General

  • Target: 0aee4483f97a3a3989ede57f5260f585fa8a622064993729a9ede5b0adc88a1e
  • Size: 394KB
  • Sample: 240427-fyl7mscf7v
  • MD5: 8ab890785d569d1a5b2c09fe772b77ae
  • SHA1: ae3b12ac67062336df10b73d50db872c27885385
  • SHA256: 0aee4483f97a3a3989ede57f5260f585fa8a622064993729a9ede5b0adc88a1e
  • SHA512: 8c179ac53821b5cceb7e62cde6ea68c8fe5de98d5cd89f8853efcfb4694d798c14d27f7e6b5236646d54cb2e2a125b094b3f319e21c9496243629121f435842b
  • SSDEEP: 6144:fsJVip+l5fK53hCfPr+ICF1ggQyGiezkMza6:fszip+7K52P/+tQdq6

Malware Config

Extracted

Family: stealc

C2: http://185.172.128.76

Attributes
  • url_path: /3cd2b41cbde8fc9c.php

Targets

    • Detect ZGRat V1
    • SectopRAT: SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Stealc: Stealc is an infostealer written in C++.
    • ZGRat: ZGRat is a remote access trojan written in C#.
    • Downloads MZ/PE file
    • Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks