stealc | 65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b

General

Target

65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
Size

445KB
MD5

a8985bb70c650992e207ddd25c5e6a3e
SHA1

0329a58e279c966e17c667774d6f0c649475bffa
SHA256

65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b
SHA512

4c7c0c5a4a66ee91fcb7da3bcd45f9600f5d1c1f601b96cda283671c77342183d9156e1333b7cbadd1366d9f805b25b2e32e9b30b9e108bd61a6f22d81b61035
SSDEEP

12288:f9zyluCg7RvcQ7tZRsuPE16N0N9k9ptHMx:PCg7RvcKKnitHMx

Score

10^/10

stealc zgrat discovery rat spyware stealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1640-133-0x0000000000DE0000-0x00000000046D8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1640-134-0x000000001F030000-0x000000001F140000-memory.dmp	family_zgrat_v1
behavioral1/memory/1640-138-0x0000000005BE0000-0x0000000005C04000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

resource	yara_rule
behavioral1/memory/2540-119-0x0000000000400000-0x0000000002B06000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2540-129-0x0000000000400000-0x0000000002B06000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

resource	yara_rule
behavioral1/memory/2540-119-0x0000000000400000-0x0000000002B06000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2540-129-0x0000000000400000-0x0000000002B06000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/2540-119-0x0000000000400000-0x0000000002B06000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2540-129-0x0000000000400000-0x0000000002B06000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects encrypted or obfuscated .NET executables 1 IoCs

resource	yara_rule
behavioral1/memory/1640-133-0x0000000000DE0000-0x00000000046D8000-memory.dmp	INDICATOR_EXE_DotNET_Encrypted

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2540	u1l4.0.exe
2712	u1l4.1.exe

Loads dropped DLL 11 IoCs

pid	Process
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
2540	u1l4.0.exe
2540	u1l4.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1l4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1l4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1l4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1l4.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1l4.0.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2540	u1l4.0.exe
2540	u1l4.0.exe
1640	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1640	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1640	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1640	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1640	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe
2712	u1l4.1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2540	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	28
PID 2056 wrote to memory of 2540	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	28
PID 2056 wrote to memory of 2540	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	28
PID 2056 wrote to memory of 2540	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	28
PID 2056 wrote to memory of 2712	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	29
PID 2056 wrote to memory of 2712	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	29
PID 2056 wrote to memory of 2712	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	29
PID 2056 wrote to memory of 2712	2056	65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe	29
PID 2712 wrote to memory of 1640	2712	u1l4.1.exe	31
PID 2712 wrote to memory of 1640	2712	u1l4.1.exe	31
PID 2712 wrote to memory of 1640	2712	u1l4.1.exe	31
PID 2712 wrote to memory of 1640	2712	u1l4.1.exe	31

C:\Users\Admin\AppData\Local\Temp\65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
"C:\Users\Admin\AppData\Local\Temp\65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\u1l4.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u1l4.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\u1l4.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u1l4.1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\46f644179b8f4e139748fe27fe7cc0b8.tmp

Filesize
1KB

MD5
3f17c11b8fb54286c0f45e4d80420a32

SHA1
a52c51e44bcceba5c0adedb8388eaf58cbfd19e5

SHA256
8695854571f2938c940d8c0bb3f7fdfed82169a281c7e94639f1e0b5ea6c573f

SHA512
d44061be636edab9727a97d3dcd27d97d313b9d576924becddfe58b4e1ea36b2b00b24e76a0387849ea8ed12009faf7b26e073d339414ef3ffe0bc082dd48aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
ea698d941b40756c9b989a1c8bfeb1d7

SHA1
5eb7e9b25c13cbd74265ea9d0fc65edce5eef45e

SHA256
93a0301a1a1c562b3c6942eacf613f3a979c7cf828d0c7d51797ffe6602ab024

SHA512
71c86ade049f453d0d12f2c9d1a1e7c44d145a76e872052fde058850c5bca95647038f6d7109c8e17b68da442bf485137368f97cf543a4f49d692294ce1fb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
89fc7fce062c3f61f7440fcae97dd56e

SHA1
998b159129d4d3eb646341058e72856bdaf063e4

SHA256
f886b729d8a5786c0827469381735c6e2be31ede4b70c1812f2c1dff21ae7cb8

SHA512
682372afbf3679f491a3757972a129105914576a3d7e5ab0dddcbdbb12a8bf9c4b45e1d5592f32155468dfae19947289fac0b3a7ffd0a59cee04fc60ca5608c5

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\u1l4.0.exe

Filesize
291KB

MD5
612893f3af1d76a58eddb1399cb8a75e

SHA1
170080d0a93308ee7eabc2949a8f3342b809228c

SHA256
e71a371b4619a44df81513dd372ea02741ebf9d6438624503ff432c45329a256

SHA512
5c0a47a2a9a17dad4546601048d2b91447434f11eedce9629909c672c5e40edfa6c4ae101961c196fdccaa96bab5b428bd282bb9a6e5a96011e1c9a63c3541f7

Download Submit
\Users\Admin\AppData\Local\Temp\u1l4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/1640-134-0x000000001F030000-0x000000001F140000-memory.dmp

Filesize
1.1MB

Download
memory/1640-144-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1640-160-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1640-159-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1640-155-0x000000001E0F0000-0x000000001E0FC000-memory.dmp

Filesize
48KB

Download
memory/1640-151-0x000000001E0C0000-0x000000001E0CA000-memory.dmp

Filesize
40KB

Download
memory/1640-152-0x000000001E0D0000-0x000000001E0F2000-memory.dmp

Filesize
136KB

Download
memory/1640-150-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1640-133-0x0000000000DE0000-0x00000000046D8000-memory.dmp

Filesize
57.0MB

Download
memory/1640-148-0x000000001FC40000-0x000000001FF40000-memory.dmp

Filesize
3.0MB

Download
memory/1640-135-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1640-136-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1640-137-0x0000000000550000-0x0000000000564000-memory.dmp

Filesize
80KB

Download
memory/1640-138-0x0000000005BE0000-0x0000000005C04000-memory.dmp

Filesize
144KB

Download
memory/1640-141-0x000000001ED60000-0x000000001EE12000-memory.dmp

Filesize
712KB

Download
memory/1640-140-0x000000001ED30000-0x000000001ED5A000-memory.dmp

Filesize
168KB

Download
memory/1640-139-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download
memory/1640-143-0x0000000000D70000-0x0000000000DD2000-memory.dmp

Filesize
392KB

Download
memory/1640-142-0x000000001F510000-0x000000001F58A000-memory.dmp

Filesize
488KB

Download
memory/2056-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2056-1-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2056-36-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2056-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2056-2-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/2540-42-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2540-129-0x0000000000400000-0x0000000002B06000-memory.dmp

Filesize
39.0MB

Download
memory/2540-119-0x0000000000400000-0x0000000002B06000-memory.dmp

Filesize
39.0MB

Download
memory/2712-132-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads