General

  • Target

    eda9de6005d8b240fcd625ca6e2c2ec385343f2fb88c9d7233892e8302488a9f.exe

  • Size

    347KB

  • Sample

    240430-cg52mshc63

  • MD5

    850a2a0eee8fe41dc2b84bcf4f692aa2

  • SHA1

    f5e822915d65c96bdb32f441651aaa0ed2884201

  • SHA256

    eda9de6005d8b240fcd625ca6e2c2ec385343f2fb88c9d7233892e8302488a9f

  • SHA512

    df839bcc45fcfebd776b21bbd85948fc69f50110fd3cabf7a53cda39edafd543a86fa40b200df4a45e5022651a2e538d888be3cf8addd6171e2c24d223f2d479

  • SSDEEP

    6144:qQnVK4NKrO3Eg2ASnfP10KVEI9iBmxf4AUkF10KobAMGuRcEEI7lpg2QF:+4NKh1RnfP1bVH9iB+PUkF10BhGuRNEp

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.151

Attributes

  • url_path

    /7043a0c6a68d9c65.php

Targets

    • Target

      eda9de6005d8b240fcd625ca6e2c2ec385343f2fb88c9d7233892e8302488a9f.exe

    • Size

      347KB

    • MD5

      850a2a0eee8fe41dc2b84bcf4f692aa2

    • SHA1

      f5e822915d65c96bdb32f441651aaa0ed2884201

    • SHA256

      eda9de6005d8b240fcd625ca6e2c2ec385343f2fb88c9d7233892e8302488a9f

    • SHA512

      df839bcc45fcfebd776b21bbd85948fc69f50110fd3cabf7a53cda39edafd543a86fa40b200df4a45e5022651a2e538d888be3cf8addd6171e2c24d223f2d479

    • SSDEEP

      6144:qQnVK4NKrO3Eg2ASnfP10KVEI9iBmxf4AUkF10KobAMGuRcEEI7lpg2QF:+4NKh1RnfP1bVH9iB+PUkF10BhGuRNEp

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Detects binaries embedding a considerable number of MFA browser extension IDs.

    • Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
