redline | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
Size

4.6MB
MD5

1713300ba962c869477e37e4b31e40af
SHA1

d5c4835bc910acccd28dbed0c451043ea8de95ef
SHA256

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d
SHA512

70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1
SSDEEP

49152:H3rPT2lx2/lJe0f3+EGqX9QB+Vhc5fLBwR/WaMiukso0vOAtPeEvpDKYSEsVhbSm:H/jDem3Lc5FTVkso0vOclpeYSHhIs

Score

10^/10

redline zgrat 666 infostealer rat

Malware Config

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2860-0-0x0000000000D90000-0x000000000122E000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/2496-27-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2496-25-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2980	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	31
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2036	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	30
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2088	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	29
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 2860 wrote to memory of 2496	2860	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28

C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
"C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
112KB

MD5
d389963b09ec476b956eb9998b0d4821

SHA1
3a4230cae42169cf4a7f634327ebce12be375e01

SHA256
1605034c6563726c7a60b296eb27b48bded996b8002e63f9134b405b7b7196ca

SHA512
e0078f43d6a6a7607b8e452a7e2c1fecc7ccb63c04e4e632cde1a48ab95254f2655c18751e2ab6346a823b4d6597745043a37ec98b99d8076d51835705946727

Download Submit
memory/2496-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-11-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-17-0x0000000007000000-0x0000000007100000-memory.dmp

Filesize
1024KB

Download
memory/2860-20-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-1-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-4-0x00000000068E0000-0x0000000006A72000-memory.dmp

Filesize
1.6MB

Download
memory/2860-3-0x00000000051F0000-0x00000000053B8000-memory.dmp

Filesize
1.8MB

Download
memory/2860-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-19-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-18-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-15-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-16-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-14-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-13-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-12-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2860-10-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-9-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2860-0-0x0000000000D90000-0x000000000122E000-memory.dmp

Filesize
4.6MB

Download
memory/2860-28-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads