General

  • Target

    af8b4b4921cb5c71980a0c33d85e20f87ff9c393962e177b33441401f3d9f0c6

  • Size

    451KB

  • Sample

    240428-nhb1qseg3x

  • MD5

    df7086dc5aa791eded3dca69d4e74f84

  • SHA1

    7cdc39b8348f150d7e37688df4dd3d790feffd87

  • SHA256

    af8b4b4921cb5c71980a0c33d85e20f87ff9c393962e177b33441401f3d9f0c6

  • SHA512

    c567275d51215610e6159b77bb26ef76d0ae5b63d46789938bb9bdaa6a8f53eb12aad579781396debfb551d7816ce96fa6bb8b54c65f51e09ab5ba340541a344

  • SSDEEP

    12288:rBwwS3fz8A9Hmzef9HrPQyczMNoFnc1ND:rKHmzM9HroEoFnc1ND

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.62

Attributes

  • url_path

    /902e53a07830e030.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks