General

  • Target

    7a73a594c084542382bfdd764ca6b08941232397f35437b74782ae5b1fb42659.exe

  • Size

    348KB

  • Sample

    240430-bxa1rsgh4z

  • MD5

    12b99c7364914b58406fc6d3b6a4cf99

  • SHA1

    f331dfb6496c09a7db09649267cd0e53f3a1fd6e

  • SHA256

    7a73a594c084542382bfdd764ca6b08941232397f35437b74782ae5b1fb42659

  • SHA512

    b6d0bf56725b372f1ee1f1298b99121291ed11093057af4a1a8ec4b2fb8f89382201f285ef7469f856c7ec79d9db126401911dc4a955bdcd2eaee78d39d4dae1

  • SSDEEP

    6144:rduS03pdQbVg12jXuaGWkJ0Oey7lZr1asn3e5mV/9+D9f/a4ENTUh8d5a1o:ZoXQHy3WkH8sn3e5maa4MYo

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      7a73a594c084542382bfdd764ca6b08941232397f35437b74782ae5b1fb42659.exe

    • Size

      348KB

    • MD5

      12b99c7364914b58406fc6d3b6a4cf99

    • SHA1

      f331dfb6496c09a7db09649267cd0e53f3a1fd6e

    • SHA256

      7a73a594c084542382bfdd764ca6b08941232397f35437b74782ae5b1fb42659

    • SHA512

      b6d0bf56725b372f1ee1f1298b99121291ed11093057af4a1a8ec4b2fb8f89382201f285ef7469f856c7ec79d9db126401911dc4a955bdcd2eaee78d39d4dae1

    • SSDEEP

      6144:rduS03pdQbVg12jXuaGWkJ0Oey7lZr1asn3e5mV/9+D9f/a4ENTUh8d5a1o:ZoXQHy3WkH8sn3e5maa4MYo

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks