General
-
Target
b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f
-
Size
390KB
-
Sample
240508-kfky3seb99
-
MD5
fa9503d377b5c90c92af37af6da509ca
-
SHA1
b423382eb3e3229653803c0e8694df8ebf48fe2e
-
SHA256
b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f
-
SHA512
c5c6ab335bfca43f078ba18ffc068236344e6415af0a230a540b2673e89c8027dd09d39ee99c1cbc19d45fa4cc4e1c2b481b8f12087e58afb7db70dccc742602
-
SSDEEP
6144:lh+g4TK8VxKA8N6EI4/4XwQKEoph1I1JfCfnWxnqnoNGAIJxEPRnvssk:lrUK20r6E5/4XgEw2OOQo0AIJxARnkJ
Static task
static1
Behavioral task
behavioral1
Sample
b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
stealc
http://185.172.128.150
-
url_path
/c698e1bc8a2f5e6d.php
Targets
-
-
Target
b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f
-
Size
390KB
-
MD5
fa9503d377b5c90c92af37af6da509ca
-
SHA1
b423382eb3e3229653803c0e8694df8ebf48fe2e
-
SHA256
b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f
-
SHA512
c5c6ab335bfca43f078ba18ffc068236344e6415af0a230a540b2673e89c8027dd09d39ee99c1cbc19d45fa4cc4e1c2b481b8f12087e58afb7db70dccc742602
-
SSDEEP
6144:lh+g4TK8VxKA8N6EI4/4XwQKEoph1I1JfCfnWxnqnoNGAIJxEPRnvssk:lrUK20r6E5/4XgEw2OOQo0AIJxARnkJ
-
Detect ZGRat V1
-
Glupteba payload
-
Modifies firewall policy service
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
1