stealc | 9aa0d408fa75257650fb24033f83808fd958a4e8e01e1ca247f4c3c103b287f3

General

Target

990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
Size

416KB
MD5

990458f3c4f2c6d2007245bd95ca1ba0
SHA1

d2d0dab2ee6fb4a8223fe97a861b27a8f8765264
SHA256

9aa0d408fa75257650fb24033f83808fd958a4e8e01e1ca247f4c3c103b287f3
SHA512

51974da1b25af80ebdcd5949c27a955743f4f71d658688c5e168aff5f3f42618cc61cebf863d82defbe7785a5f4c37e5fc398b982a2a9f6051187cfe6e8f1b0b
SSDEEP

12288:V/36Qn32mOgeVztEMz3Jx8fnLd4S3Ntcq:t7deXP8fnRTcq

Score

10^/10

stealc zgrat discovery rat stealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1456-73-0x0000000000BD0000-0x0000000004404000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-74-0x000000001EE80000-0x000000001EF8A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-78-0x000000001EBE0000-0x000000001EC04000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2564	u27s.0.exe
3040	u27s.1.exe

Loads dropped DLL 8 IoCs

pid	Process
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u27s.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u27s.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u27s.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u27s.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u27s.0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1456	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1456	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1456	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1456	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1456	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2564	u27s.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe
3040	u27s.1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2564	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	28
PID 2872 wrote to memory of 2564	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	28
PID 2872 wrote to memory of 2564	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	28
PID 2872 wrote to memory of 2564	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	28
PID 2872 wrote to memory of 3040	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	29
PID 2872 wrote to memory of 3040	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	29
PID 2872 wrote to memory of 3040	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	29
PID 2872 wrote to memory of 3040	2872	990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe	29
PID 3040 wrote to memory of 1456	3040	u27s.1.exe	31
PID 3040 wrote to memory of 1456	3040	u27s.1.exe	31
PID 3040 wrote to memory of 1456	3040	u27s.1.exe	31
PID 3040 wrote to memory of 1456	3040	u27s.1.exe	31

C:\Users\Admin\AppData\Local\Temp\990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\990458f3c4f2c6d2007245bd95ca1ba0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\u27s.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u27s.0.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\u27s.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u27s.1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\f0b49752388645c4b0a6bee88bd69613.tmp

Filesize
1KB

MD5
b0a1c2a82822801e4004ea7152b72636

SHA1
3ebfb2fbbae6281633136b0c2be32f5fff9f0ecd

SHA256
3ed714cad6946ad149753a6c6a165bbb9fc6fb6738284b2edf703aa3babdef56

SHA512
e5f8db6ff71954284de5b344b9145757fdd14a1029bf04ef2729293f05d7109c0644ab7c983b1638331a01b8abccf4bbdeeaec607d5debe17ef2b56c40dc75fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
6a43c6f4356a56dd1e5b00a941da2e7a

SHA1
8bdb0b784237311f5cc51323a448c4a1f0a3fe0e

SHA256
08b68110867f3e4e3dc9a42e547900ddc96464e6ba52d8fe15ab1c13b8fedc6c

SHA512
e2c3f762962471a271e360a9fd81de2ca76cf7ad1ad5fb72201a77251136f3b057b137fda802af9384b4a091604648f9cf2cf0f9f34e27f1758048f14440c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
a510655f32f9e529a3144a805f9561ed

SHA1
6192ee08e7bc622c488f755b5ab3a9cd54548908

SHA256
2d5273934f99468d733f6b7e6473e150bd9691ad6c8dd100c00015fc718317f3

SHA512
d9f14792563444e550369396078c352a983bc062158522527629c5a3fa2f9e2b57018f78c6020ee602b7a82491b7d162e318590ff989cd2a3cbf30421be9fd42

Download Submit
\Users\Admin\AppData\Local\Temp\u27s.0.exe

Filesize
226KB

MD5
8cb22c6d983d9e4c3d48df67207e888f

SHA1
a2ddf20c0854f12fa40802d9b9df5fb6ee287089

SHA256
feb7155e62062e6f3f7ab92c1702b36315a1aebad706741d939bde25de43002d

SHA512
5ae36d56e576ccdbefc2a7ab151eb72f5e6aaf0b6e0ae72eb58e9073e2a05cc485046865e1a9764acd2cc18ba69f844cb27b3deeba8a5baac02a8a13a7ba20ea

Download Submit
\Users\Admin\AppData\Local\Temp\u27s.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/1456-77-0x0000000005B60000-0x0000000005B74000-memory.dmp

Filesize
80KB

Download
memory/1456-80-0x000000001EC10000-0x000000001EC1A000-memory.dmp

Filesize
40KB

Download
memory/1456-95-0x00000000059C0000-0x00000000059CC000-memory.dmp

Filesize
48KB

Download
memory/1456-92-0x00000000059A0000-0x00000000059C2000-memory.dmp

Filesize
136KB

Download
memory/1456-90-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/1456-91-0x0000000005BF0000-0x0000000005C52000-memory.dmp

Filesize
392KB

Download
memory/1456-89-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1456-73-0x0000000000BD0000-0x0000000004404000-memory.dmp

Filesize
56.2MB

Download
memory/1456-74-0x000000001EE80000-0x000000001EF8A000-memory.dmp

Filesize
1.0MB

Download
memory/1456-76-0x0000000005C80000-0x0000000005C8C000-memory.dmp

Filesize
48KB

Download
memory/1456-75-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/1456-87-0x000000001FAC0000-0x000000001FDC0000-memory.dmp

Filesize
3.0MB

Download
memory/1456-78-0x000000001EBE0000-0x000000001EC04000-memory.dmp

Filesize
144KB

Download
memory/1456-83-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1456-82-0x000000001F530000-0x000000001F5E2000-memory.dmp

Filesize
712KB

Download
memory/1456-81-0x000000001F360000-0x000000001F38A000-memory.dmp

Filesize
168KB

Download
memory/2564-61-0x0000000000400000-0x0000000001A03000-memory.dmp

Filesize
22.0MB

Download
memory/2564-112-0x0000000000400000-0x0000000001A03000-memory.dmp

Filesize
22.0MB

Download
memory/2564-121-0x0000000000400000-0x0000000001A03000-memory.dmp

Filesize
22.0MB

Download
memory/2564-130-0x0000000000400000-0x0000000001A03000-memory.dmp

Filesize
22.0MB

Download
memory/2872-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2872-1-0x0000000001B70000-0x0000000001C70000-memory.dmp

Filesize
1024KB

Download
memory/2872-2-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/2872-35-0x0000000001B70000-0x0000000001C70000-memory.dmp

Filesize
1024KB

Download
memory/2872-34-0x0000000000400000-0x0000000001A32000-memory.dmp

Filesize
22.2MB

Download
memory/2872-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3040-72-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads