General

  • Target

    tmp

  • Size

    386KB

  • Sample

    240427-tkl7dadd6y

  • MD5

    73f40e4d6b322bf4d7c8b18d120af5c7

  • SHA1

    533e7400d1264fe8fb740366e700c035224f83d1

  • SHA256

    9317408100896c9251defb1a2f2cfca2627ac72dce9f4d7f0d5c3bfdc736e179

  • SHA512

    c1e2e2cfa9dc2f829c7bdda1af9dd432a19ff8f3818a1a3ad1b73d6f08f666cbf5cbfb6573e75a7cb0b5288aeccfda6927e5723337a0e822b892fb1d6f280260

  • SSDEEP

    6144:USzVvkBage3IgFEbPijF94P0JK4oivly+5Nicq8mDLKQH8q8am6mWF:DZnFEbqBrK7T6ic237XF

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.62

Attributes
  • url_path

    /902e53a07830e030.php

Targets

    • Target

      tmp

    • Size

      386KB

    • MD5

      73f40e4d6b322bf4d7c8b18d120af5c7

    • SHA1

      533e7400d1264fe8fb740366e700c035224f83d1

    • SHA256

      9317408100896c9251defb1a2f2cfca2627ac72dce9f4d7f0d5c3bfdc736e179

    • SHA512

      c1e2e2cfa9dc2f829c7bdda1af9dd432a19ff8f3818a1a3ad1b73d6f08f666cbf5cbfb6573e75a7cb0b5288aeccfda6927e5723337a0e822b892fb1d6f280260

    • SSDEEP

      6144:USzVvkBage3IgFEbPijF94P0JK4oivly+5Nicq8mDLKQH8q8am6mWF:DZnFEbqBrK7T6ic237XF

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks