General

  • Target

    b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f

  • Size

    390KB

  • Sample

    240508-kfky3seb99

  • MD5

    fa9503d377b5c90c92af37af6da509ca

  • SHA1

    b423382eb3e3229653803c0e8694df8ebf48fe2e

  • SHA256

    b2afce1839f2c1f26dc497b16d200bedb16e6a81bb979a6a45f9371c549fc50f

  • SHA512

    c5c6ab335bfca43f078ba18ffc068236344e6415af0a230a540b2673e89c8027dd09d39ee99c1cbc19d45fa4cc4e1c2b481b8f12087e58afb7db70dccc742602

  • SSDEEP

    6144:lh+g4TK8VxKA8N6EI4/4XwQKEoph1I1JfCfnWxnqnoNGAIJxEPRnvssk:lrUK20r6E5/4XgEw2OOQo0AIJxARnkJ

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Modifies firewall policy service

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Stealc

      Stealc is an infostealer written in C++.

    • UAC bypass

    • Windows security bypass

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
