General

  • Target

    71f134655c1be04282acfbf0944314f016c26a50f34dbaea9122013d2cc1d351.exe

  • Size

    411KB

  • Sample

    240430-bv6dwsgg8t

  • MD5

    303c5121cbdf0b7db668ee2cfed6b8e9

  • SHA1

    c366f445632a5076ba253aadbc8ab3af40da28c7

  • SHA256

    71f134655c1be04282acfbf0944314f016c26a50f34dbaea9122013d2cc1d351

  • SHA512

    a53dd46ae38e4b06a6921df8637f5a146ef3c9ef77fb315f0fba666319056c7ee3f9cb22964abe2581a6defd9066f67080aabf61fd9fb88561ece04ed279cacf

  • SSDEEP

    6144:I+x1ShTyz9EqOq21LVVb7ZpK2FoICp+fGqhDbSe8Lbp779ZLzW6f:9xo2X2xV1ZpKJICpZqR2bdhc6f

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      71f134655c1be04282acfbf0944314f016c26a50f34dbaea9122013d2cc1d351.exe

    • Size

      411KB

    • MD5

      303c5121cbdf0b7db668ee2cfed6b8e9

    • SHA1

      c366f445632a5076ba253aadbc8ab3af40da28c7

    • SHA256

      71f134655c1be04282acfbf0944314f016c26a50f34dbaea9122013d2cc1d351

    • SHA512

      a53dd46ae38e4b06a6921df8637f5a146ef3c9ef77fb315f0fba666319056c7ee3f9cb22964abe2581a6defd9066f67080aabf61fd9fb88561ece04ed279cacf

    • SSDEEP

      6144:I+x1ShTyz9EqOq21LVVb7ZpK2FoICp+fGqhDbSe8Lbp779ZLzW6f:9xo2X2xV1ZpKJICpZqR2bdhc6f

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks