General

  • Target

    64cbe0c31f9cff7215653a5cb20276e3e7bea8f9d02e7a45b1202dd41e33ec66.exe

  • Size

    347KB

  • Sample

    240430-btlyvsgg3y

  • MD5

    2aec21f2d3d862bce7ea8ec69e84a107

  • SHA1

    d911e77badf927eb57d20a14ef6d898737ad2b58

  • SHA256

    64cbe0c31f9cff7215653a5cb20276e3e7bea8f9d02e7a45b1202dd41e33ec66

  • SHA512

    c446c286704b7027c919d359c4c627e30a7ecf56923df76184bf9c20505c565dfbdf0965e35f03abc26a581d3b01e18582e9d64e92cc4e32df0badbb94ba4844

  • SSDEEP

    6144:aGNJdD4C4xkIsmIqLoSj9hXc6+Bl7+sysO+ThbGlN50BdYjFqv:d5a+IsmhoSZG5lysynD50Hbv

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detects binaries embedding a considerable number of MFA browser extension IDs.

    • Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks