redline | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

General

Target

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
Size

4.6MB
MD5

1713300ba962c869477e37e4b31e40af
SHA1

d5c4835bc910acccd28dbed0c451043ea8de95ef
SHA256

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d
SHA512

70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1
SSDEEP

49152:H3rPT2lx2/lJe0f3+EGqX9QB+Vhc5fLBwR/WaMiukso0vOAtPeEvpDKYSEsVhbSm:H/jDem3Lc5FTVkso0vOclpeYSHhIs

Score

10^/10

redline zgrat 666 infostealer rat spyware

Malware Config

Extracted

Family

redline

Botnet

666

C2

195.20.16.103:18305

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1524-0-0x0000000000570000-0x0000000000A0E000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4912-23-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4912	RegSvcs.exe
4912	RegSvcs.exe
4912	RegSvcs.exe
4912	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72
PID 1524 wrote to memory of 4912	1524	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	72

C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
"C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
504KB

MD5
21eabb51f195b9fe598739bf12b8c3ea

SHA1
49f658a101ea5a980714e57b11edc9e54d49e70b

SHA256
5b8b1437a802bde82a4e0035d2efcb00ee5af4d98d143d51919a458f41af03da

SHA512
b98e33a97e305a2c0c12571a763b895c4b42a4260a0656ea9cdf7d961d05f0acca14169ff9b2dee0acb7310fe312e8528ed1e51c5aa36275b6fcb52f07087518

Download Submit
memory/1524-15-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/1524-0-0x0000000000570000-0x0000000000A0E000-memory.dmp

Filesize
4.6MB

Download
memory/1524-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/1524-4-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/1524-5-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/1524-6-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/1524-22-0x0000000007900000-0x0000000007A00000-memory.dmp

Filesize
1024KB

Download
memory/1524-8-0x0000000007090000-0x0000000007222000-memory.dmp

Filesize
1.6MB

Download
memory/1524-14-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1524-26-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download
memory/1524-19-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/1524-18-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/1524-17-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/1524-16-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/1524-20-0x0000000007900000-0x0000000007A00000-memory.dmp

Filesize
1024KB

Download
memory/1524-2-0x0000000005890000-0x0000000005D8E000-memory.dmp

Filesize
5.0MB

Download
memory/1524-7-0x0000000005D90000-0x0000000005F58000-memory.dmp

Filesize
1.8MB

Download
memory/1524-21-0x0000000007900000-0x0000000007A00000-memory.dmp

Filesize
1024KB

Download
memory/1524-1-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download
memory/4912-35-0x000000000A310000-0x000000000A83C000-memory.dmp

Filesize
5.2MB

Download
memory/4912-25-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download
memory/4912-27-0x00000000075F0000-0x0000000007600000-memory.dmp

Filesize
64KB

Download
memory/4912-30-0x0000000007600000-0x0000000007612000-memory.dmp

Filesize
72KB

Download
memory/4912-31-0x0000000007620000-0x000000000765E000-memory.dmp

Filesize
248KB

Download
memory/4912-32-0x0000000007660000-0x00000000076AB000-memory.dmp

Filesize
300KB

Download
memory/4912-29-0x0000000007710000-0x000000000781A000-memory.dmp

Filesize
1.0MB

Download
memory/4912-28-0x0000000008350000-0x0000000008956000-memory.dmp

Filesize
6.0MB

Download
memory/4912-33-0x0000000007E50000-0x0000000007EB6000-memory.dmp

Filesize
408KB

Download
memory/4912-34-0x0000000009C10000-0x0000000009DD2000-memory.dmp

Filesize
1.8MB

Download
memory/4912-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-36-0x0000000009B80000-0x0000000009BD0000-memory.dmp

Filesize
320KB

Download
memory/4912-38-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing