Overview

overview

10

Static

static

1

716741d858...6d.exe

windows7-x64

10

716741d858...6d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2f812118c89341715fbff0ba9530396.bin

  • Size

    1.2MB

  • Sample

    240512-dw1adahb95

  • MD5

    157e2812bb2cac89081abfb2ed722e27

  • SHA1

    5f765caa7278b0f196b28c33bca06653e3064c11

  • SHA256

    157315402efce5f8705b3a957aba92bbc2c573a031ef1f7383454e1be0cdf073

  • SHA512

    9010e21bf454b922b8b904f28ee3a7d447d221982a25c50d0f4656ea55af1be77edbacc4120354f7397b9ca5fa320e0ee7d58f9046d794ab8a65a77c87fc0f18

  • SSDEEP

    24576:4YPjXOSouG9lnQt0U0OK8LPD7itv5Xq2EPsSOeaI35fxJvR3sNVmp8UsRujGjYnU:42jnouG9JLu8D/SOyJfxJp3s3m+dujGv

Score
10/10
gluptebaprivateloaderstealczgratdiscoverydropperevasionexecutionloaderratspywarestealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d.exe

    • Size

      2.7MB

    • MD5

      d2f812118c89341715fbff0ba9530396

    • SHA1

      8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f

    • SHA256

      716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d

    • SHA512

      7a1884c5b2130db511f318103ece6ae1499c1e877e4dfc39d6c83b762febea258b5921fa72ae3b413ecfc752b571b2ce33f6fa1f680461d94fc3d2f1988d6c77

    • SSDEEP

      24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy

    Score
    10/10
    gluptebaprivateloaderstealczgratdiscoverydropperevasionexecutionloaderratspywarestealer

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Modifies firewall policy service

      evasion

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks