General

  • Target

    ca3fdca32778040dd55de919f29e997c.bin

  • Size

    332KB

  • Sample

    240430-b8jr2sgh27

  • MD5

    4a7fe64ada0d80d67b2c339872462b49

  • SHA1

    8477c4fbf323c3d4b893360adc53eb5afe706003

  • SHA256

    63073d56bc9600bf17c63a94d717c410b55a7b4901b2178710867aae0ca3fe7f

  • SHA512

    64d63d881c875de80f7030623a85c9ace624961937063d30c0ae5411dc630d75e0e2e9b8a37a4218036daf97bd72e60da7d88ada35c6c16e61da6f598dc70cd2

  • SSDEEP

    6144:GyTKwEq0IDVRAag2RlTZzaIwWE4Bn8pfMrxr9cuTWK9LPuwzVxth:GI+Vgn22R1xbES80rxrZTWKL2Exz

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      412242dc8dd566b6062d501a952253e2a4ef130e646f308e60da4eef123b09dd.exe

    • Size

      451KB

    • MD5

      ca3fdca32778040dd55de919f29e997c

    • SHA1

      7d736e3b6f84d72af135e300a3ec4af4d6951b0b

    • SHA256

      412242dc8dd566b6062d501a952253e2a4ef130e646f308e60da4eef123b09dd

    • SHA512

      d91e13cc49afe5846c997cfa9808e46a6b1ec203a9a8345cd6f663b3327ed25511022b7285b39f5e390bc4a0874685a5e71496e5751b802e87a0e494e7ff2a61

    • SSDEEP

      6144:EbizKU6CpA9+9+HDs15JInfn07l7Ro9+mdb7nrAUYj9To2BwMt2jBse7NUo:EbMKUHmcQs7Po9+esUYjq2SUUTBUo

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks