redline | 5793d66613a4bc7f9aa4e3b2ac79ede554048d458d808827f151c31de0644871

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 16:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7abbe54e88a9839577224252a504edb6.exe
Size

471KB
MD5

7abbe54e88a9839577224252a504edb6
SHA1

863d260d5a86ac8302a54f61e2ce75071a38a2d9
SHA256

5793d66613a4bc7f9aa4e3b2ac79ede554048d458d808827f151c31de0644871
SHA512

4bea74649d3cede59bd8986b8a14c39fc0b7525090da77005ff711ce2cd33584d0f6857eab139da2b176716a30c8a59ab3b36ae8a6e32c00272d807c139381c2
SSDEEP

6144:xczG+G+PEUeLvkB8C5vdOy3JXx+X8Do3a+Qxm6EpauRxcIt:azQ+8UeTkHvdOgXxg8DJ+QMpT/t

Score

10^/10

redline sectoprat zgrat @kepslhgt infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@kepslhgt

185.230.143.48:64590

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4072-8-0x0000000006E60000-0x0000000006ED2000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-9-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-16-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-18-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-20-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-14-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-12-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-24-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-30-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-28-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-34-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-46-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-52-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-60-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-68-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-72-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-70-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-66-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-64-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-62-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-58-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-56-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-54-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-50-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-48-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-44-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-42-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-40-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-38-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-36-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-32-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-26-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-22-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-10-0x0000000006E60000-0x0000000006ECB000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3948-2255-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3948-2255-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
3948	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4072	7abbe54e88a9839577224252a504edb6.exe
4072	7abbe54e88a9839577224252a504edb6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	7abbe54e88a9839577224252a504edb6.exe
Token: SeDebugPrivilege	3948	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97
PID 4072 wrote to memory of 3948	4072	7abbe54e88a9839577224252a504edb6.exe	97

C:\Users\Admin\AppData\Local\Temp\7abbe54e88a9839577224252a504edb6.exe
"C:\Users\Admin\AppData\Local\Temp\7abbe54e88a9839577224252a504edb6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/3948-2255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3948-2256-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/3948-2257-0x0000000005750000-0x0000000005D68000-memory.dmp

Filesize
6.1MB

Download
memory/3948-2258-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/3948-2262-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/3948-2261-0x00000000054C0000-0x00000000055CA000-memory.dmp

Filesize
1.0MB

Download
memory/3948-2260-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download
memory/3948-2259-0x0000000005210000-0x000000000524C000-memory.dmp

Filesize
240KB

Download
memory/4072-60-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-62-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-6-0x0000000006C20000-0x0000000006C6E000-memory.dmp

Filesize
312KB

Download
memory/4072-7-0x0000000006CF0000-0x0000000006D66000-memory.dmp

Filesize
472KB

Download
memory/4072-8-0x0000000006E60000-0x0000000006ED2000-memory.dmp

Filesize
456KB

Download
memory/4072-9-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-16-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-18-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-20-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-14-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-12-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-24-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-30-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-28-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-34-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-46-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-52-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-4-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4072-68-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-72-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-70-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-66-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-64-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-5-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/4072-58-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-56-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-54-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-50-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-48-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-44-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-42-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-40-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-38-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-36-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-32-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-26-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-22-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-10-0x0000000006E60000-0x0000000006ECB000-memory.dmp

Filesize
428KB

Download
memory/4072-3-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/4072-2-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4072-1-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4072-0-0x00000000005C0000-0x0000000000638000-memory.dmp

Filesize
480KB

Download
memory/4072-252-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4072-1829-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4072-2247-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/4072-2254-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download