7210a36c48faf57e4227e

  • SHA256

    ba9cbc88e931954d07f5c067e67699d3a91cf9e0917a4ccd4e5065296f2da80b

  • SHA512

    c4964e78ab408f0f72a77c7956aa2bb502633fe77e40daea840e4b7e3cfc2d119f083ab9c12c02a88f1a053f2529285fa31626c933ff9d3e0f10a99ea4e202b8

  • SSDEEP

    6144:tJCwBabC3kBgaI2oQGIbxBlzI6V3EKOyepROs4MPP:tJTs9gaIpQp1/zI6EKOyepRO0P

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes

  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks