General

  • Target

    b48b5e0f8213844cc4298aa07945ec2dd82591212b5b6fffb51e8e8035669967

  • Size

    418KB

  • Sample

    240427-e7phpabh7y

  • MD5

    124aebf2659e3b02f3d5fd9525a6ff11

  • SHA1

    ba9c0af13177768d84ae02f47ec5a04941aa9f62

  • SHA256

    b48b5e0f8213844cc4298aa07945ec2dd82591212b5b6fffb51e8e8035669967

  • SHA512

    273ec83703d6c0951f0cff1ec1b9141a9068e2768a513442d6ee93e96d51fb73ed917b7abb5d52563f0455c2b1a4d88c3540fd1bcf39bdb1bf328ef1fdee49a6

  • SSDEEP

    6144:77moGeb6RptVKAv+9sWfx/eLmt6SAQeVTEu680BXs+tTbAo:77+ebCV9LWfx/zUSKVQushT8o

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks