General

  • Target

    file

  • Size

    49KB

  • Sample

    240426-k2mpssdc2y

  • MD5

    6781c522f3390cc4947959d168e61bbc

  • SHA1

    8c94b577b260a9a1606af373ee25ab65478d797d

  • SHA256

    1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784

  • SHA512

    e6478ff7939e4527814539962959f0a2f869960796d392f2b97b5e5a1d371319bf4d060fe1f095b29250797eb9a9d0ba934c270d838837651dc9f5db4ca9b7de

  • SSDEEP

    1536:XferrLkSRoe8C4UZsys0Dh1duFpmFI+PlU:Xfi3k+oWDBDh1duFpbWlU

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456

Targets

    • Target

      file

    • Size

      49KB

    • MD5

      6781c522f3390cc4947959d168e61bbc

    • SHA1

      8c94b577b260a9a1606af373ee25ab65478d797d

    • SHA256

      1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784

    • SHA512

      e6478ff7939e4527814539962959f0a2f869960796d392f2b97b5e5a1d371319bf4d060fe1f095b29250797eb9a9d0ba934c270d838837651dc9f5db4ca9b7de

    • SSDEEP

      1536:XferrLkSRoe8C4UZsys0Dh1duFpmFI+PlU:Xfi3k+oWDBDh1duFpbWlU

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      25KB

    • MD5

      40d7eca32b2f4d29db98715dd45bfac5

    • SHA1

      124df3f617f562e46095776454e1c0c7bb791cc7

    • SHA256

      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

    • SHA512

      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

    • SSDEEP

      384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks