Overview

overview

10

Static

static

3

3b73d0b407...a7.exe

windows7-x64

10

3b73d0b407...a7.exe

windows10-2004-x64

10

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    213c0265511727869c959abd24ea3677.bin

  • Size

    36KB

  • Sample

    240511-cs56safh9z

  • MD5

    943d93675feeef4d13adee565594c470

  • SHA1

    4f70d5285e716049c9875647283992c145b06e5a

  • SHA256

    e122cd08f4c29e85c278fd23dc628c5ca65bce7362bae6f1e38899dcd6724257

  • SHA512

    292ba9d75ff4482c6aaa0950d1005cf232728e2a9194a4ccd49a1c8587b5c4d32015361dca2143c0f7dd81ceb0fea0392574ffda28a54b221e1673850d9bc8ea

  • SSDEEP

    768:jWoGXUch5tyEYOH2bRJDp2p45HuSZt16vPH0GovKfKyPqb3hYnfdF2U2V:sph5tYC2vl2p45Oyt6f0GeKi3b3Wff2r

Score
10/10
stealczgratdiscoveryexecutionratspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe

    • Size

      49KB

    • MD5

      213c0265511727869c959abd24ea3677

    • SHA1

      22ea6fe23eeb57d0048d1b0e2a826dd66c6969d9

    • SHA256

      3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

    • SHA512

      bfa4d229ade2e47d91f3fb761e68f727aab86980a2697cb06955324e9b61b384569a285edfaa1d1dd7aea95e24d171a770a4f573a19ec795325c68250720f41e

    • SSDEEP

      1536:XferrLkSRoe8C4UZsys0Dh1duFpxFI+PlZ:Xfi3k+oWDBDh1duFpkWlZ

    Score
    10/10
    stealczgratdiscoveryexecutionratspywarestealer

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      25KB

    • MD5

      40d7eca32b2f4d29db98715dd45bfac5

    • SHA1

      124df3f617f562e46095776454e1c0c7bb791cc7

    • SHA256

      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

    • SHA512

      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

    • SSDEEP

      384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks