General

  • Target

    de3c10b71100b4579358589b88f4bfb336b1ec050a8fc1c8caad7814d31f7c1f

  • Size

    357KB

  • Sample

    240430-aed42aeh5s

  • MD5

    60b7c0f1de74ec652eb9139d354d5c90

  • SHA1

    dc1048d25ce34d683481cc9662418fbfea6d1d96

  • SHA256

    de3c10b71100b4579358589b88f4bfb336b1ec050a8fc1c8caad7814d31f7c1f

  • SHA512

    14017c5cdc04b5179709ef8b7a0e35cf27fbbedbc63e81f45453f2685c4429e160c4a9838551edade1f8cc9b58e3ff62967fe978ebf27957fab3a4f9f98988c9

  • SSDEEP

    6144:C1lNMgxBrplOypd3pj4IvhGkcnokcjh+QyrmqVnUWHBNBW2dGjV5Jv:gNMgbplOq3eysDcjUrBV7doJv

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      de3c10b71100b4579358589b88f4bfb336b1ec050a8fc1c8caad7814d31f7c1f

    • Size

      357KB

    • MD5

      60b7c0f1de74ec652eb9139d354d5c90

    • SHA1

      dc1048d25ce34d683481cc9662418fbfea6d1d96

    • SHA256

      de3c10b71100b4579358589b88f4bfb336b1ec050a8fc1c8caad7814d31f7c1f

    • SHA512

      14017c5cdc04b5179709ef8b7a0e35cf27fbbedbc63e81f45453f2685c4429e160c4a9838551edade1f8cc9b58e3ff62967fe978ebf27957fab3a4f9f98988c9

    • SSDEEP

      6144:C1lNMgxBrplOypd3pj4IvhGkcnokcjh+QyrmqVnUWHBNBW2dGjV5Jv:gNMgbplOq3eysDcjUrBV7doJv

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks