General

Target: 705685a8deace858e7fc849471c045f3.bin
Size: 36KB
Sample: 240428-bq4dqsch49
MD5: f007377ed5d49973a56300b6eeda6e6f
SHA1: 0b6f34b84e7f93448784a0aab18e90a82bf09340
SHA256: 61808802cf5808232043a5659d064395a10953bffe31b4a2807055b59a945b0e
SHA512: ac6fc120d3ef26dff01f622a3d09cf25f6ab4642e006525398120e1f6b97d70bee936fcea879b32a5fc566ac76765c84594da1d5c609d5d5e9e9d580c8c58b49
SSDEEP: 768:UceE4o0WLi2GSO88j6omX+eGEDWX2HFQfo/+CZjUIG1taWR1lZ:veE70WLkrJtpED02lQfS+CJUv1P

Note: the submitted .bin is named after the MD5 of the 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe target listed under Targets (705685a8deace858e7fc849471c045f3), not after its own MD5. The hashes above belong to the 36KB submitted file; the 49KB exe has its own hash set below, so check a sample in hand against the right row.
Static task
static1

Behavioral task
behavioral1
Sample: 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe
Resource: win7-20240221-en

Behavioral task
behavioral2
Sample: 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe
Resource: win10v2004-20240226-en

Behavioral task
behavioral3
Sample: $PLUGINSDIR/INetC.dll
Resource: win7-20240220-en

Behavioral task
behavioral4
Sample: $PLUGINSDIR/INetC.dll
Resource: win10v2004-20240226-en
Malware Config

Extracted
https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000

Extracted
https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000

Extracted
https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444

Extracted
https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667

Extracted
Family: stealc
C2: http://185.172.128.62
url_path: /902e53a07830e030.php

The four https URLs share one CloudFront distribution, d68kcn56pzfb4.cloudfront.net. A distribution ID belongs to a single AWS account, so the full hostname is a usable indicator; cloudfront.net on its own is shared CDN infrastructure and must not be blocked or alerted on. The Stealc C2 is a bare IP with a single PHP gate path. $PLUGINSDIR is the NSIS plugin directory and INetC.dll is the NSIS Inetc download plugin, which identifies the sample as an NSIS installer stage and fits the "Downloads MZ/PE file" signature recorded below.
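The indicators above are only useful once they are applied to telemetry. The following is an added example, not part of the sandbox report, that turns the extracted configuration into a matcher and runs it over a few constructed proxy log lines (the log format and every client IP in it are invented for the demo). The attacker-controlled distribution hostname is matched in full, any path included, while the C2 IP is matched on host alone because nothing legitimate should be talking to it; the per-client chain check flags hosts that both fetched from the loader CDN and checked in to the Stealc gate, which is stronger evidence of execution than a download alone.

```python
import re
from urllib.parse import urlsplit

# Network indicators copied from the extracted configuration in this report.
LOADER_URLS = [
    "https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000",
    "https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000",
    "https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444",
    "https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667",
]
STEALC_C2_HOST = "185.172.128.62"
STEALC_C2_PATH = "/902e53a07830e030.php"

# The distribution hostname is attacker-controlled; cloudfront.net itself is
# shared by many tenants, so the indicator is the full hostname, never the base domain.
LOADER_HOSTS = {urlsplit(u).hostname for u in LOADER_URLS}
KNOWN_PATHS = {(urlsplit(u).hostname, urlsplit(u).path) for u in LOADER_URLS}
KNOWN_PATHS.add((STEALC_C2_HOST, STEALC_C2_PATH))

# Constructed proxy log lines for the demo (not taken from the report):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-04-28T09:01:12Z 10.0.0.15 GET https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000 200
2024-04-28T09:01:13Z 10.0.0.15 GET https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000 200
2024-04-28T09:01:20Z 10.0.0.15 POST http://185.172.128.62/902e53a07830e030.php 200
2024-04-28T09:02:00Z 10.0.0.22 GET https://d111111abcdef8.cloudfront.net/static/app.js 200
2024-04-28T09:02:05Z 10.0.0.31 GET https://d68kcn56pzfb4.cloudfront.net/load/x.php?id=9999 200
2024-04-28T09:02:09Z 10.0.0.15 GET http://185.172.128.62/ 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_line(line):
    """Return a hit dict for a line that touches the report's infrastructure, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    if host == STEALC_C2_HOST:
        stage = "stealc-c2"          # any contact with the dedicated C2 IP counts
    elif host in LOADER_HOSTS:
        stage = "loader-download"    # anything served by the attacker's distribution
    else:
        return None
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "status": int(status), "stage": stage,
            "known_path": (host, path) in KNOWN_PATHS}


def scan(log_text):
    """All hits in a block of log text, in log order."""
    return [h for h in map(classify_line, log_text.splitlines()) if h]


def clients_with_execution_chain(hits):
    """Clients seen both fetching from the loader CDN and checking in to the Stealc C2."""
    stages = {}
    for h in hits:
        stages.setdefault(h["client"], set()).add(h["stage"])
    return {c for c, s in stages.items() if {"loader-download", "stealc-c2"} <= s}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["stage"], h["path"], "known" if h["known_path"] else "new-path")
    print("clients with full chain:", clients_with_execution_chain(hits))
```

The `known_path` flag separates exact matches against the extracted URLs from new paths on the same infrastructure; the latter still deserve a look because the distribution itself is the indicator, and a new id parameter or gate path usually just means the operator rotated payloads.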
Targets

Target: 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe
Size: 49KB
MD5: 705685a8deace858e7fc849471c045f3
SHA1: 10132365b465a6f231c8e292f462c2d005b4f9b0
SHA256: 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9
SHA512: b9dd7d5ca384ff4ad053d5f01d721f1180b1028e40c96cd94e04f2b2965e2f4be6cf4d2595f67c3e62039320b517e32200ffec165a9c544344d666732a57c56d
SSDEEP: 1536:XferrLkSRoe8C4UZsys0Dh1duFpyFI+Plt:Xfi3k+oWDBDh1duFpXWlt

Signatures
- Detect ZGRat V1
- SectopRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Suspicious use of SetThreadContext (commonly the final step of process hollowing or thread hijacking, so the payload may run inside another process rather than as the dropped file)
Target: $PLUGINSDIR/INetC.dll
Size: 25KB
MD5: 40d7eca32b2f4d29db98715dd45bfac5
SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
SSDEEP: 384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E
Score: 3/10
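The report lists three hash sets (submitted .bin, dropped exe, INetC.dll), and the naming confusion noted under General is exactly how an analyst ends up comparing a sample against the wrong row. The following is an added example, not part of the report or of the sandbox's tooling, that embeds the three hash sets from this page, checks that the table itself is well formed (correct hex lengths, no digest listed twice), and identifies a file in hand against it. The `fake` tables in the test and the `identify_file` helper are assumptions made for the example; a "partial" result, where only some algorithms agree, points at a copy error in the table rather than at the same file.

```python
import hashlib

# Hash sets copied from this report's General and Targets sections.
REPORT_ARTIFACTS = {
    "705685a8deace858e7fc849471c045f3.bin": {
        "md5": "f007377ed5d49973a56300b6eeda6e6f",
        "sha1": "0b6f34b84e7f93448784a0aab18e90a82bf09340",
        "sha256": "61808802cf5808232043a5659d064395a10953bffe31b4a2807055b59a945b0e",
        "sha512": "ac6fc120d3ef26dff01f622a3d09cf25f6ab4642e006525398120e1f6b97d70bee936fcea879b32a5fc566ac76765c84594da1d5c609d5d5e9e9d580c8c58b49",
    },
    "7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe": {
        "md5": "705685a8deace858e7fc849471c045f3",
        "sha1": "10132365b465a6f231c8e292f462c2d005b4f9b0",
        "sha256": "7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9",
        "sha512": "b9dd7d5ca384ff4ad053d5f01d721f1180b1028e40c96cd94e04f2b2965e2f4be6cf4d2595f67c3e62039320b517e32200ffec165a9c544344d666732a57c56d",
    },
    "$PLUGINSDIR/INetC.dll": {
        "md5": "40d7eca32b2f4d29db98715dd45bfac5",
        "sha1": "124df3f617f562e46095776454e1c0c7bb791cc7",
        "sha256": "85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9",
        "sha512": "5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d",
    },
}
ALGS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def report_is_consistent(table=REPORT_ARTIFACTS):
    """Every digest is lowercase hex of the right length and no digest appears under two artifacts."""
    seen = set()
    for hashes in table.values():
        for alg in ALGS:
            h = hashes[alg]
            if len(h) != HEX_LEN[alg] or any(c not in "0123456789abcdef" for c in h):
                return False
            if (alg, h) in seen:
                return False
            seen.add((alg, h))
    return True


def digests(data):
    """All four digests of a byte string, lowercase hex, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def identify(data, table=REPORT_ARTIFACTS):
    """Match a file's digests against the table.

    Returns (artifact name, "full") when every algorithm agrees, (name, "partial:...")
    when only some do (a transcription error in the table, not the same file), and
    (None, "no-match") otherwise.
    """
    d = digests(data)
    for name, expected in table.items():
        agreeing = {alg for alg in ALGS if d[alg] == expected[alg]}
        if len(agreeing) == len(ALGS):
            return name, "full"
        if agreeing:
            return name, "partial:" + ",".join(sorted(agreeing))
    return None, "no-match"


def identify_file(path):
    """Hypothetical convenience wrapper: identify a file on disk against the report."""
    with open(path, "rb") as f:
        return identify(f.read())
```

Run `identify_file("sample")` on a file you believe is this sample; a "full" match on the .exe row rather than the .bin row tells you that you hold the extracted stage, not the container the sandbox received, which matters when comparing sizes and ssdeep values with the report.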