Overview

overview

10

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2024 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.7MB

  • MD5

    a615f2eee64c5d7449a8792cc782b6d6

  • SHA1

    cf1dff4fbbf172c6870c30fc3784bdbd53d49a69

  • SHA256

    4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

  • SHA512

    9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c

  • SSDEEP

    49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Score
10/10
redlinezgrat@oleh_psdiscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

C2

185.172.128.33:8924

Signatures

  • Detect ZGRat V1 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 8 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 22 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
        "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
          4⤵
          • Executes dropped EXE
          PID:740
      • C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
        "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4120
  • C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    1⤵
      PID:4204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      Filesize

      4KB

      MD5

      a5ce3aba68bdb438e98b1d0c70a3d95c

      SHA1

      013f5aa9057bf0b3c0c24824de9d075434501354

      SHA256

      9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

      SHA512

      7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

      Download Submit

    • C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
      Filesize

      221KB

      MD5

      0f56e3f196987ff9992885079f776f74

      SHA1

      89a2f103166c5f15dad32bd8fd1491b913740585

      SHA256

      2080feb792462d70a38746144c619d9a48e5ccb819a509dbdc2b90c1769b3ec3

      SHA512

      0c05cca214e003d35f737d6a5a95398dfa8849e953183480a995b35e531c2638e0bad7338b8d1528252ac9265e2c97ed52a6e2e1341a393d7768d577a3c175ec

      Download Submit

    • C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
      Filesize

      225KB

      MD5

      9d204f2ff6df8372ecf9cb72243fe20e

      SHA1

      dedd0fac338093e612981671ac2eb52f8befa1d2

      SHA256

      687e5c8ab1ea25e735f094ef93a5b1f445b6daf3081ed2c24cba8e1bd4bfdbc4

      SHA512

      a66d67f13fb935c7d032e0ae9558e477ddad6035085b61d743c6b8559bbb19ca2036c00e3b16275897118b0f1b40f34eba7356eabd13208825fca71d0550aafd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
      Filesize

      174KB

      MD5

      b3341a524231b56aa1c5f52c664794fb

      SHA1

      f8be2aed546e9d2b9e44d303e1a6079bdc6d548d

      SHA256

      b0310bd3a5aa7127b0fbe33a9c39eee4fa705ea27aa06ebb6eaf8f169939efd9

      SHA512

      845433efc82af27b7151f207af69146f049bdbbe67e01ef271d393c3cf5839f9c1f4d18f8c2025e81af57c6286686dcea7eeaeb03645ae81624d5f220fd038ce

      Download Submit

    • C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
      Filesize

      220KB

      MD5

      ef9abdab2154264beaa33b44b1943fa3

      SHA1

      21769020b4c15ee47bdc11d8c221ec7cb9fd0d56

      SHA256

      cdbd526f0b5cd1cf9f91ea88d843d6528b92ef58ffbd2ddb75c0c50c8370ee34

      SHA512

      7692b0c68875475767023e92e9b1cb8f790049d6f98f199bf7475821bdd5d2e502674c115502380c98d0c6aa144c1409922361bc898d9a17a2ccbdc3d4cc0a6a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
      Filesize

      172KB

      MD5

      2255fe59199bd0da1b40b5a4c7d56df3

      SHA1

      1fc721e59cfe7bcfb78348580b449d949cc0638f

      SHA256

      512e3ab9892928f206a9f13a64c8567969decad84579a7109884c6512c7efd44

      SHA512

      443595bd3f36d774f35e10b47dd95ec7189c914a93c82839fdae7cc5df8c2816436493f0de8f757d33f3d92fb209c7e10a119983d27b8997e5a0fc385cbbe03c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
      Filesize

      273KB

      MD5

      cf99bd158ac44d6f84d1e45e442e7bdb

      SHA1

      16c998a9903cfad9967585f494396e6bcc03f126

      SHA256

      dc066732b24bd5cd1274433d79071dfcf5ba93d6a130d2379b971e0d697493b3

      SHA512

      2946dcbe325550830f2b365647d3fb8af5f460a08c66353157818ca1ff6c0f596a9fb5be0e636b8f0dcd7a24f2f5c22a283adea568ed8134cf21fa914b6ecb25

      Download Submit

    • memory/740-110-0x00007FFBC94B0000-0x00007FFBC9F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/740-103-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/740-105-0x00007FFBC94B0000-0x00007FFBC9F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/932-23-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-41-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-11-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-19-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-21-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-0-0x0000000005210000-0x00000000053BC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/932-25-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-27-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-29-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-31-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-33-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-35-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-37-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-7-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-39-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-1-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/932-50-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/932-109-0x0000000002AD0000-0x0000000004AD0000-memory.dmp

      Filesize

      32.0MB

      Download

    • memory/932-47-0x0000000002AD0000-0x0000000004AD0000-memory.dmp

      Filesize

      32.0MB

      Download

    • memory/932-15-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-2-0x0000000005050000-0x0000000005060000-memory.dmp

      Filesize

      64KB

      Download

    • memory/932-13-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-3-0x0000000005050000-0x0000000005060000-memory.dmp

      Filesize

      64KB

      Download

    • memory/932-9-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-6-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-17-0x0000000005060000-0x0000000005205000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/932-4-0x00000000053C0000-0x0000000005964000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/932-5-0x0000000005060000-0x000000000520C000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2148-75-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2148-74-0x00000000004A0000-0x00000000004F4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2148-77-0x0000000004DC0000-0x0000000004E52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2148-81-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2148-82-0x0000000004E70000-0x0000000004E7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2148-107-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2292-44-0x0000000000400000-0x0000000000592000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2292-51-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2292-108-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4604-86-0x0000000006230000-0x00000000062A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4604-76-0x0000000005990000-0x0000000005FA8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4604-79-0x0000000005320000-0x0000000005332000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4604-87-0x0000000006430000-0x000000000644E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4604-89-0x0000000007780000-0x00000000077D0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4604-88-0x0000000007360000-0x0000000007522000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4604-90-0x0000000007F40000-0x000000000846C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4604-85-0x0000000005660000-0x00000000056C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4604-104-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4604-72-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4604-71-0x0000000000A40000-0x0000000000A98000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4604-84-0x00000000053F0000-0x000000000543C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4604-83-0x00000000053B0000-0x00000000053EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4604-80-0x0000000005480000-0x000000000558A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4604-78-0x0000000005360000-0x0000000005370000-memory.dmp

      Filesize

      64KB

      Download