General

  • Target

    6781c522f3390cc4947959d168e61bbc.bin

  • Size

    36KB

  • Sample

    240428-bqme8adb9y

  • MD5

    d6dafc7fdb29056ca2b69eac1482cc3b

  • SHA1

    e0b54aa09e29283ee408c0a3b07b5faa83734306

  • SHA256

    03ec55805a5f2294793d116bc75c7da56e7a791a20e198125beb7a5a52a16744

  • SHA512

    b4e38d69516626b926407981ff58b3890986c663370ed82b6aa48a24dcd8cece338e812b8cc351ca49f59c81a99a55c4378c418eeb629063b5c72e9d74b4d33a

  • SSDEEP

    768:b7RQbw4p8JymHYHmnf6Z7Zoy8a2Twbbr1fS3YIu7T9WuuMNS0JpDE:3RQX8V0Zloy8a2TwhV/97/i

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667

Extracted

  • Family

    stealc

  • C2

    http://185.172.128.62

  • Attributes

      • url_path

        /902e53a07830e030.php

Targets

    • Target

      1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe

    • Size

      49KB

    • MD5

      6781c522f3390cc4947959d168e61bbc

    • SHA1

      8c94b577b260a9a1606af373ee25ab65478d797d

    • SHA256

      1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784

    • SHA512

      e6478ff7939e4527814539962959f0a2f869960796d392f2b97b5e5a1d371319bf4d060fe1f095b29250797eb9a9d0ba934c270d838837651dc9f5db4ca9b7de

    • SSDEEP

      1536:XferrLkSRoe8C4UZsys0Dh1duFpmFI+PlU:Xfi3k+oWDBDh1duFpbWlU

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      25KB

    • MD5

      40d7eca32b2f4d29db98715dd45bfac5

    • SHA1

      124df3f617f562e46095776454e1c0c7bb791cc7

    • SHA256

      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

    • SHA512

      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

    • SSDEEP

      384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks