redline | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

General

Target

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
Size

4.6MB
MD5

1713300ba962c869477e37e4b31e40af
SHA1

d5c4835bc910acccd28dbed0c451043ea8de95ef
SHA256

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d
SHA512

70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1
SSDEEP

49152:H3rPT2lx2/lJe0f3+EGqX9QB+Vhc5fLBwR/WaMiukso0vOAtPeEvpDKYSEsVhbSm:H/jDem3Lc5FTVkso0vOclpeYSHhIs

Score

10^/10

redline zgrat 666 infostealer rat spyware

Malware Config

Extracted

Family

redline

Botnet

666

C2

195.20.16.103:18305

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/2980-0-0x0000000000E70000-0x000000000130E000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/392-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
392	RegSvcs.exe
392	RegSvcs.exe
392	RegSvcs.exe
392	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73
PID 2980 wrote to memory of 392	2980	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	73

C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
"C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
447KB

MD5
bdad836d9a73813e6e35139d5d01f7e0

SHA1
f107e383665b3207add9dab2128b962a2fcab526

SHA256
87602d8d816d4969ef807ed6fa4fdc42754d45df65712eaddabff59cfda0db2f

SHA512
20073d9e5741144b40ba9850231442fe2161a5c0b4f4483ba84d091b8cc0a6b9a1b3ad4a11b9991590564cfa80f078700640cac228af52b8e6d1668542f7ff4d

Download Submit
memory/392-39-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/392-37-0x0000000009900000-0x0000000009E2C000-memory.dmp

Filesize
5.2MB

Download
memory/392-36-0x0000000009200000-0x00000000093C2000-memory.dmp

Filesize
1.8MB

Download
memory/392-35-0x0000000008290000-0x00000000082F6000-memory.dmp

Filesize
408KB

Download
memory/392-34-0x00000000079F0000-0x0000000007A3B000-memory.dmp

Filesize
300KB

Download
memory/392-33-0x0000000007A60000-0x0000000007A9E000-memory.dmp

Filesize
248KB

Download
memory/392-31-0x0000000008110000-0x000000000821A000-memory.dmp

Filesize
1.0MB

Download
memory/392-32-0x00000000079C0000-0x00000000079D2000-memory.dmp

Filesize
72KB

Download
memory/392-30-0x0000000008720000-0x0000000008D26000-memory.dmp

Filesize
6.0MB

Download
memory/392-29-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download
memory/392-27-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/392-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-8-0x00000000079C0000-0x0000000007B52000-memory.dmp

Filesize
1.6MB

Download
memory/2980-14-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-20-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-19-0x00000000081D0000-0x00000000082D0000-memory.dmp

Filesize
1024KB

Download
memory/2980-17-0x00000000061B0000-0x00000000061C0000-memory.dmp

Filesize
64KB

Download
memory/2980-24-0x00000000081D0000-0x00000000082D0000-memory.dmp

Filesize
1024KB

Download
memory/2980-23-0x00000000081D0000-0x00000000082D0000-memory.dmp

Filesize
1024KB

Download
memory/2980-22-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-25-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-18-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-28-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-16-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-15-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-0-0x0000000000E70000-0x000000000130E000-memory.dmp

Filesize
4.6MB

Download
memory/2980-7-0x00000000066C0000-0x0000000006888000-memory.dmp

Filesize
1.8MB

Download
memory/2980-6-0x0000000005F50000-0x0000000005F5A000-memory.dmp

Filesize
40KB

Download
memory/2980-5-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/2980-4-0x0000000005F80000-0x000000000601C000-memory.dmp

Filesize
624KB

Download
memory/2980-3-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/2980-2-0x00000000061C0000-0x00000000066BE000-memory.dmp

Filesize
5.0MB

Download
memory/2980-1-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing