General

  • Target

    f3499823ccca35d858ae2653142ded48.bin

  • Size

    332KB

  • Sample

    240430-cdc7fshb38

  • MD5

    f08bf8009202a102a8183ac44b95ac58

  • SHA1

    75998ec98eda44ceac560ef58c57e18c978005b7

  • SHA256

    202fac821dc6809cfd6ff4b4a991065e9c84010a81068578c3f746d60ac55527

  • SHA512

    148658ace3cd650f37bb2538dd455510a1a30e2d73632816be0e9eb274b9eb4fada97eca29436063129a65c6c2e052d76560eb25c747871312731b253595446d

  • SSDEEP

    6144:LIib+vQhHrueagqrFAGLuzyKI11+1TdvKWxVMbHlPw+At7FBKFkLpU1/WTj:LJ+vQhHKlgqrmc/NP+LvKeVMbFPwLhFt

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      c22e7af2dbc1c8349559c3aa56a868d77541cab76a0fef74c248af97a1957d23.exe

    • Size

      451KB

    • MD5

      f3499823ccca35d858ae2653142ded48

    • SHA1

      86477f41bd8cb48a2cf7922cc89acdb3b7a4f58d

    • SHA256

      c22e7af2dbc1c8349559c3aa56a868d77541cab76a0fef74c248af97a1957d23

    • SHA512

      721a7b13d4d2fd85f267cf62840ca0e26c3b36f601dfce64731b96db0edd0b526535a0008449a4e7a44ba67ea097a69b147792393fb1581f55e380d63c22d68d

    • SSDEEP

      6144:+0HYlMeYOX8mE94DowCxV0jZVqmnvi1UVX1Zbt2S0gjaUI:+04lMXmQ4LCxWjZji1U/rhaUI

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks