redline | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

General

Target

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
Size

4.6MB
MD5

1713300ba962c869477e37e4b31e40af
SHA1

d5c4835bc910acccd28dbed0c451043ea8de95ef
SHA256

2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d
SHA512

70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1
SSDEEP

49152:H3rPT2lx2/lJe0f3+EGqX9QB+Vhc5fLBwR/WaMiukso0vOAtPeEvpDKYSEsVhbSm:H/jDem3Lc5FTVkso0vOclpeYSHhIs

Score

10^/10

redline zgrat 666 infostealer rat

Malware Config

Extracted

Family

redline

Botnet

666

C2

195.20.16.103:18305

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000280000-0x000000000071E000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2496-37-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2496-39-0x0000000007380000-0x00000000073C0000-memory.dmp	family_redline
behavioral1/memory/2496-35-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2496-33-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2496-29-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2496-27-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28
PID 1680 wrote to memory of 2496	1680	2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe	28

C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe
"C:\Users\Admin\AppData\Local\Temp\2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
381KB

MD5
4fa83336ea99429112131ee63e612150

SHA1
3e3ae7fef9e746a46ad2887ccf7cea92012924fb

SHA256
a004a2f08363682c8067d22afb58050ba5d4faf17d024f737d0adc9e5c0b1089

SHA512
34a4fe6d6e18a9dd64ad1cf9fe037e46393b0eaa716781cbe210389bafd7f35d5ebdcffbd349a582c791dd5dc722e0851d15979f3b2c435cf5671e74856e16bf

Download Submit
memory/1680-9-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-21-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-3-0x0000000005560000-0x0000000005728000-memory.dmp

Filesize
1.8MB

Download
memory/1680-4-0x0000000006840000-0x00000000069D2000-memory.dmp

Filesize
1.6MB

Download
memory/1680-13-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-14-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-40-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-10-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/1680-19-0x00000000070E0000-0x00000000071E0000-memory.dmp

Filesize
1024KB

Download
memory/1680-2-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-1-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-11-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-12-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-15-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-16-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-17-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-22-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-18-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-20-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1680-0-0x0000000000280000-0x000000000071E000-memory.dmp

Filesize
4.6MB

Download
memory/2496-39-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download
memory/2496-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-38-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-41-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-42-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing