General

  • Target

    0f8ce0c2f6ba4d92ad06eb6974f3eb58aed1ad968865a3da513a2770e825f34d

  • Size

    395KB

  • Sample

    240426-emg8wahg72

  • MD5

    dedaba31a5cb0155c9bb6d9b2e3f6569

  • SHA1

    3a9702f4ad5999bdbdcd4629fa4de6c0ae779b19

  • SHA256

    0f8ce0c2f6ba4d92ad06eb6974f3eb58aed1ad968865a3da513a2770e825f34d

  • SHA512

    ec9744ac5a5e7bddfdefe2aba43bc30ace9e7021371f837480976b4dc6595745d5303b057c930b484ab382700bc1caf2a1e38970925a4b48ce60982a3bef9a1c

  • SSDEEP

    6144:tJCwBabC3kBgaI2oQGIbxBlzI6V3EKOyepROs4MPK:tJTs9gaIpQp1/zI6EKOyepRO0K

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks