General

  • Target

    be91111bb1e1de2451c5b71d3c8632b229c01322ea81715d30f4ba49b955ff4f

  • Size

    395KB

  • Sample

    240426-endbbahg8t

  • MD5

    1636f66b20c18c5a2922f5b5515e43ce

  • SHA1

    bf99312b4f3ee07395e7596d7089e301a21f437c

  • SHA256

    be91111bb1e1de2451c5b71d3c8632b229c01322ea81715d30f4ba49b955ff4f

  • SHA512

    8c133187e2a57096a856e8006bd2f2066eb7566686abf8c17cf81a6a9ed08abd1cec620c4ba15bf6f846d6d2b8f076bfcf068eba64b9fdb839831affa63091ea

  • SSDEEP

    6144:tJCwBabC3kBgaI2oQGIbxBlzI6V3EKOyepROs4MPF:tJTs9gaIpQp1/zI6EKOyepRO0F

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
