General

  • Target

    b852f511fbaf0000cb6ff92519a399df2c594f20464fd26a9bbe887dac7f61c6

  • Size

    387KB

  • Sample

    240512-c6bjbscf2z

  • MD5

    49ab2ca250abb273e1381e594917cc01

  • SHA1

    13eca084b2d46780bece6c54e8e92169cbc339b8

  • SHA256

    b852f511fbaf0000cb6ff92519a399df2c594f20464fd26a9bbe887dac7f61c6

  • SHA512

    e866f166bbab59ddbdb38d44294ca5a730a48b6e9296eaddb6e7d40cf68ce3c591ae1d4990ea942944767ead78d3c9e5b5d23c7ebdc6cc5fdfb2396811600ce3

  • SSDEEP

    6144:JzP+6ZWEAS2YtQTTtNLiamb2gWwfGtUyeWPwj7Z9o4T9o1:JzP+6sjS3EjLKbdGtqfjC1

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php
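The extracted config above gives two network indicators (the C2 host and the gate path) and the General section gives the file hashes. The following Python block is an added example, not part of the report or of any sandbox tooling; it turns those values into a reusable check that hashes a file body against the report's hashes and matches the C2 host and path against proxy-style log lines. The log format (epoch, client IP, method, URL, status) and the log lines themselves are constructed for this example.

```python
import hashlib
from typing import Iterable
from urllib.parse import urlsplit

# Indicators copied from the report above.
C2_HOST = "185.172.128.150"
C2_PATH = "/c698e1bc8a2f5e6d.php"
REPORT_HASHES = {
    "md5": "49ab2ca250abb273e1381e594917cc01",
    "sha1": "13eca084b2d46780bece6c54e8e92169cbc339b8",
    "sha256": "b852f511fbaf0000cb6ff92519a399df2c594f20464fd26a9bbe887dac7f61c6",
    "sha512": "e866f166bbab59ddbdb38d44294ca5a730a48b6e9296eaddb6e7d40cf68ce3c5"
              "91ae1d4990ea942944767ead78d3c9e5b5d23c7ebdc6cc5fdfb2396811600ce3",
}


def hash_bytes(data: bytes) -> dict:
    """Compute the same four digests the report lists for a file body."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_report_sample(data: bytes) -> bool:
    """True only if every digest agrees; a single mismatch means a different file."""
    return hash_bytes(data) == REPORT_HASHES


def c2_url() -> str:
    """Full gate URL as the sandbox reconstructed it (http, not https)."""
    return "http://" + C2_HOST + C2_PATH


def match_c2_lines(lines: Iterable[str]) -> list:
    """Return (line_number, reason) for every log line touching the C2 host or gate path.

    Host and path are checked independently: the same gate path reappearing on a
    different IP is worth a look, as is any other path on the known C2 host.
    Expected log layout (constructed for this example): "<epoch> <client> <method> <url> <status>".
    """
    found = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines rather than crashing
        parts = urlsplit(fields[3])
        host_hit = parts.hostname == C2_HOST
        path_hit = parts.path == C2_PATH
        if host_hit and path_hit:
            found.append((number, "host+path"))
        elif host_hit:
            found.append((number, "host"))
        elif path_hit:
            found.append((number, "path"))
    return found


# Constructed proxy log: one true beacon, one benign request, one other path on the
# C2 host, and the gate path served from an unrelated internal host.
SAMPLE_LOG = """\
1715500001.123 10.0.0.5 POST http://185.172.128.150/c698e1bc8a2f5e6d.php 200
1715500002.456 10.0.0.5 GET http://example.com/index.html 200
1715500003.789 10.0.0.7 POST http://185.172.128.150/other.php 404
1715500004.000 10.0.0.9 GET http://10.10.10.10/c698e1bc8a2f5e6d.php 200
"""

if __name__ == "__main__":
    for number, reason in match_c2_lines(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {reason}")
```

Matching on the exact path as well as the host is deliberate: the gate filename is the part of the config most likely to survive a C2 IP change, while the IP alone will also catch any other path on the same server.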

Targets

    • Target

      b852f511fbaf0000cb6ff92519a399df2c594f20464fd26a9bbe887dac7f61c6

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detects binaries embedding a considerable number of MFA browser extension IDs.

    • Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
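Several of the behaviours listed above (software enumeration via the Uninstall key, the locale lookup, FTP client configs, browser profile data, wallet files) are individually common in benign software but rarely appear together in one process. The Python block below is an added example, not part of the report or of the sandbox that produced it: it encodes each listed behaviour as a pattern over registry and file access events and flags a process once it hits several categories. The event records, the three-category threshold and the choice of concrete paths (the Uninstall key, HKCU\Control Panel\International for the locale, FileZilla's sitemanager.xml and recentservers.xml, Chromium-style "Login Data", Bitcoin Core's wallet.dat) are assumptions made for this example; the report itself does not name which keys or files the sample touched.

```python
import re
from collections import defaultdict

# Each signature: (behaviour name from the report, event kind, path pattern).
# Patterns are assumptions for this example, chosen to match the report's descriptions.
SIGNATURES = [
    ("checks_installed_software", "registry",
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("checks_location_settings", "registry",
     re.compile(r"\\Control Panel\\International(\\|$)", re.I)),
    ("reads_ftp_client_data", "file",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("reads_browser_profile_data", "file",
     re.compile(r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I)),
    ("accesses_crypto_wallets", "file",
     re.compile(r"\\wallet\.dat$", re.I)),
]


def classify(events) -> dict:
    """Map each pid to the set of behaviour names its events triggered."""
    hits = defaultdict(set)
    for ev in events:
        for name, kind, pattern in SIGNATURES:
            if ev["kind"] == kind and pattern.search(ev["target"]):
                hits[ev["pid"]].add(name)
    return dict(hits)


def flagged(events, threshold: int = 3) -> list:
    """Pids that hit at least `threshold` distinct behaviour categories (threshold is an assumption)."""
    return sorted(pid for pid, names in classify(events).items() if len(names) >= threshold)


# Constructed events: pid 4321 behaves like the sample described above,
# pid 100 is an ordinary process that only enumerates installed software.
EVENTS = [
    {"pid": 4321, "kind": "registry", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4321, "kind": "registry", "target": r"HKCU\Control Panel\International\sCountry"},
    {"pid": 4321, "kind": "file", "target": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4321, "kind": "file", "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4321, "kind": "file", "target": r"C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 100, "kind": "registry", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"},
    {"pid": 100, "kind": "file", "target": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, names in sorted(classify(EVENTS).items()):
        print(pid, sorted(names))
    print("flagged:", flagged(EVENTS))
```

Correlating categories per process rather than alerting on any single pattern is what keeps installers (which read the Uninstall key) and browsers (which read their own profile) from tripping the rule; the stealer is the one process that does all of it in one run.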

MITRE ATT&CK Enterprise v15