redline | 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.7MB
MD5

a615f2eee64c5d7449a8792cc782b6d6
SHA1

cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256

4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512

9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
SSDEEP

49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Score

10^/10

redline zgrat @oleh_ps discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1236-44-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/memory/4428-73-0x0000000000EC0000-0x0000000000F18000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
behavioral2/memory/4428-73-0x0000000000EC0000-0x0000000000F18000-memory.dmp	family_redline
behavioral2/memory/2396-76-0x0000000000D80000-0x0000000000DD4000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 22 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3444-0-0x00000000051D0000-0x000000000537C000-memory.dmp	net_reactor
behavioral2/memory/3444-5-0x0000000005020000-0x00000000051CC000-memory.dmp	net_reactor
behavioral2/memory/3444-6-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-7-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-9-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-11-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-13-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-19-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-23-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-25-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-29-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-27-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-21-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-17-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-15-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-31-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-33-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-35-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-41-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-39-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/3444-37-0x0000000005020000-0x00000000051C5000-memory.dmp	net_reactor
behavioral2/memory/1236-44-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeLogs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	Logs.exe

Drops startup file 1 IoCs

Processes:

Logs.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Logs.exe
Executes dropped EXE 3 IoCs

Processes:

olehps.exeLogs.exeqemu-ga.exe

pid process

2396 olehps.exe
4428 Logs.exe
2400 qemu-ga.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3444 set thread context of 1236 3444 tmp.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Logs.exeolehps.exe

pid process

4428 Logs.exe
2396 olehps.exe
2396 olehps.exe
2396 olehps.exe
2396 olehps.exe
2396 olehps.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Logs.exe

pid	process
2396	olehps.exe
4428	Logs.exe
2400	qemu-ga.exe

description	pid	process	target process
PID 3444 set thread context of 1236	3444	tmp.exe	RegAsm.exe

pid	process
4428	Logs.exe
2396	olehps.exe
2396	olehps.exe
2396	olehps.exe
2396	olehps.exe
2396	olehps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exeLogs.exeolehps.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3444	tmp.exe
Token: SeDebugPrivilege	4428	Logs.exe
Token: SeDebugPrivilege	2396	olehps.exe
Token: SeDebugPrivilege	1236	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

tmp.exeRegAsm.exeLogs.execmd.exe

description	pid	process	target process
PID 3444 wrote to memory of 5672	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 5672	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 5672	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 3444 wrote to memory of 1236	3444	tmp.exe	RegAsm.exe
PID 1236 wrote to memory of 4428	1236	RegAsm.exe	Logs.exe
PID 1236 wrote to memory of 4428	1236	RegAsm.exe	Logs.exe
PID 1236 wrote to memory of 4428	1236	RegAsm.exe	Logs.exe
PID 1236 wrote to memory of 2396	1236	RegAsm.exe	olehps.exe
PID 1236 wrote to memory of 2396	1236	RegAsm.exe	olehps.exe
PID 1236 wrote to memory of 2396	1236	RegAsm.exe	olehps.exe
PID 4428 wrote to memory of 2400	4428	Logs.exe	qemu-ga.exe
PID 4428 wrote to memory of 2400	4428	Logs.exe	qemu-ga.exe
PID 1236 wrote to memory of 4492	1236	RegAsm.exe	cmd.exe
PID 1236 wrote to memory of 4492	1236	RegAsm.exe	cmd.exe
PID 1236 wrote to memory of 4492	1236	RegAsm.exe	cmd.exe
PID 4492 wrote to memory of 2172	4492	cmd.exe	choice.exe
PID 4492 wrote to memory of 2172	4492	cmd.exe	choice.exe
PID 4492 wrote to memory of 2172	4492	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      Executes dropped EXE
      PID:2400
- - C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
211KB

MD5
622da4aa87ac9133ed65c1d277e42e83

SHA1
9bb834e360ce0f85385ecfbf7551c6db3be0d70a

SHA256
930094fa906441315cabb7b7ab9f3e399564fabfc5b929caacc4d00a8167d7c8

SHA512
7592bf0e512986efe1c8d55583ca3950ce98366783c38ac334164f8c930695d85462c5905a04006931c296b28444dc3ea9b5d2cd19e7758d26a83f20128c363f

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
325KB

MD5
3058f10b2fe431d9f8a487a35cd89ba3

SHA1
adf31cfada940e96a02305177bea754d4ee41861

SHA256
73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30

SHA512
4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
64KB

MD5
b71f57850111323ec9ea2629cfc85ad4

SHA1
f4f8d7faa89f23958c884e4db95071c0fdde15a7

SHA256
8c2aaac5714c5efb43378650ea1cbc92e67c7f38da3e3acd8ad089e6e7406aa0

SHA512
b6e9e16fad1586eb0ff47757d518bbb34e5b0c9c2570772a394ee7af572741f71c49449a8ccfe2c5e2f529a321dd436e17b5bbb1cf8a3667d26af112334bc8ae

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
89KB

MD5
25a6c4d5062dab1d2a05082ec868ade5

SHA1
f94c9cd9385c649153ae9790b7ce1c2fbf17b77c

SHA256
08db01f281c623650c64fa129880bb2b79f9195d5b37c843a4e6e5cbe85e714b

SHA512
ffd69b054ed3ecdd270e23ea76942b6b555808cc0c0dc6eea064d8f8942828229c6c4e473e6ea241f75ffa34b4316c911b3e508b6b7b4b5b210bb6f413123bdb

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
100KB

MD5
631a9fc4a305dc1761b3fc2e7f382ae4

SHA1
6e8bbaa5121189cfea84c58ca2bb649c4b65bb59

SHA256
698123ee20c46acc53cb2f218f27792df3d6020437d5222f219e9669654f1c17

SHA512
273bc54bf57440b09f2e5db389d2b94aa4dcc573af3ec38ed591611a7235614a827d89b064e957c316fa9d8039db523bccba844559762221a6a944437c83de56

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
243KB

MD5
94e52cbfeeda0ceefc5db94f02bdbee2

SHA1
eae2128beefd9a7d63c6b9eca1401ab23eac2096

SHA256
5019091c2ea96879698c0443dd8717f444b482471e8323b5ec56b8e708dfbca3

SHA512
189e9e5604ab66463082637e8f59de202cebac5f23c7c6d902dbeb18f682511a17fa29eeec3d0071deca40f048ea97128652ac09110b0b5184f1ef5f7a5ef1f0

Download Submit
memory/1236-47-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-110-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-49-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1236-107-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-44-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2396-83-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/2396-77-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/2396-82-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/2396-79-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/2396-76-0x0000000000D80000-0x0000000000DD4000-memory.dmp

Filesize
336KB

Download
memory/2396-109-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-104-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/2400-105-0x00007FFA6F570000-0x00007FFA70031000-memory.dmp

Filesize
10.8MB

Download
memory/2400-111-0x00007FFA6F570000-0x00007FFA70031000-memory.dmp

Filesize
10.8MB

Download
memory/3444-27-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-17-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-39-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-37-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-35-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-45-0x0000000002A50000-0x0000000004A50000-memory.dmp

Filesize
32.0MB

Download
memory/3444-33-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-31-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-50-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/3444-15-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-2-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3444-1-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/3444-3-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3444-9-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-5-0x0000000005020000-0x00000000051CC000-memory.dmp

Filesize
1.7MB

Download
memory/3444-4-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/3444-21-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-6-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-0-0x00000000051D0000-0x000000000537C000-memory.dmp

Filesize
1.7MB

Download
memory/3444-7-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-29-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-41-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-25-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-23-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-19-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-13-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/3444-11-0x0000000005020000-0x00000000051C5000-memory.dmp

Filesize
1.6MB

Download
memory/4428-81-0x00000000058E0000-0x00000000059EA000-memory.dmp

Filesize
1.0MB

Download
memory/4428-86-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/4428-87-0x00000000067B0000-0x0000000006826000-memory.dmp

Filesize
472KB

Download
memory/4428-88-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/4428-89-0x0000000007680000-0x00000000076D0000-memory.dmp

Filesize
320KB

Download
memory/4428-90-0x0000000007F30000-0x00000000080F2000-memory.dmp

Filesize
1.8MB

Download
memory/4428-91-0x0000000008630000-0x0000000008B5C000-memory.dmp

Filesize
5.2MB

Download
memory/4428-85-0x0000000005870000-0x00000000058BC000-memory.dmp

Filesize
304KB

Download
memory/4428-84-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/4428-106-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-80-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/4428-78-0x0000000005DB0000-0x00000000063C8000-memory.dmp

Filesize
6.1MB

Download
memory/4428-75-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4428-74-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-73-0x0000000000EC0000-0x0000000000F18000-memory.dmp

Filesize
352KB

Download