General

  • Target: d4974e7ebe68940a377c047f30095e402770e225f30aa72fee5330d39781f4ea
  • Size: 357KB
  • Sample: 240430-ababnsec78
  • MD5: 42b8298151b4469fc0b1f50d6f40c634
  • SHA1: 5b3f5fe3a3be334775458a25959b6f179f3abf0c
  • SHA256: d4974e7ebe68940a377c047f30095e402770e225f30aa72fee5330d39781f4ea
  • SHA512: 728ba82f79fc44054de045417ae990d52663aae34e4beac3f9717fc6b9187cb5722ed3442791d1176426f20fc2f174fd6fe89f23f90d0305b6a953b86fe2d166
  • SSDEEP: 6144:C1lNMgxBrplOypd3pj4IvhGkcnokcjh+QyrmqVnUWHBNBW2dGjV5Jl:gNMgbplOq3eysDcjUrBV7doJl

Malware Config

Extracted

  • Family: stealc
  • C2: http://185.172.128.150
  • Attributes
      • url_path: /c698e1bc8a2f5e6d.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15