redline | 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.7MB
MD5

a615f2eee64c5d7449a8792cc782b6d6
SHA1

cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256

4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512

9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
SSDEEP

49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Score

10^/10

redline zgrat @oleh_ps discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2060-44-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
behavioral2/memory/3928-73-0x0000000000E80000-0x0000000000ED8000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
behavioral2/memory/3928-73-0x0000000000E80000-0x0000000000ED8000-memory.dmp	family_redline
behavioral2/memory/1404-75-0x0000000000FB0000-0x0000000001004000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 22 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/800-0-0x0000000005150000-0x00000000052FC000-memory.dmp	net_reactor
behavioral2/memory/800-5-0x00000000058B0000-0x0000000005A5C000-memory.dmp	net_reactor
behavioral2/memory/800-7-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-6-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-11-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-9-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-13-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-15-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-17-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-19-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-21-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-23-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-25-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-29-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-33-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-35-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-37-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-41-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-39-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-31-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/800-27-0x00000000058B0000-0x0000000005A55000-memory.dmp	net_reactor
behavioral2/memory/2060-44-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeLogs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Logs.exe

Drops startup file 1 IoCs

Processes:

Logs.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Logs.exe
Executes dropped EXE 3 IoCs

Processes:

Logs.exeolehps.exeqemu-ga.exe

pid process

3928 Logs.exe
1404 olehps.exe
1088 qemu-ga.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 800 set thread context of 2060 800 file.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Logs.exeolehps.exe

pid process

3928 Logs.exe
1404 olehps.exe
1404 olehps.exe
1404 olehps.exe
1404 olehps.exe
1404 olehps.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Logs.exe

pid	process
3928	Logs.exe
1404	olehps.exe
1088	qemu-ga.exe

description	pid	process	target process
PID 800 set thread context of 2060	800	file.exe	RegAsm.exe

pid	process
3928	Logs.exe
1404	olehps.exe
1404	olehps.exe
1404	olehps.exe
1404	olehps.exe
1404	olehps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exeLogs.exeolehps.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	800	file.exe
Token: SeDebugPrivilege	3928	Logs.exe
Token: SeDebugPrivilege	1404	olehps.exe
Token: SeDebugPrivilege	2060	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

file.exeRegAsm.exeLogs.execmd.exe

description	pid	process	target process
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 800 wrote to memory of 2060	800	file.exe	RegAsm.exe
PID 2060 wrote to memory of 3928	2060	RegAsm.exe	Logs.exe
PID 2060 wrote to memory of 3928	2060	RegAsm.exe	Logs.exe
PID 2060 wrote to memory of 3928	2060	RegAsm.exe	Logs.exe
PID 2060 wrote to memory of 1404	2060	RegAsm.exe	olehps.exe
PID 2060 wrote to memory of 1404	2060	RegAsm.exe	olehps.exe
PID 2060 wrote to memory of 1404	2060	RegAsm.exe	olehps.exe
PID 3928 wrote to memory of 1088	3928	Logs.exe	qemu-ga.exe
PID 3928 wrote to memory of 1088	3928	Logs.exe	qemu-ga.exe
PID 2060 wrote to memory of 3728	2060	RegAsm.exe	cmd.exe
PID 2060 wrote to memory of 3728	2060	RegAsm.exe	cmd.exe
PID 2060 wrote to memory of 3728	2060	RegAsm.exe	cmd.exe
PID 3728 wrote to memory of 4740	3728	cmd.exe	choice.exe
PID 3728 wrote to memory of 4740	3728	cmd.exe	choice.exe
PID 3728 wrote to memory of 4740	3728	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      Executes dropped EXE
      PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
213KB

MD5
cda688787730357316ad63cf6d041736

SHA1
5932f382d9efe159d0c4f53e6ce608ca46b6600e

SHA256
7f85ca39466e5dc686144f34ca1f372118904227cdc2dc4ed57afc4a2a9d87af

SHA512
945dd8535dd46c0004c0d8e2959baee3edfa12347bbe68b633853bae4daee71f9a94d8261756fd85acb97f143b5ae313045138c42766d941b1f313db94f24929

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
157KB

MD5
8253cc9aa43d0e13e7de2fb0cc372a92

SHA1
ac90dbbd420df2babc9f8b9a4fb4807acf74ca06

SHA256
4ffcaaae59e16e91f82812d7e90bd4955aaf92d2c94cb7d2b70e2abfc3973a0b

SHA512
5f7ac42b9c553d8b56b024e7d04f604dc4bd23c9090c031c3fb841b8b4fa51727dc84f476959549abcfece83dfc3ed332f68b4ac929bf4a925fd95af420b8ba7

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
96KB

MD5
881a6f245627dd654171e8fd70ffc6d1

SHA1
6c3c52559d2fc997c9cecd80238c31373aee5d0a

SHA256
a99e31595863f8ea07c6cadef06276ec82109975a9e8304da33a24fd15c45c6a

SHA512
378b8858df24e9ff709dbc6d6f70e889e749314998c2bbc7a698d91f5b758191479a8a9ca85eac0c3efc1c4d1290547d27d063c5c9a3eb34733efe6b48085981

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
113KB

MD5
e0a36d2824326c04ebb109cbeb7121ea

SHA1
6fdb722d0c907fce2f594a4078d2ea5d79b1095b

SHA256
788805903cbcec6ab87c7d28d85da5d01793fc69e4222b8fe1b0f3a0486e8aac

SHA512
be7441c2f0330ed0c1dcdfab55cdc4e07f2eaef536a02b341ce572a2f6c2fd9273f754621003b3808e2b5213331268895089e214833c65ac96778573cbcaeda0

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
104KB

MD5
6a5531cb1136194b7b7672814af2cd41

SHA1
b20089f5d86f1a638d1e19933d807ded9b7aaa19

SHA256
eec7fc530ad818dda21b276f612f9ae218e137746abfea5cbb9fac224a7d01d5

SHA512
b70d818259246560160e0e1103f16dbcd65f201bd6856471dc959986ef5a5bebcd9c4ce807cbce9a484102e2fb69e0b9903c0b328418340d94101198aadeeb7b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
150KB

MD5
e0c0debb8fdddac7e3183351819c760b

SHA1
103c06149606ba83ce49306e57f41c9551c866da

SHA256
7b093e9f8971269e0cfe9e0e8ca0bb0d52760037b93fd78d10f27df9983a4a2e

SHA512
57724d1d3f2e10b08f0e1c8eae7371a5b6d75c687d202cf34fe310c37178f71b9534dd05449d90680d31ef8d23a9863f2c922d720cdc4c66faea6b350e960acf

Download Submit
memory/800-23-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-39-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-9-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-13-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-15-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-17-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-19-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-21-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-1-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/800-25-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-29-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-33-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-35-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-37-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-41-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-3-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/800-31-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-27-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-2-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/800-46-0x0000000002B00000-0x0000000004B00000-memory.dmp

Filesize
32.0MB

Download
memory/800-108-0x0000000002B00000-0x0000000004B00000-memory.dmp

Filesize
32.0MB

Download
memory/800-50-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/800-4-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/800-6-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-7-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/800-5-0x00000000058B0000-0x0000000005A5C000-memory.dmp

Filesize
1.7MB

Download
memory/800-0-0x0000000005150000-0x00000000052FC000-memory.dmp

Filesize
1.7MB

Download
memory/800-11-0x00000000058B0000-0x0000000005A55000-memory.dmp

Filesize
1.6MB

Download
memory/1088-105-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/1088-110-0x00007FFE4ACA0000-0x00007FFE4B761000-memory.dmp

Filesize
10.8MB

Download
memory/1088-111-0x00007FFE4ACA0000-0x00007FFE4B761000-memory.dmp

Filesize
10.8MB

Download
memory/1404-75-0x0000000000FB0000-0x0000000001004000-memory.dmp

Filesize
336KB

Download
memory/1404-93-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/1404-81-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/1404-77-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/1404-83-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/1404-76-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/2060-44-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2060-51-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/2060-52-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/2060-109-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3928-88-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3928-85-0x0000000005830000-0x000000000587C000-memory.dmp

Filesize
304KB

Download
memory/3928-87-0x00000000066B0000-0x0000000006726000-memory.dmp

Filesize
472KB

Download
memory/3928-80-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/3928-89-0x0000000007810000-0x0000000007860000-memory.dmp

Filesize
320KB

Download
memory/3928-90-0x0000000007D30000-0x0000000007EF2000-memory.dmp

Filesize
1.8MB

Download
memory/3928-91-0x0000000008430000-0x000000000895C000-memory.dmp

Filesize
5.2MB

Download
memory/3928-86-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/3928-74-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3928-73-0x0000000000E80000-0x0000000000ED8000-memory.dmp

Filesize
352KB

Download
memory/3928-107-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3928-84-0x00000000057F0000-0x000000000582C000-memory.dmp

Filesize
240KB

Download
memory/3928-82-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/3928-79-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/3928-78-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download