redline | f98794ad3364950618b5eae55d60842b083975bc73e9ca5628d718195e25bc4f

General

Target

Executor.exe
Size

449KB
MD5

459e8bdeb3cce5eb125daaca4f9801db
SHA1

fe111daa4fca9ef50fa284b207a11efaccf556d6
SHA256

f98794ad3364950618b5eae55d60842b083975bc73e9ca5628d718195e25bc4f
SHA512

f043fd7d7547292aa122f8d3b0af35489a39e20735ad18994124c77e4a73f3cb3a94fe0ef961552dd8bc7763323b887b583ffc103a40224a2d154b37f9b7c751
SSDEEP

6144:UjuyZCYHHoHEf8mrUF/wUVh1GgyejeMJbunO29OIndKU+vAiBxSXCM:yFHHgF/wUVyzMsnO58n+rBxSSM

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1384-0-0x00000000005D0000-0x0000000000628000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1384-0-0x00000000005D0000-0x0000000000628000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Executor.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	qemu-ga.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1384	Executor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	Executor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2144	notepad.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 3056	1384	Executor.exe	78
PID 1384 wrote to memory of 3056	1384	Executor.exe	78

C:\Users\Admin\AppData\Local\Temp\Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Executor.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
  2⤵
  - Executes dropped EXE
  PID:3056

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/1384-13-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/1384-5-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/1384-6-0x0000000004AF0000-0x00000000050F6000-memory.dmp

Filesize
6.0MB

Download
memory/1384-7-0x00000000051A0000-0x00000000051B2000-memory.dmp

Filesize
72KB

Download
memory/1384-8-0x00000000051C0000-0x00000000052CA000-memory.dmp

Filesize
1.0MB

Download
memory/1384-9-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/1384-10-0x0000000005390000-0x00000000053DB000-memory.dmp

Filesize
300KB

Download
memory/1384-11-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/1384-0-0x00000000005D0000-0x0000000000628000-memory.dmp

Filesize
352KB

Download
memory/1384-12-0x00000000059E0000-0x0000000005A56000-memory.dmp

Filesize
472KB

Download
memory/1384-16-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/1384-15-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/1384-14-0x0000000005B50000-0x000000000604E000-memory.dmp

Filesize
5.0MB

Download
memory/1384-17-0x0000000006C00000-0x0000000006DC2000-memory.dmp

Filesize
1.8MB

Download
memory/1384-18-0x0000000007B30000-0x000000000805C000-memory.dmp

Filesize
5.2MB

Download
memory/1384-4-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/1384-27-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-26-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/3056-28-0x00007FF88AE30000-0x00007FF88B81C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-29-0x00007FF88AE30000-0x00007FF88B81C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing