redline | 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

Analysis

max time kernel
92s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.7MB
MD5

a615f2eee64c5d7449a8792cc782b6d6
SHA1

cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256

4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512

9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
SSDEEP

49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Score

10^/10

redline zgrat @oleh_ps discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral2/memory/4564-46-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023115-60.dat	family_zgrat_v1
behavioral2/memory/5068-75-0x0000000000140000-0x0000000000198000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023115-74.dat	family_zgrat_v1
behavioral2/files/0x000a000000023115-73.dat	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e3-65.dat	family_redline
behavioral2/files/0x000a000000023115-60.dat	family_redline
behavioral2/files/0x00070000000231e3-72.dat	family_redline
behavioral2/files/0x00070000000231e3-71.dat	family_redline
behavioral2/memory/5068-75-0x0000000000140000-0x0000000000198000-memory.dmp	family_redline
behavioral2/memory/976-77-0x00000000000A0000-0x00000000000F4000-memory.dmp	family_redline
behavioral2/files/0x000a000000023115-74.dat	family_redline
behavioral2/files/0x000a000000023115-73.dat	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 22 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/2420-0-0x0000000005250000-0x00000000053FC000-memory.dmp	net_reactor
behavioral2/memory/2420-6-0x00000000050A0000-0x000000000524C000-memory.dmp	net_reactor
behavioral2/memory/2420-8-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-9-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-11-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-19-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-23-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-25-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-27-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-29-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-31-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-21-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-17-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-15-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-13-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-33-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-35-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-39-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-37-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-43-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/2420-41-0x00000000050A0000-0x0000000005245000-memory.dmp	net_reactor
behavioral2/memory/4564-46-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Logs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Logs.exe

Executes dropped EXE 3 IoCs

pid	Process
976	olehps.exe
5068	Logs.exe
4760	qemu-ga.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 4564	2420	file.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5068	Logs.exe
976	olehps.exe
976	olehps.exe
976	olehps.exe
976	olehps.exe
976	olehps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	file.exe
Token: SeDebugPrivilege	5068	Logs.exe
Token: SeDebugPrivilege	976	olehps.exe
Token: SeDebugPrivilege	4564	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 2420 wrote to memory of 4564	2420	file.exe	87
PID 4564 wrote to memory of 976	4564	RegAsm.exe	89
PID 4564 wrote to memory of 976	4564	RegAsm.exe	89
PID 4564 wrote to memory of 976	4564	RegAsm.exe	89
PID 4564 wrote to memory of 5068	4564	RegAsm.exe	88
PID 4564 wrote to memory of 5068	4564	RegAsm.exe	88
PID 4564 wrote to memory of 5068	4564	RegAsm.exe	88
PID 5068 wrote to memory of 4760	5068	Logs.exe	98
PID 5068 wrote to memory of 4760	5068	Logs.exe	98
PID 4564 wrote to memory of 228	4564	RegAsm.exe	100
PID 4564 wrote to memory of 228	4564	RegAsm.exe	100
PID 4564 wrote to memory of 228	4564	RegAsm.exe	100
PID 228 wrote to memory of 1016	228	cmd.exe	101
PID 228 wrote to memory of 1016	228	cmd.exe	101
PID 228 wrote to memory of 1016	228	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      Executes dropped EXE
      PID:4760
- - C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
110KB

MD5
0fa1cd076cb941c9e32dc08bcfcb446e

SHA1
6104191ebd9829f5020f658f79f5af7c5a228fa5

SHA256
c8b362496eac9bb4d81d881de2db31f5bc6097bb43e3933e442e033c281696eb

SHA512
835b4b02971ef7dd793aabb6dec81de4320de57ad2867ee619308232c8e532da34c0d46460e190aec14b83503b95eb3904d57a7360f7c45507e76e179ee79728

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
325KB

MD5
3058f10b2fe431d9f8a487a35cd89ba3

SHA1
adf31cfada940e96a02305177bea754d4ee41861

SHA256
73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30

SHA512
4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
105KB

MD5
a829b3a76ef0fb76690ecbdcc8da4ce2

SHA1
cb8955901f933ddcff2867a24e7a6a6d041039a5

SHA256
40d70ffa94c65b6ff15144b1ec536b21055bad0a9719fd04720ef92b0d3ed25c

SHA512
2aabc5b9cecbee26f64a6cccd3926558cf4eedd66a46fe6b75b71ee978a36049a78b792cd3a4503826360f061f30afa3134bbde3c8399f66c9c7366cfa5a44f6

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
244KB

MD5
1dea6cd4ac67134e1e81b647650a68ee

SHA1
9629318a861178fb083e5e5109f677188a954565

SHA256
8479c06ed586997c56f3f7078790cdb2aeaac6fd98e5580c857e891759b72ba3

SHA512
de055ffad5eae513d011cadec2414982f15260548dadc6fb1ddacd047ac3f9bc425f512672bab9cfd6ab88200b89f6f2cab60caf53ed063f07008b61ace23f90

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
129KB

MD5
a27d83c95cf81c32e9c0667681109518

SHA1
4cf42042ec54c4ee4f631aa44ae2ea31b0b0bc8f

SHA256
7a355d176dd818b79419b315bb611df36560b7cb8cb44b7245bf9135dd912bc2

SHA512
19beafb74a69729787114a9d718490a49e32306317a29c7b3e31be121fa5dfe344f6a3a60fd54fda2a30cba0d6aec60d37ea7693c726bf4b3379a75dccf4b49a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
128KB

MD5
ad6cd54be37a4a7aad0536a9383daeea

SHA1
941f83c17c90d4c365bb438989e0248059721ae1

SHA256
4384a3f45e0845897a9b73d430fcf4484f7717497f36ab104bcb37d116e9be4f

SHA512
de58794792532a677b4cadea0dcf2ac16794118612ae33f9de4aff188ad3a401578d4ca415fec674f6b905fc9d9bf08679a71d5aa96c224c12caaf9f183a9ba6

Download Submit
memory/976-81-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/976-77-0x00000000000A0000-0x00000000000F4000-memory.dmp

Filesize
336KB

Download
memory/976-76-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/976-83-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/976-79-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/976-96-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2420-21-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-25-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-29-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-31-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-1-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2420-17-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-15-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-13-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-33-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-35-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-39-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-37-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-43-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-41-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-3-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2420-51-0x00000000029F0000-0x00000000049F0000-memory.dmp

Filesize
32.0MB

Download
memory/2420-2-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2420-52-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2420-5-0x0000000005400000-0x00000000059A4000-memory.dmp

Filesize
5.6MB

Download
memory/2420-4-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2420-23-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-19-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-11-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-9-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-6-0x00000000050A0000-0x000000000524C000-memory.dmp

Filesize
1.7MB

Download
memory/2420-8-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-27-0x00000000050A0000-0x0000000005245000-memory.dmp

Filesize
1.6MB

Download
memory/2420-7-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2420-0-0x0000000005250000-0x00000000053FC000-memory.dmp

Filesize
1.7MB

Download
memory/4564-114-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4564-97-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4564-94-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4564-54-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4564-53-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4564-46-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4760-112-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/4760-115-0x00007FFD82400000-0x00007FFD82EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-116-0x00007FFD82400000-0x00007FFD82EC1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-78-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/5068-89-0x0000000005A30000-0x0000000005AA6000-memory.dmp

Filesize
472KB

Download
memory/5068-90-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/5068-91-0x0000000006B60000-0x0000000006BB0000-memory.dmp

Filesize
320KB

Download
memory/5068-92-0x0000000008120000-0x00000000082E2000-memory.dmp

Filesize
1.8MB

Download
memory/5068-93-0x0000000008820000-0x0000000008D4C000-memory.dmp

Filesize
5.2MB

Download
memory/5068-88-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/5068-80-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/5068-87-0x0000000004AF0000-0x0000000004B3C000-memory.dmp

Filesize
304KB

Download
memory/5068-98-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/5068-99-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/5068-86-0x0000000004A90000-0x0000000004ACC000-memory.dmp

Filesize
240KB

Download
memory/5068-85-0x0000000004B60000-0x0000000004C6A000-memory.dmp

Filesize
1.0MB

Download
memory/5068-113-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/5068-82-0x0000000004F90000-0x00000000055A8000-memory.dmp

Filesize
6.1MB

Download
memory/5068-84-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5068-75-0x0000000000140000-0x0000000000198000-memory.dmp

Filesize
352KB

Download