General

  • Target

    8d69727c2a46b71e091671436d75d53a55809a052ab2b36db999cdc622ef7119

  • Size

    405KB

  • Sample

    240429-ftc36sbc96

  • MD5

    252ee57fe3ca6ac598b0c32da01c7a32

  • SHA1

    b9eec61fa3102da89045b72ecac37b954335af2f

  • SHA256

    8d69727c2a46b71e091671436d75d53a55809a052ab2b36db999cdc622ef7119

  • SHA512

    0c841d23d6475dc8dcac0833fec1729dc46fcb75a3d40d9936f45b8de894a4c2de8b9edb3db76c74c3c26d0e5d66317c65b6f6ddbf2730d37938238ef101ca82

  • SSDEEP

    6144:6lvgNss1kOj6Ljn7bgDKzgH3SYfmwdG2mFdEL4tOJDs:6lvgmaeH4KzgXxfFGDdELuOJDs

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.151

Attributes
  • url_path

    /7043a0c6a68d9c65.php

Targets

    • Detects Arechclient2 RAT

      Arechclient2.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks