redline | 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

Analysis

max time kernel
192s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
07-02-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe
Size

1.7MB
MD5

a615f2eee64c5d7449a8792cc782b6d6
SHA1

cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256

4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512

9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
SSDEEP

49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Score

10^/10

redline zgrat @oleh_ps discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/4480-46-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000700000001ab98-59.dat	family_zgrat_v1
behavioral2/files/0x000700000001ab98-58.dat	family_zgrat_v1
behavioral2/memory/2368-62-0x0000000000690000-0x00000000006E8000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ab98-59.dat	family_redline
behavioral2/memory/4380-66-0x0000000000020000-0x0000000000074000-memory.dmp	family_redline
behavioral2/files/0x000700000001ab9b-61.dat	family_redline
behavioral2/files/0x000700000001ab9b-60.dat	family_redline
behavioral2/files/0x000700000001ab98-58.dat	family_redline
behavioral2/memory/2368-62-0x0000000000690000-0x00000000006E8000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 22 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/312-0-0x0000000005100000-0x00000000052AC000-memory.dmp	net_reactor
behavioral2/memory/312-6-0x0000000004F40000-0x00000000050EC000-memory.dmp	net_reactor
behavioral2/memory/312-8-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-11-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-17-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-25-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-31-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-33-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-39-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-43-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-41-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/4480-46-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor
behavioral2/memory/312-37-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-35-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-29-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-27-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-23-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-21-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-19-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-15-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-13-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/312-9-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Logs.exe

Executes dropped EXE 3 IoCs

pid	Process
2368	Logs.exe
4380	olehps.exe
2460	qemu-ga.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 312 set thread context of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1380	4380	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	Logs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe
Token: SeDebugPrivilege	2368	Logs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 4144	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	75
PID 312 wrote to memory of 4144	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	75
PID 312 wrote to memory of 4144	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	75
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 312 wrote to memory of 4480	312	4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe	74
PID 4480 wrote to memory of 2368	4480	RegAsm.exe	79
PID 4480 wrote to memory of 2368	4480	RegAsm.exe	79
PID 4480 wrote to memory of 2368	4480	RegAsm.exe	79
PID 4480 wrote to memory of 4380	4480	RegAsm.exe	76
PID 4480 wrote to memory of 4380	4480	RegAsm.exe	76
PID 4480 wrote to memory of 4380	4480	RegAsm.exe	76
PID 2368 wrote to memory of 2460	2368	Logs.exe	81
PID 2368 wrote to memory of 2460	2368	Logs.exe	81

C:\Users\Admin\AppData\Local\Temp\4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe
"C:\Users\Admin\AppData\Local\Temp\4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
    3⤵
    - Executes dropped EXE
    PID:4380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 764
      4⤵
      Program crash
      PID:1380
- - C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      Executes dropped EXE
      PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
213KB

MD5
9adc883fa2ff0b3dec20a36ed444036f

SHA1
e778a32632405d5f1e1c9a24f2bb927f745dc1df

SHA256
ed9f6390617650b877ee614b96bb79be0d7ccd02a6b9175f551972e4667331d5

SHA512
d191b766f9b2904d9ef5ce13c7fc8212ca3a1fe8089ef3f9d557c198be3f9e8736b419bbbcfd7bfd29484bc5c0eac61d9a547da92ae55fa5679a001d3c4b4849

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
11KB

MD5
4e97e9d849c476a1f8c3b0d23ea09c32

SHA1
4d6486e6a0cdb7e94bb0c7809f099bd9b2920fef

SHA256
d33c4a1a7ea97eb43c9572df7a643f5a2611a3ea03d6925e4384d2a0ad886ac6

SHA512
61d68ab88e4f2f17ac853d47c35853222b9398b87b9e09a11696aa30e126b2b341257a2fabf44b2cc4f2bbb2ff8758f59cedfc878bf56d1aa1e4e70ee77c1e18

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
236KB

MD5
19762174c0648ce62754ea41d48c05dc

SHA1
b12f06ce8bac3d0d5e240be6bd11af949ae7f87e

SHA256
cbbb83b56f106700d2ad2b7cbf52a3878aad418db84598624320cb7a37160620

SHA512
812ff63e58b5aca0089858dae5401fd77f6a5d6705b6f0c35aa15f39fa92ee68377c962625d348f1397ad44d0baf6b1b074079f86c7a18326deaae777d200222

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
217KB

MD5
c3ddeeba7901eb62fc1456496bbf1948

SHA1
d6d2f9f15776a5469cd786b9299754773824c222

SHA256
86e6854490d251340e47c0df6dee13c8bb6b4478a0688e4daa4012543876a446

SHA512
4948872a99040df839cc3bfbf11f82e18aa03a924ea2b322be6ae700dc3e3a0cdda4c12bd9c09a00155f6b12c564e04c9ade65a9c6991d3ad11a053573801a85

Download Submit
memory/312-9-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-37-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-8-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-11-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-17-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-25-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-31-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-33-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-39-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-43-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-41-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-3-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/312-52-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/312-6-0x0000000004F40000-0x00000000050EC000-memory.dmp

Filesize
1.7MB

Download
memory/312-50-0x0000000002B00000-0x0000000004B00000-memory.dmp

Filesize
32.0MB

Download
memory/312-4-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/312-35-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-29-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-27-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-23-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-21-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-19-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-15-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-13-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/312-1-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/312-7-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/312-5-0x00000000052B0000-0x00000000057AE000-memory.dmp

Filesize
5.0MB

Download
memory/312-2-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/312-0-0x0000000005100000-0x00000000052AC000-memory.dmp

Filesize
1.7MB

Download
memory/2368-72-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/2368-73-0x0000000006020000-0x00000000060B2000-memory.dmp

Filesize
584KB

Download
memory/2368-70-0x0000000004FB0000-0x0000000004FEE000-memory.dmp

Filesize
248KB

Download
memory/2368-69-0x0000000005080000-0x000000000518A000-memory.dmp

Filesize
1.0MB

Download
memory/2368-63-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-65-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2368-71-0x0000000004FF0000-0x000000000503B000-memory.dmp

Filesize
300KB

Download
memory/2368-67-0x0000000005580000-0x0000000005B86000-memory.dmp

Filesize
6.0MB

Download
memory/2368-82-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2368-80-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-62-0x0000000000690000-0x00000000006E8000-memory.dmp

Filesize
352KB

Download
memory/2368-91-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-74-0x0000000005E50000-0x0000000005EC6000-memory.dmp

Filesize
472KB

Download
memory/2368-68-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/2368-75-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/2368-76-0x0000000006D60000-0x0000000006F22000-memory.dmp

Filesize
1.8MB

Download
memory/2368-77-0x00000000075D0000-0x0000000007620000-memory.dmp

Filesize
320KB

Download
memory/2368-78-0x0000000007B50000-0x000000000807C000-memory.dmp

Filesize
5.2MB

Download
memory/2460-90-0x00007FF9E2530000-0x00007FF9E2F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-88-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/2460-92-0x00007FF9E2530000-0x00007FF9E2F1C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-81-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-64-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-66-0x0000000000020000-0x0000000000074000-memory.dmp

Filesize
336KB

Download
memory/4480-79-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4480-53-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4480-46-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download