redline | 6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65

Analysis

max time kernel
8s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe
Size

448KB
MD5

c22c31718d4cbb0365695f68edb57ada
SHA1

8dbf94484835c0b0112208704a513ba95e096f3b
SHA256

6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65
SHA512

51fd5c1784d1152736cb6ac3337fc7a6241ac4e502dea3770f05f89a6e558536e48c3c522c70f9a096ba6e21eb113054db413240d0b55381708c3517b42e2ce6
SSDEEP

6144:F1NMnDetY9tuM+cZ6/eFCdax1Y888KMgiiKIEAjIwYqcPr4ESDUF5:jNMn4M+HGeX8Uz1HzEsU

Score

10^/10

redline zgrat @cham1ng infostealer rat

Malware Config

Extracted

Family

redline

Botnet

@cham1ng

45.15.156.167:80

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2148-0-0x0000000000A00000-0x0000000000A76000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2880-4-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe

description	pid	process	target process
PID 2148 set thread context of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe

description	pid	process	target process
PID 2148 wrote to memory of 3404	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 3404	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 3404	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe
PID 2148 wrote to memory of 2880	2148	6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe
"C:\Users\Admin\AppData\Local\Temp\6f931cb7abe25efabadf2dbed01920d8c559f362149c422af5228745ab413f65.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-3-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/2148-6-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/2148-8-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2148-0-0x0000000000A00000-0x0000000000A76000-memory.dmp

Filesize
472KB

Download
memory/2148-2-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/2148-1-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2880-9-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2880-12-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/2880-13-0x0000000006C10000-0x0000000007228000-memory.dmp

Filesize
6.1MB

Download
memory/2880-15-0x0000000008560000-0x0000000008572000-memory.dmp

Filesize
72KB

Download
memory/2880-16-0x00000000085C0000-0x00000000085FC000-memory.dmp

Filesize
240KB

Download
memory/2880-14-0x0000000008640000-0x000000000874A000-memory.dmp

Filesize
1.0MB

Download
memory/2880-17-0x0000000008790000-0x00000000087DC000-memory.dmp

Filesize
304KB

Download
memory/2880-4-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2880-11-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/2880-10-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/2880-18-0x0000000009450000-0x00000000094B6000-memory.dmp

Filesize
408KB

Download
memory/2880-19-0x00000000096C0000-0x0000000009710000-memory.dmp

Filesize
320KB

Download
memory/2880-20-0x000000000A5C0000-0x000000000A782000-memory.dmp

Filesize
1.8MB

Download
memory/2880-21-0x000000000ACC0000-0x000000000B1EC000-memory.dmp

Filesize
5.2MB

Download
memory/2880-22-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2880-23-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download