General

  • Target

    f069178921c8a21f98bd6a1011e7943fa49e067c7112506f4c90036b82862d3e.exe

  • Size

    347KB

  • Sample

    240430-chlpdshc76

  • MD5

    ed95a84c31c965f436ae8ccaa9712fd9

  • SHA1

    d4dfe32aaf0e1f1d0d63107f13eaf29a40d38ea1

  • SHA256

    f069178921c8a21f98bd6a1011e7943fa49e067c7112506f4c90036b82862d3e

  • SHA512

    092ee5d1616fcd7787af91984fee4b67ce2625d8ae6eb621b9c39d59d6a42bc88a9550ccf42920514cd9b342aef36a09a8efd04c32dbaa05df5a18e5af6c7b20

  • SSDEEP

    6144:B0zWKrKBpVw9PVu+AJdTvClKgvkWJG1HYcVABLulAGeJY:ukfw9PqduMVW41HnWlqreJY

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php
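The extracted configuration above is the most directly actionable part of the report: a Stealc sample beacons to its C2 host and posts to a fixed PHP gate path. The following added example (not part of the sandbox report or of any tool) turns those two values into a proxy-log matcher and a hash check against the report's file hashes. The log lines, their "client method url status" layout and the sample bytes fed to the hash check are constructed for the example.

```python
"""Added example: match the report's Stealc C2 config against proxy logs
and compare a file's digests with the report's hashes. Not report code."""
import hashlib
from urllib.parse import urlsplit

# Values copied from the report's "Malware Config" and hash fields.
STEALC_C2 = "http://185.172.128.150"
STEALC_URL_PATH = "/c698e1bc8a2f5e6d.php"
KNOWN_HASHES = {
    "md5": "ed95a84c31c965f436ae8ccaa9712fd9",
    "sha1": "d4dfe32aaf0e1f1d0d63107f13eaf29a40d38ea1",
    "sha256": "f069178921c8a21f98bd6a1011e7943fa49e067c7112506f4c90036b82862d3e",
}

# Constructed proxy log: "<client> <method> <url> <status>" per line.
# This layout is an assumption for the example, not a real product format.
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST http://185.172.128.150/c698e1bc8a2f5e6d.php 200
10.0.0.5 GET http://185.172.128.150:80/c698e1bc8a2f5e6d.php 200
10.0.0.7 GET http://example.com/index.php 200
10.0.0.9 GET http://185.172.128.150/other.php 404
10.0.0.5 GET http://185.172.128.150/ 200
"""


def c2_host() -> str:
    """Host part of the configured C2 URL (port and scheme stripped)."""
    return urlsplit(STEALC_C2).hostname


def match_c2(log_text: str):
    """Return (line_no, url, reason) for every line that reaches the C2 host.

    reason is "gate" when the exact Stealc gate path is requested (high
    confidence) and "host" for any other request to the C2 address, which
    still deserves a look because the panel path can change between builds.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        url = parts[2]
        parsed = urlsplit(url)
        if parsed.hostname != c2_host():
            continue
        reason = "gate" if parsed.path == STEALC_URL_PATH else "host"
        hits.append((line_no, url, reason))
    return hits


def hash_matches(data: bytes):
    """Names of the report's digests that the given bytes reproduce."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name for name, value in digests.items() if KNOWN_HASHES[name] == value}


if __name__ == "__main__":
    for line_no, url, reason in match_c2(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {reason:<4} {url}")
    print("hash match:", hash_matches(b"MZ\x90\x00 constructed, not the sample"))
```

The host comparison goes through urlsplit so that an explicit port (line 2 of the sample log) or a trailing slash does not hide a hit; matching the raw string "http://185.172.128.150" would miss the port form. The hash check compares all three digests so a single weak-hash collision cannot by itself produce a match.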

Targets

    • Target

      f069178921c8a21f98bd6a1011e7943fa49e067c7112506f4c90036b82862d3e.exe

    • Size

      347KB

    • MD5

      ed95a84c31c965f436ae8ccaa9712fd9

    • SHA1

      d4dfe32aaf0e1f1d0d63107f13eaf29a40d38ea1

    • SHA256

      f069178921c8a21f98bd6a1011e7943fa49e067c7112506f4c90036b82862d3e

    • SHA512

      092ee5d1616fcd7787af91984fee4b67ce2625d8ae6eb621b9c39d59d6a42bc88a9550ccf42920514cd9b342aef36a09a8efd04c32dbaa05df5a18e5af6c7b20

    • SSDEEP

      6144:B0zWKrKBpVw9PVu+AJdTvClKgvkWJG1HYcVABLulAGeJY:ukfw9PqduMVW41HnWlqreJY

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect binaries embedding a considerable number of MFA browser extension IDs.

    • Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other session material.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
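The behaviour signatures above (FTP client configuration files, browser profile data, wallet files, Uninstall-key enumeration) are the host-side counterpart of the network config. As an added example, not part of the report, the code below classifies file and registry access events against those categories and raises a verdict when one process touches several of them. The event lines and their "<pid> <op> <target>" layout are constructed for the example; the paths are well-known locations for FileZilla (sitemanager.xml, recentservers.xml under %APPDATA%\FileZilla), Chromium-based browsers ("Login Data", "Cookies", "Web Data" under a User Data profile), a few desktop wallets, and the Windows Uninstall registry key, but the report itself names only FileZilla, so treat the other paths as the author's assumption.

```python
"""Added example: map host telemetry onto the report's infostealer
behaviour categories. Not report code; event format is constructed."""
import re
from collections import Counter

# Constructed events, one per line: "<pid> <op> <target>" (assumed layout).
SAMPLE_EVENTS = """\
4120 FileRead C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\sitemanager.xml
4120 FileRead C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\recentservers.xml
4120 FileRead C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4120 FileRead C:\\Users\\victim\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
4120 RegRead HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip\\DisplayName
4120 FileRead C:\\Windows\\System32\\kernel32.dll
"""

# Category name -> pattern over the event target. Each pattern mirrors one of
# the report's behaviour signatures; wallet names beyond Exodus are assumed.
RULES = [
    ("ftp_client_data",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("browser_profile_data",
     re.compile(r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I)),
    ("crypto_wallet",
     re.compile(r"\\(Exodus|Electrum|Ethereum)\\", re.I)),
    ("installed_software_enum",
     re.compile(r"^HK(LM|CU)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows"
                r"\\CurrentVersion\\Uninstall\\", re.I)),
]


def classify(events: str) -> dict:
    """Count, per category, how many event targets match a rule.

    The target may contain spaces ("Login Data"), so the line is split at
    most twice; lines with fewer than three fields are ignored.
    """
    counts = Counter()
    for line in events.splitlines():
        fields = line.split(" ", 2)
        if len(fields) < 3:
            continue
        target = fields[2]
        for name, pattern in RULES:
            if pattern.search(target):
                counts[name] += 1
                break  # one category per event
    return dict(counts)


def stealer_verdict(counts: dict, threshold: int = 2) -> bool:
    """Flag when at least `threshold` distinct categories were touched.

    A single category (say, one wallet directory) is a weak signal on its
    own; the report's sample hits all of them, which is the pattern to flag.
    """
    return len(counts) >= threshold


if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    print(hits)
    print("stealer-like:", stealer_verdict(hits))
```

Counting distinct categories rather than raw events keeps a backup tool that reads hundreds of browser files from outscoring a stealer that reads one file from each of four places; the threshold is a starting point to tune against your own telemetry.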

MITRE ATT&CK Enterprise v15

Tasks