stealc | 400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f

Analysis

max time kernel
27s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe
Size

364KB
MD5

6b088264e25fdf73a516a0797b665971
SHA1

622fdd113c160002b159ad777d53e05348fa2763
SHA256

400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f
SHA512

1e26b0a6cdc86259584f702ba7039d901c04c428f51ea031a3b39ecefe5d26768ae2d06416af15561fdb737430a5623a86eece37e0ebd3610bdc4dea57609e5e
SSDEEP

6144:aEToWW+sKejNKsTbTpfSl2JyRVc6TI2DNJeTNPcOlE/r1EHSRKYTpWM:awot+LKwy/pfSl2Jy7fTPNopJya6tpWM

Score

10^/10

stealc zgrat rat stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/1856-67-0x000002C146230000-0x000002C14633A000-memory.dmp	family_zgrat_v1
behavioral2/memory/1856-71-0x000002C146160000-0x000002C146184000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
740	uu4.0.exe
3132	uu4.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2284	1084	WerFault.exe	79
1384	740	WerFault.exe	82

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uu4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uu4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uu4.1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe
3132	uu4.1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 740	1084	400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe	82
PID 1084 wrote to memory of 740	1084	400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe	82
PID 1084 wrote to memory of 740	1084	400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe	82
PID 1084 wrote to memory of 3132	1084	400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe	85
PID 1084 wrote to memory of 3132	1084	400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe	85
PID 1084 wrote to memory of 3132	1084	400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe	85

C:\Users\Admin\AppData\Local\Temp\400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe
"C:\Users\Admin\AppData\Local\Temp\400cb48c8d22a69febceb65d8be4a632aa376232257372e4555d8a2c6236c99f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\uu4.0.exe
  "C:\Users\Admin\AppData\Local\Temp\uu4.0.exe"
  2⤵
  - Executes dropped EXE
  PID:740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1240
    3⤵
    - Program crash
    PID:1384
- C:\Users\Admin\AppData\Local\Temp\uu4.1.exe
  "C:\Users\Admin\AppData\Local\Temp\uu4.1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3132
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 684
  2⤵
  - Program crash
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1084 -ip 1084
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 740 -ip 740
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uu4.0.exe

Filesize
223KB

MD5
816cbc57fc20eb01645497ed35bdeb19

SHA1
3222b725c5031a12b310ef8c1b8bb120b345c80e

SHA256
c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53

SHA512
2bf23ac407844682107c68705e0ac072d7a8767f0c9a8c2bb913cc394e6c85bd22a7024c5253130f4a5b26a083e9518f2d4f21b775da6d2812ab808587aa399e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uu4.1.exe

Filesize
3.6MB

MD5
bdd4b83b24911fa921092e096d399ac9

SHA1
1a9d97edbce74e14676b7362a1f35ee87e934448

SHA256
86e8ec464f8b3a2877085e8f0e05d75f451f099cbd8d9973bad7a3e113145b4a

SHA512
ba1382c9cae8242f78ebc6c61a636c167e8efbd5500cd0848c1deb26708d17e033ebc19835677ceb68d96a1c7b5b49b091b047db070dfa31809bdcf3ea791f1d

Download Submit
memory/740-13-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/740-14-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/740-94-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/740-110-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/740-106-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/740-102-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/1084-1-0x00000000027D0000-0x00000000028D0000-memory.dmp

Filesize
1024KB

Download
memory/1084-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1084-29-0x0000000000400000-0x0000000002597000-memory.dmp

Filesize
33.6MB

Download
memory/1084-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1084-2-0x00000000042B0000-0x000000000431C000-memory.dmp

Filesize
432KB

Download
memory/1856-93-0x000002C14B0B0000-0x000002C14B0BC000-memory.dmp

Filesize
48KB

Download
memory/1856-89-0x000002C14B090000-0x000002C14B0B2000-memory.dmp

Filesize
136KB

Download
memory/1856-69-0x000002C146100000-0x000002C14610C000-memory.dmp

Filesize
48KB

Download
memory/1856-74-0x000002C146490000-0x000002C146542000-memory.dmp

Filesize
712KB

Download
memory/1856-76-0x000002C1465E0000-0x000002C146602000-memory.dmp

Filesize
136KB

Download
memory/1856-75-0x000002C146590000-0x000002C1465E0000-memory.dmp

Filesize
320KB

Download
memory/1856-73-0x000002C1461F0000-0x000002C14621A000-memory.dmp

Filesize
168KB

Download
memory/1856-72-0x000002C146190000-0x000002C14619A000-memory.dmp

Filesize
40KB

Download
memory/1856-81-0x000002C146610000-0x000002C146910000-memory.dmp

Filesize
3.0MB

Download
memory/1856-77-0x000002C12D6B0000-0x000002C12D6BA000-memory.dmp

Filesize
40KB

Download
memory/1856-68-0x000002C145F10000-0x000002C145F20000-memory.dmp

Filesize
64KB

Download
memory/1856-83-0x000002C14A2A0000-0x000002C14A2A8000-memory.dmp

Filesize
32KB

Download
memory/1856-86-0x000002C14A990000-0x000002C14A998000-memory.dmp

Filesize
32KB

Download
memory/1856-71-0x000002C146160000-0x000002C146184000-memory.dmp

Filesize
144KB

Download
memory/1856-88-0x000002C14B320000-0x000002C14B382000-memory.dmp

Filesize
392KB

Download
memory/1856-90-0x000002C14B8B0000-0x000002C14BDD8000-memory.dmp

Filesize
5.2MB

Download
memory/1856-70-0x000002C145F20000-0x000002C145F34000-memory.dmp

Filesize
80KB

Download
memory/1856-67-0x000002C146230000-0x000002C14633A000-memory.dmp

Filesize
1.0MB

Download
memory/1856-87-0x000002C14AA30000-0x000002C14AA3A000-memory.dmp

Filesize
40KB

Download
memory/1856-85-0x000002C14A970000-0x000002C14A97E000-memory.dmp

Filesize
56KB

Download
memory/1856-84-0x000002C14A9B0000-0x000002C14A9E8000-memory.dmp

Filesize
224KB

Download
memory/1856-95-0x000002C14B190000-0x000002C14B206000-memory.dmp

Filesize
472KB

Download
memory/1856-96-0x000002C14B0F0000-0x000002C14B10E000-memory.dmp

Filesize
120KB

Download
memory/1856-99-0x000002C145F40000-0x000002C1460F3000-memory.dmp

Filesize
1.7MB

Download
memory/1856-66-0x000002C128040000-0x000002C12B874000-memory.dmp

Filesize
56.2MB

Download
memory/3132-65-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3132-52-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download