stealc | 9e207b9ccdca9e8dcf77295a5ca62e7245f48a9b86b4e8b659d63719a70960f0

Analysis

max time kernel
2s
max time network
128s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
08/05/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e207b9ccdca9e8dcf77295a5ca62e7245f48a9b86b4e8b659d63719a70960f0.exe
Size

365KB
MD5

493cf2ea13df55a095a64e890695cf3b
SHA1

0bec79b9fd343195ad28748bdcfb3a6273487b37
SHA256

9e207b9ccdca9e8dcf77295a5ca62e7245f48a9b86b4e8b659d63719a70960f0
SHA512

db5fcde0ba6d77cb55b08336de8bf1f1b87a742ba1a073dc2e2c8015cf0b961513e1f771ced5c98ff9dd4bdc0c3aafb2f1edfdf84276e65aed9022920657681d
SSDEEP

6144:mfcBWeUkksvXwBbM4HxlzmJp2C5kbX1Z0DR7M1jTs5gYTmWM:mfcUeGzhHxNQKX1eDR7un0mWM

Score

10^/10

stealc zgrat rat stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/2332-64-0x000002AA48A90000-0x000002AA4C2C4000-memory.dmp	family_zgrat_v1
behavioral2/memory/2332-69-0x000002AA66B30000-0x000002AA66B54000-memory.dmp	family_zgrat_v1
behavioral2/memory/2332-65-0x000002AA66A20000-0x000002AA66B2A000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4820	3344	WerFault.exe	76
4880	3512	WerFault.exe	77

C:\Users\Admin\AppData\Local\Temp\9e207b9ccdca9e8dcf77295a5ca62e7245f48a9b86b4e8b659d63719a70960f0.exe
"C:\Users\Admin\AppData\Local\Temp\9e207b9ccdca9e8dcf77295a5ca62e7245f48a9b86b4e8b659d63719a70960f0.exe"
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\u2kw.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u2kw.0.exe"
  2⤵
  PID:3512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1304
    3⤵
    - Program crash
    PID:4880
- C:\Users\Admin\AppData\Local\Temp\u2kw.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u2kw.1.exe"
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    PID:2332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 976
  2⤵
  - Program crash
  PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3344 -ip 3344
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3512 -ip 3512
1⤵
PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\u2kw.0.exe

Filesize
223KB

MD5
ac3b1a30e96b6d89ce98a21bb5b2093a

SHA1
4270104678195b8cad3520a704c556155a0a65b5

SHA256
803946c2712aec2b60b54b3cd7c3375a9a0158e7ccbfbd4ab8a66e6ddfc7d463

SHA512
65e74527ffa9d6e776d063db44322080315a5a9eb13bb67acd61be6e65862ec127366d742beca349c7ca8281e2f67193bafc14c8c0ee3f222b19b452d05c8491

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2kw.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/2332-86-0x000002AA6BBB0000-0x000002AA6BC12000-memory.dmp

Filesize
392KB

Download
memory/2332-68-0x000002AA668B0000-0x000002AA668C4000-memory.dmp

Filesize
80KB

Download
memory/2332-94-0x000002AA6B950000-0x000002AA6B96E000-memory.dmp

Filesize
120KB

Download
memory/2332-93-0x000002AA6B9F0000-0x000002AA6BA66000-memory.dmp

Filesize
472KB

Download
memory/2332-82-0x000002AA6B220000-0x000002AA6B258000-memory.dmp

Filesize
224KB

Download
memory/2332-66-0x000002AA668A0000-0x000002AA668B0000-memory.dmp

Filesize
64KB

Download
memory/2332-83-0x000002AA6B1F0000-0x000002AA6B1FE000-memory.dmp

Filesize
56KB

Download
memory/2332-85-0x000002AA6BB90000-0x000002AA6BB9A000-memory.dmp

Filesize
40KB

Download
memory/2332-91-0x000002AA6B910000-0x000002AA6B91C000-memory.dmp

Filesize
48KB

Download
memory/2332-64-0x000002AA48A90000-0x000002AA4C2C4000-memory.dmp

Filesize
56.2MB

Download
memory/2332-67-0x000002AA668C0000-0x000002AA668CC000-memory.dmp

Filesize
48KB

Download
memory/2332-69-0x000002AA66B30000-0x000002AA66B54000-memory.dmp

Filesize
144KB

Download
memory/2332-72-0x000002AA66D60000-0x000002AA66E12000-memory.dmp

Filesize
712KB

Download
memory/2332-74-0x000002AA66E10000-0x000002AA66E32000-memory.dmp

Filesize
136KB

Download
memory/2332-73-0x000002AA66E60000-0x000002AA66EB0000-memory.dmp

Filesize
320KB

Download
memory/2332-71-0x000002AA66B80000-0x000002AA66BAA000-memory.dmp

Filesize
168KB

Download
memory/2332-70-0x000002AA66B60000-0x000002AA66B6A000-memory.dmp

Filesize
40KB

Download
memory/2332-79-0x000002AA66EB0000-0x000002AA671B0000-memory.dmp

Filesize
3.0MB

Download
memory/2332-88-0x000002AA6C160000-0x000002AA6C688000-memory.dmp

Filesize
5.2MB

Download
memory/2332-75-0x000002AA4E080000-0x000002AA4E08A000-memory.dmp

Filesize
40KB

Download
memory/2332-87-0x000002AA6BC10000-0x000002AA6BC32000-memory.dmp

Filesize
136KB

Download
memory/2332-65-0x000002AA66A20000-0x000002AA66B2A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-81-0x000002AA6B8E0000-0x000002AA6B8E8000-memory.dmp

Filesize
32KB

Download
memory/2332-84-0x000002AA6B210000-0x000002AA6B218000-memory.dmp

Filesize
32KB

Download
memory/2944-63-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2944-51-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3344-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3344-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3344-1-0x0000000002870000-0x0000000002970000-memory.dmp

Filesize
1024KB

Download
memory/3344-2-0x0000000004310000-0x000000000437C000-memory.dmp

Filesize
432KB

Download
memory/3344-33-0x0000000000400000-0x0000000002597000-memory.dmp

Filesize
33.6MB

Download
memory/3512-101-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3512-13-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3512-96-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3512-99-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3512-14-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3512-103-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download