General

  • Target

    3827576c88bf7d2e73b4b1ccbfe22d7ec843fc56b4118e7f86b3206c696e3f3b

  • Size

    347KB

  • Sample

    240429-y7spwsca4t

  • MD5

    8c2f414cf86fbac77f0164a64522b5bf

  • SHA1

    b50323b973d045e4a16777f69f309fa46ebcf023

  • SHA256

    3827576c88bf7d2e73b4b1ccbfe22d7ec843fc56b4118e7f86b3206c696e3f3b

  • SHA512

    4f1f2a3b0b85ac934aed6371fc3a95498072bb445a13c4d5aa4e4c86e48de2896f84c8ec072bd127e66439abf6763d9a562f282dbd4014899061633bcbd327de

  • SSDEEP

    6144:Iow3n4zYeN4lwlXFWI46PcJ+bbdtuBx4rEZGl0HIsitMuM:1eeyOl1WI46PcJYSBxSMGl0I9M

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php
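The extracted config gives the C2 as a base URL plus a separate url_path; the gate the sample talks to is their concatenation. As an added example that is not part of the sandbox report, the block below builds that gate URL and sweeps proxy log lines for it, flagging a hit on the exact gate path higher than a hit on the C2 host alone. The log format and the log lines are constructed for the example; only the IP and path come from the report.

```python
import re
from urllib.parse import urlsplit

# Values taken from the report's extracted Stealc config
C2_BASE = "http://185.172.128.150"
C2_PATH = "/c698e1bc8a2f5e6d.php"
C2_HOST = urlsplit(C2_BASE).hostname


def c2_url(base=C2_BASE, path=C2_PATH):
    """Full gate URL: the report's base URL joined with its url_path attribute."""
    return base.rstrip("/") + path


# Constructed proxy log lines in a hypothetical format:
#   <timestamp> <client ip> <method> <url> <status> <bytes>
SAMPLE_LOG = """\
2024-04-29T10:01:02Z 10.0.0.5 POST http://185.172.128.150/c698e1bc8a2f5e6d.php 200 1234
2024-04-29T10:01:05Z 10.0.0.5 GET http://example.com/index.html 200 5120
2024-04-29T10:02:10Z 10.0.0.7 POST http://185.172.128.150/other.php 404 12
2024-04-29T10:03:00Z 10.0.0.9 GET http://185.172.128.150/ 200 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def match_line(line):
    """Return a finding dict if the line touches the C2 host, else None.

    A request to the exact gate path is rated 'high'; any other request to
    the C2 host is rated 'medium' so that recon or follow-up traffic to the
    same infrastructure is still surfaced.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    if parts.hostname != C2_HOST:
        return None
    severity = "high" if parts.path == C2_PATH else "medium"
    return {
        "ts": m["ts"],
        "src": m["src"],
        "method": m["method"],
        "path": parts.path,
        "severity": severity,
    }


def scan_log(text):
    """Apply match_line to every line and keep only the findings."""
    return [f for f in (match_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    print("gate:", c2_url())
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The host comparison uses the parsed hostname rather than a substring match, so a URL such as `http://185.172.128.1500/` or a query string containing the IP does not produce a false positive.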

Targets

    • Target

      3827576c88bf7d2e73b4b1ccbfe22d7ec843fc56b4118e7f86b3206c696e3f3b

    • Size

      347KB

    • MD5

      8c2f414cf86fbac77f0164a64522b5bf

    • SHA1

      b50323b973d045e4a16777f69f309fa46ebcf023

    • SHA256

      3827576c88bf7d2e73b4b1ccbfe22d7ec843fc56b4118e7f86b3206c696e3f3b

    • SHA512

      4f1f2a3b0b85ac934aed6371fc3a95498072bb445a13c4d5aa4e4c86e48de2896f84c8ec072bd127e66439abf6763d9a562f282dbd4014899061633bcbd327de

    • SSDEEP

      6144:Iow3n4zYeN4lwlXFWI46PcJ+bbdtuBx4rEZGl0HIsitMuM:1eeyOl1WI46PcJYSBxSMGl0I9M

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and other injection techniques, consistent with the dropped payloads seen above.

MITRE ATT&CK Enterprise v15

Tasks