General

  • Target

    fa5a7ade729b8f91728866b5eb4047a598248bc574a495452b76a980c7bf444a

  • Size

    442KB

  • Sample

    240426-kymkmadb41

  • MD5

    c24473674ac278799684d5456d2d362e

  • SHA1

    e54104a9365c21c1c48cc0faad058e509ba29bfd

  • SHA256

    fa5a7ade729b8f91728866b5eb4047a598248bc574a495452b76a980c7bf444a

  • SHA512

    a816731fb4f2f2c78e54abcc0660c57332d392ccc96c235fa1ca4eba747817b77bbdac334f6896bf830498f89af1a2145a1f47998ad1fd419aaf941ee9007557

  • SSDEEP

    6144:Ovlp7/pMTkjSJX3KkOyhJOF1zL1vMVi0jYZF3Z0DKh8n/QrV:Ovlp7/KQOJnHsLhUKh8n/QrV

Malware Config

Targets

    • Target

      fa5a7ade729b8f91728866b5eb4047a598248bc574a495452b76a980c7bf444a

    • Size

      442KB

    • MD5

      c24473674ac278799684d5456d2d362e

    • SHA1

      e54104a9365c21c1c48cc0faad058e509ba29bfd

    • SHA256

      fa5a7ade729b8f91728866b5eb4047a598248bc574a495452b76a980c7bf444a

    • SHA512

      a816731fb4f2f2c78e54abcc0660c57332d392ccc96c235fa1ca4eba747817b77bbdac334f6896bf830498f89af1a2145a1f47998ad1fd419aaf941ee9007557

    • SSDEEP

      6144:Ovlp7/pMTkjSJX3KkOyhJOF1zL1vMVi0jYZF3Z0DKh8n/QrV:Ovlp7/KQOJnHsLhUKh8n/QrV

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks