General

  • Target

    7f7e1c02807a2ac57f765a80b3ae2dde.bin

  • Size

    332KB

  • Sample

    240430-bvx3hsgd23

  • MD5

    7c8ea979685dc56a7f064d03cad22817

  • SHA1

    8b9e2948c9e316a357e5abb4b60dc3b9ba1d4b93

  • SHA256

    c4cedc3010e1e396083b7956b1eeef4cdd92f10943c926f1de63611da0795c29

  • SHA512

    e6e040116b6f044642646f2099b4e732e3f19b3346309dbfbe116795ea9fabe0e5df41265f6307cc222385d38023560bdee71b2cb45bc1faa49d919875378d87

  • SSDEEP

    6144:I5ByG7nEqsjjS0CC6Jd+aPrdg+J3Ev+qvpukf9kJV:ICGAdjjSBC6vzixv+qviJV

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      84aabb05fa24bb4994957177e3721ed6666aadd821b63360ac4417009dfb7db9.exe

    • Size

      451KB

    • MD5

      7f7e1c02807a2ac57f765a80b3ae2dde

    • SHA1

      07139ac51e6664319c8f3490796f8def8ae34660

    • SHA256

      84aabb05fa24bb4994957177e3721ed6666aadd821b63360ac4417009dfb7db9

    • SHA512

      c3ccfb2852bfba2c3f2cf53336a42d18ed96096ed2aabbd1084e8fd48e447303b30a3109199e784afab8e1fd9cdc8e327a653664c6897c863c37dbde1ba46eaf

    • SSDEEP

      6144:NeMRwnTgfMmxqWWKFj/T/WpiCWy6P/cWRk2HdZdqte0w+fFaOs2jyjaUL:NzRwnEfMmxqDOj/DBJcHM7ZKtm+gaUL

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks