Analysis
max time kernel: 91s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 18:16
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231215-en
Note: the task listing names behavioral1 on the win7-20231215-en image, but every signature hit below is tagged behavioral2 and the platform header is the Windows 10 2004 x64 image; the IoCs on this page come from that Windows 10 run.
General
Target: file.exe
Size: 1.7MB
MD5: a615f2eee64c5d7449a8792cc782b6d6
SHA1: cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256: 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512: 9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
SSDEEP: 49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm
Malware Config
Extracted
Family: redline
Botnet: @oleh_ps
C2: 185.172.128.33:8924
Signatures

Detect ZGRat V1 (5 IoCs)
resource  yara_rule
behavioral2/memory/2292-44-0x0000000000400000-0x0000000000592000-memory.dmp  family_zgrat_v1
behavioral2/files/0x000600000002322a-62.dat  family_zgrat_v1
behavioral2/memory/4604-71-0x0000000000A40000-0x0000000000A98000-memory.dmp  family_zgrat_v1
behavioral2/files/0x000600000002322a-70.dat  family_zgrat_v1
behavioral2/files/0x000600000002322a-69.dat  family_zgrat_v1
PID 2292 is the RegAsm.exe instance that file.exe writes to and whose thread context it sets (see the SetThreadContext and WriteProcessMemory entries below), so the 0x400000-0x592000 region is the payload mapped into that host. PID 4604 is the dropped Logs.exe.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (8 IoCs)
resource  yara_rule
behavioral2/files/0x000600000002322a-62.dat  family_redline
behavioral2/memory/4604-71-0x0000000000A40000-0x0000000000A98000-memory.dmp  family_redline
behavioral2/files/0x000600000002322a-70.dat  family_redline
behavioral2/files/0x000600000002322b-73.dat  family_redline
behavioral2/files/0x000600000002322a-69.dat  family_redline
behavioral2/memory/2148-74-0x00000000004A0000-0x00000000004F4000-memory.dmp  family_redline
behavioral2/files/0x000600000002322b-68.dat  family_redline
behavioral2/files/0x000600000002322b-57.dat  family_redline
(PID 4604 is Logs.exe, PID 2148 is olehps.exe; both are dropped by RegAsm.exe.)
.NET Reactor protector (22 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource  yara_rule
behavioral2/memory/932-0-0x0000000005210000-0x00000000053BC000-memory.dmp  net_reactor
behavioral2/memory/932-5-0x0000000005060000-0x000000000520C000-memory.dmp  net_reactor
behavioral2/memory/932-{6,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41}-0x0000000005060000-0x0000000005205000-memory.dmp  net_reactor (19 successive dumps of the same region of file.exe, PID 932)
behavioral2/memory/2292-44-0x0000000000400000-0x0000000000592000-memory.dmp  net_reactor
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  RegAsm.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  Logs.exe
Both the hollowed RegAsm.exe host and the dropped Logs.exe read the value. Note that this is a registry read: Sysmon records key create/delete (event 12), value set (13) and rename (14) but not queries, so outside a sandbox this check is visible only through EDR or ETW registry telemetry.
Drops startup file (1 IoCs)
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe  Logs.exe
(Per-user Startup folder persistence; the file name borrows that of the QEMU guest agent binary.)
Executes dropped EXE (3 IoCs)
pid  Process
2148  olehps.exe
4604  Logs.exe
740  qemu-ga.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
description  pid  Process  procid_target
PID 932 (file.exe) set thread context of PID 2292 (RegAsm.exe)  932  file.exe  88
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  Process
4604  Logs.exe
2148  olehps.exe (5 hits)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description  pid  Process
Token: SeDebugPrivilege  932  file.exe
Token: SeDebugPrivilege  4604  Logs.exe
Token: SeDebugPrivilege  2148  olehps.exe
Token: SeDebugPrivilege  2292  RegAsm.exe
Suspicious use of WriteProcessMemory (22 IoCs, grouped; the report lists each write separately)
description  pid  Process  procid_target  count
PID 932 wrote to memory of 2292  932  file.exe  88  8
PID 2292 wrote to memory of 2148  2292  RegAsm.exe  90  3
PID 2292 wrote to memory of 4604  2292  RegAsm.exe  89  3
PID 4604 wrote to memory of 740  4604  Logs.exe  96  2
PID 2292 wrote to memory of 4120  2292  RegAsm.exe  101  3
PID 4120 wrote to memory of 4204  4120  cmd.exe  99  3
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 932 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2292 (depth 2)
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
      PID: 4604 (depth 3)
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        PID: 740 (depth 4)
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
      PID: 2148 (depth 3)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      PID: 4120 (depth 3)
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\choice.exe
        cmdline: choice /C Y /N /D Y /T 3
        PID: 4204 (depth 4; the flattened report shows this entry at depth 1, but the WriteProcessMemory table records 4120 cmd.exe writing to 4204, so it is cmd.exe's child)

Reading the tree:
- file.exe (932) starts RegAsm.exe (2292) with no arguments, writes to it eight times and sets its thread context: the process-hollowing sequence. The 0x400000-0x592000 region of PID 2292 that matches the ZGRat and net_reactor rules is the payload mapped into that host, and it is this hollowed RegAsm.exe that drops and starts Logs.exe and olehps.exe and spawns the cmd.exe clean-up.
- cmd.exe is logged under C:\Windows\SysWOW64 although its command line names System32: the parent RegAsm.exe is the 32-bit build (Framework, not Framework64), so the child is subject to WoW64 file-system redirection.
- choice /C Y /N /D Y /T 3 is a three-second sleep; the chained Del "RegAsm.exe" uses a relative path, so it resolves against cmd.exe's working directory.
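The three behaviours visible in the tree above (an argument-less .NET host hollowed by a parent in a user-writable directory, the choice-then-Del self-delete chain, and an executable running from the per-user Startup folder) as detection logic over Sysmon-style process-creation records. This is an added example, not code from the sandbox vendor or from this report: the records are constructed from the tree on this page (parent PIDs are assumed from the nesting, which the WriteProcessMemory table corroborates), the devenv.exe/RegAsm.exe pair is a made-up benign control, and the `ping`/`timeout` forms of the delete chain are a generalisation beyond the `choice` form this sample uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # resolved image path (Sysmon "Image")
    cmdline: str   # raw command line (Sysmon "CommandLine")


# --- constructed input: built from the process tree in this report ----------
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\file.exe"
CFG = r"C:\Users\Admin\AppData\Roaming\configurationValue"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
# hypothetical path for the benign control; not from the report
DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"

EVENTS: List[ProcEvent] = [
    ProcEvent(932, 1, TMP, f'"{TMP}"'),                       # ppid 1: assumed root
    ProcEvent(2292, 932, FW, f'"{FW}"'),                       # no arguments
    ProcEvent(4604, 2292, CFG + r"\Logs.exe", f'"{CFG}\\Logs.exe"'),
    ProcEvent(740, 4604, STARTUP, f'"{STARTUP}"'),
    ProcEvent(2148, 2292, CFG + r"\olehps.exe", f'"{CFG}\\olehps.exe"'),
    ProcEvent(4120, 2292, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"'),
    ProcEvent(4204, 4120, r"C:\Windows\SysWOW64\choice.exe", r"choice /C Y /N /D Y /T 3"),
    # constructed benign control: a developer registering a COM-visible assembly
    ProcEvent(5000, 1, DEVENV, f'"{DEVENV}"'),
    ProcEvent(5001, 5000, FW, f'"{FW}" /codebase C:\\build\\MyLib.dll'),
]

# --- detections --------------------------------------------------------------
# .NET framework binaries commonly started only to be hollowed by .NET loaders
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|programdata|windows\\temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# delay-then-delete chain: the report's 'choice' form plus the 'ping 127.0.0.1'
# and 'timeout' variants that serve the same purpose (generalisation)
SELF_DELETE = re.compile(
    r"(?:choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+"
    r"|ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1"
    r"|timeout\s+(?:/t\s+)?\d+)"
    r"[^&]*&\s*(?:del|erase)\b", re.I)
# program token (quoted or bare) followed by whatever arguments remain
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the program token on the command line."""
    m = FIRST_TOKEN.match(cmdline)
    return bool(m and m.group(1).strip())


def is_hollow_host_candidate(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """A .NET host started without arguments by a parent in a user-writable
    directory. RegAsm.exe without an assembly argument only prints its usage,
    so a long-lived argument-less instance exists to be hollowed."""
    if basename(ev.image) not in DOTNET_HOSTS or has_arguments(ev.cmdline):
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and USER_WRITABLE.search(parent.image) is not None


def is_self_delete_chain(ev: ProcEvent) -> bool:
    return basename(ev.image) == "cmd.exe" and SELF_DELETE.search(ev.cmdline) is not None


def is_startup_folder_exec(ev: ProcEvent) -> bool:
    return STARTUP_DIR.search(ev.image) is not None


def triage(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return the PIDs each rule fires on, in event order."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, List[int]] = {
        "process_hollowing_host": [], "self_delete_chain": [], "startup_folder_exec": []}
    for ev in events:
        if is_hollow_host_candidate(ev, by_pid):
            hits["process_hollowing_host"].append(ev.pid)
        if is_self_delete_chain(ev):
            hits["self_delete_chain"].append(ev.pid)
        if is_startup_folder_exec(ev):
            hits["startup_folder_exec"].append(ev.pid)
    return hits


if __name__ == "__main__":
    for rule, pids in triage(EVENTS).items():
        print(f"{rule}: {pids}")
```

On the constructed records the hollowing rule fires only on PID 2292 (the benign RegAsm.exe run carries an assembly argument and a parent under Program Files), the self-delete rule on the cmd.exe instance 4120 but not on choice.exe itself, and the Startup rule on qemu-ga.exe (740). The parent-path condition is what keeps the hollowing rule quiet in build environments; drop it only if you are prepared to triage every argument-less MSBuild.exe launch.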
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1: 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256: 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512: 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Filesize: 221KB
MD5: 0f56e3f196987ff9992885079f776f74
SHA1: 89a2f103166c5f15dad32bd8fd1491b913740585
SHA256: 2080feb792462d70a38746144c619d9a48e5ccb819a509dbdc2b90c1769b3ec3
SHA512: 0c05cca214e003d35f737d6a5a95398dfa8849e953183480a995b35e531c2638e0bad7338b8d1528252ac9265e2c97ed52a6e2e1341a393d7768d577a3c175ec

Filesize: 225KB
MD5: 9d204f2ff6df8372ecf9cb72243fe20e
SHA1: dedd0fac338093e612981671ac2eb52f8befa1d2
SHA256: 687e5c8ab1ea25e735f094ef93a5b1f445b6daf3081ed2c24cba8e1bd4bfdbc4
SHA512: a66d67f13fb935c7d032e0ae9558e477ddad6035085b61d743c6b8559bbb19ca2036c00e3b16275897118b0f1b40f34eba7356eabd13208825fca71d0550aafd

Filesize: 174KB
MD5: b3341a524231b56aa1c5f52c664794fb
SHA1: f8be2aed546e9d2b9e44d303e1a6079bdc6d548d
SHA256: b0310bd3a5aa7127b0fbe33a9c39eee4fa705ea27aa06ebb6eaf8f169939efd9
SHA512: 845433efc82af27b7151f207af69146f049bdbbe67e01ef271d393c3cf5839f9c1f4d18f8c2025e81af57c6286686dcea7eeaeb03645ae81624d5f220fd038ce

Filesize: 220KB
MD5: ef9abdab2154264beaa33b44b1943fa3
SHA1: 21769020b4c15ee47bdc11d8c221ec7cb9fd0d56
SHA256: cdbd526f0b5cd1cf9f91ea88d843d6528b92ef58ffbd2ddb75c0c50c8370ee34
SHA512: 7692b0c68875475767023e92e9b1cb8f790049d6f98f199bf7475821bdd5d2e502674c115502380c98d0c6aa144c1409922361bc898d9a17a2ccbdc3d4cc0a6a

Filesize: 172KB
MD5: 2255fe59199bd0da1b40b5a4c7d56df3
SHA1: 1fc721e59cfe7bcfb78348580b449d949cc0638f
SHA256: 512e3ab9892928f206a9f13a64c8567969decad84579a7109884c6512c7efd44
SHA512: 443595bd3f36d774f35e10b47dd95ec7189c914a93c82839fdae7cc5df8c2816436493f0de8f757d33f3d92fb209c7e10a119983d27b8997e5a0fc385cbbe03c

Filesize: 273KB
MD5: cf99bd158ac44d6f84d1e45e442e7bdb
SHA1: 16c998a9903cfad9967585f494396e6bcc03f126
SHA256: dc066732b24bd5cd1274433d79071dfcf5ba93d6a130d2379b971e0d697493b3
SHA512: 2946dcbe325550830f2b365647d3fb8af5f460a08c66353157818ca1ff6c0f596a9fb5be0e636b8f0dcd7a24f2f5c22a283adea568ed8134cf21fa914b6ecb25