General

  • Target

    a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35

  • Size

    782KB

  • Sample

    240429-fw5wzabd82

  • MD5

    7fabf15848c951f6665ec449c8c77098

  • SHA1

    f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf

  • SHA256

    a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35

  • SHA512

    4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a

  • SSDEEP

    24576:msP3PswaTgF2US1BHcFZ4wIu3p+3BCku+mzy3EKA+G:mzgFBIjhuZwhu+8EEF9

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35

    • Size

      782KB

    • MD5

      7fabf15848c951f6665ec449c8c77098

    • SHA1

      f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf

    • SHA256

      a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35

    • SHA512

      4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a

    • SSDEEP

      24576:msP3PswaTgF2US1BHcFZ4wIu3p+3BCku+mzy3EKA+G:mzgFBIjhuZwhu+8EEF9

    • Detect ZGRat V1

    • Detects Arechclient2 RAT

      Arechclient2.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • UAC bypass

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks