stealc | 364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683

General

Target

364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
Size

408KB
MD5

a4dcfaa13e52e432fc8fdca623c6f01e
SHA1

a31d46c6989187943a2ff623c0ce40989dc22739
SHA256

364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683
SHA512

ef19c81dfbc921c4e2201f97b3e42895bad3a8783f92ed4d0a69b5e76729115e6b127591041cdd245e9f32db36f0955b12ee4ab1014ac53ab5560ad6aaa5b6bb
SSDEEP

6144:Et/Mq3iBOHmgiOSbXEX1Hj09wKU2mvAJgiBthwUl:LaRilbUX2jS2Bt2Ul

Score

10^/10

stealc zgrat discovery rat stealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2996-72-0x0000000001030000-0x0000000004864000-memory.dmp	family_zgrat_v1
behavioral1/memory/2996-73-0x000000001ED90000-0x000000001EE9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2996-77-0x000000001E100000-0x000000001E124000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2224	u1ys.0.exe
2592	u1ys.1.exe

Loads dropped DLL 8 IoCs

pid	Process
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1ys.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1ys.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1ys.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1ys.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1ys.0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2224	u1ys.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe
2592	u1ys.1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2224	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	28
PID 2548 wrote to memory of 2224	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	28
PID 2548 wrote to memory of 2224	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	28
PID 2548 wrote to memory of 2224	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	28
PID 2548 wrote to memory of 2592	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	29
PID 2548 wrote to memory of 2592	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	29
PID 2548 wrote to memory of 2592	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	29
PID 2548 wrote to memory of 2592	2548	364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe	29
PID 2592 wrote to memory of 2996	2592	u1ys.1.exe	31
PID 2592 wrote to memory of 2996	2592	u1ys.1.exe	31
PID 2592 wrote to memory of 2996	2592	u1ys.1.exe	31
PID 2592 wrote to memory of 2996	2592	u1ys.1.exe	31

C:\Users\Admin\AppData\Local\Temp\364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe
"C:\Users\Admin\AppData\Local\Temp\364e800c0cf1962f36e41f8f1a5a1029decb25007c712277275729e299543683.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\u1ys.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u1ys.0.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\u1ys.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u1ys.1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\63f93027eed6195cee9d6793abbff365863d6c04fe54f71a30d295ffeacda31a\a77176e52ea549d1934de8bba7ea701c.tmp

Filesize
1KB

MD5
d43bda5364085cd942e024093fa3d74b

SHA1
4fce1525020ae31b29f973417a09a50b8f9e8be1

SHA256
a29dfe9969fa286fb8e52b80bc28f388f1f0fe761cf6f5f6d6ea456168633a52

SHA512
bf150a5045942aed7514e0d1b901ed45e9abf879b8d044b88f3cbec5d0858ee73db84ab7e90b9d487375b877141fb6a961c5eda0a03a50ce2f3dc19251a931a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
f5f1a30ebe48ef78ad15f751da612f48

SHA1
c378f66bd10f46c2f4847f65841d9427aed927dd

SHA256
862b0ce25299316f6b33f240532476952f74a489bee6e44241a05e42491e8efa

SHA512
d23b8c49046474ab22a42c38b8aa773e2bad1957292230a02de270c6561f3605257569afd4519bea205ea397ea60bdd71f425bc166f19ade1361b9d9f76ba1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
0da5f42483ff7e4d2208a9236bab10b8

SHA1
ed5b8a27f1a36bdcf3a52a2ff27f74ba479a8f91

SHA256
51a8ef3e0405141c845b83a5635c45fbb7c07e31fa4b81ab41c2a0b9cdb21f4d

SHA512
b9abd1e44188dc3702b06a7d187aa7288e7c2ecb1194c51db1b18a157127ea30211cb711a2600a903e41166230e49ab5dd0b5f6119ea64d961a3873dc5216f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1ys.0.exe

Filesize
223KB

MD5
280229b137b0f36f2b18b9bc7841995d

SHA1
d800c8ecc758ccacfe9a91efd45904efcc17b84a

SHA256
49533fc0ca008e430d35fdabab4b200a70e629e62f5b16f9157b5a82b6494536

SHA512
aeb7566ad83b6b1a01e2d8f6e557a18a75a8bd4229f72cc9e1b1ffe9dd86d14469937eea221e0d436274d4444d4f1732098b98ca3ddc3c7aec65867107fbdec5

Download Submit
\Users\Admin\AppData\Local\Temp\u1ys.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/2224-60-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/2224-134-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/2224-130-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/2224-126-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/2224-115-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/2548-34-0x0000000000400000-0x0000000002B23000-memory.dmp

Filesize
39.1MB

Download
memory/2548-35-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2548-1-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/2548-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2548-2-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/2592-71-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2996-77-0x000000001E100000-0x000000001E124000-memory.dmp

Filesize
144KB

Download
memory/2996-91-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2996-80-0x000000001E120000-0x000000001E14A000-memory.dmp

Filesize
168KB

Download
memory/2996-81-0x000000001F5B0000-0x000000001F662000-memory.dmp

Filesize
712KB

Download
memory/2996-82-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2996-86-0x000000001FC90000-0x000000001FF90000-memory.dmp

Filesize
3.0MB

Download
memory/2996-88-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/2996-89-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2996-90-0x0000000000B20000-0x0000000000B82000-memory.dmp

Filesize
392KB

Download
memory/2996-79-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2996-94-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2996-99-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/2996-76-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/2996-75-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2996-74-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/2996-73-0x000000001ED90000-0x000000001EE9A000-memory.dmp

Filesize
1.0MB

Download
memory/2996-72-0x0000000001030000-0x0000000004864000-memory.dmp

Filesize
56.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads