redline | 0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c

General

Target

tmp.exe
Size

1.7MB
MD5

211c3659790c88b15827ec89ffa5898f
SHA1

f0ef5847fb9a1db37b3307e3b2b6f90098aa6e65
SHA256

0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c
SHA512

a7aa227100c27ba414d53af42c9dbedd3f509fa7b32fc442d2f0ede75292c917e226ec78238a66c6d46531d23856a4d1bcf1ad9567d4c1e75bfdeb975769e708
SSDEEP

24576:mnkh7MnClk+2SEETqUjuX5DYF5l53hDGlLVnHeV+6nn3kuoMryAF72btp/H:mn8kCKSEEA5DY/glLxHeV+6n38MHh2P

Score

10^/10

redline zgrat @logscloudyt_bot discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@logscloudyt_bot

C2

185.172.128.33:8970

Signatures

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3380-0-0x00000000007A0000-0x0000000000962000-memory.dmp	family_zgrat_v1
behavioral2/memory/4928-6-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_zgrat_v1
behavioral2/memory/3060-36-0x0000000000C20000-0x0000000000C74000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe	family_redline
behavioral2/memory/3060-36-0x0000000000C20000-0x0000000000C74000-memory.dmp	family_redline
behavioral2/memory/3672-35-0x0000000000460000-0x00000000004B0000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation RegAsm.exe
Executes dropped EXE 2 IoCs

Processes:

fate.exeolehpsp.exe

pid process

3672 fate.exe
3060 olehpsp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3380 set thread context of 4928 3380 tmp.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

olehpsp.exefate.exe

pid process

3060 olehpsp.exe
3672 fate.exe
3672 fate.exe
3672 fate.exe
3672 fate.exe
3672 fate.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

olehpsp.exefate.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3060 olehpsp.exe
Token: SeDebugPrivilege 3672 fate.exe
Token: SeDebugPrivilege 4928 RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	RegAsm.exe

pid	process
3672	fate.exe
3060	olehpsp.exe

description	pid	process	target process
PID 3380 set thread context of 4928	3380	tmp.exe	RegAsm.exe

pid	process
3060	olehpsp.exe
3672	fate.exe
3672	fate.exe
3672	fate.exe
3672	fate.exe
3672	fate.exe

description	pid	process
Token: SeDebugPrivilege	3060	olehpsp.exe
Token: SeDebugPrivilege	3672	fate.exe
Token: SeDebugPrivilege	4928	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

tmp.exeRegAsm.execmd.exe

description	pid	process	target process
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 3380 wrote to memory of 4928	3380	tmp.exe	RegAsm.exe
PID 4928 wrote to memory of 3672	4928	RegAsm.exe	fate.exe
PID 4928 wrote to memory of 3672	4928	RegAsm.exe	fate.exe
PID 4928 wrote to memory of 3672	4928	RegAsm.exe	fate.exe
PID 4928 wrote to memory of 3060	4928	RegAsm.exe	olehpsp.exe
PID 4928 wrote to memory of 3060	4928	RegAsm.exe	olehpsp.exe
PID 4928 wrote to memory of 1772	4928	RegAsm.exe	cmd.exe
PID 4928 wrote to memory of 1772	4928	RegAsm.exe	cmd.exe
PID 4928 wrote to memory of 1772	4928	RegAsm.exe	cmd.exe
PID 1772 wrote to memory of 1268	1772	cmd.exe	choice.exe
PID 1772 wrote to memory of 1268	1772	cmd.exe	choice.exe
PID 1772 wrote to memory of 1268	1772	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
Filesize
296KB

MD5
28f30e43da4c45f023b546fc871a12ea

SHA1
ab063bbb313b75320f4335a8cd878f7a02e5f91c

SHA256
1e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b

SHA512
559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
Filesize
64KB

MD5
7e5015cfb112821ba95aa9b93333780d

SHA1
2f71c23b628273db3c7a873c04df1b964609bc62

SHA256
7cb811fa25123c18f9ddea8da9a8f52a600b407732a2eda0ff6eb1537337f51c

SHA512
567ac0d42ed27560ccea9c015c98c8a7eb24d92d0c9fb96c699e2093ba310a9862ba2ad21a2de976e32cf03200aed172b8d694168a84d3e79727936156c05150

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
Filesize
310KB

MD5
afbc408680d16aa491e10c002dc9c3d0

SHA1
272e07bc68d862f65fc2006d9d714ad03cb09086

SHA256
7b32e5045377a79d4f7f552d9971022f6883799eebeffa8f48f3c76e66acb80d

SHA512
05601f82bc44aaca332b7357b745a5658199c6bb86d26cbf9a110686351717359a6b64f1c713e278a3517b470cf7bc6db48c647f587999931606a137d0040fbb

Download Submit
memory/3060-43-0x000000001BA30000-0x000000001BA42000-memory.dmp

Filesize
72KB

Download
memory/3060-51-0x000000001BE10000-0x000000001BE2E000-memory.dmp

Filesize
120KB

Download
memory/3060-42-0x000000001DFB0000-0x000000001E0BA000-memory.dmp

Filesize
1.0MB

Download
memory/3060-44-0x000000001BDB0000-0x000000001BDEC000-memory.dmp

Filesize
240KB

Download
memory/3060-56-0x00007FFE838B0000-0x00007FFE84371000-memory.dmp

Filesize
10.8MB

Download
memory/3060-39-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/3060-50-0x000000001E540000-0x000000001E5B6000-memory.dmp

Filesize
472KB

Download
memory/3060-52-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/3060-54-0x000000001F090000-0x000000001F5B8000-memory.dmp

Filesize
5.2MB

Download
memory/3060-36-0x0000000000C20000-0x0000000000C74000-memory.dmp

Filesize
336KB

Download
memory/3060-53-0x000000001E990000-0x000000001EB52000-memory.dmp

Filesize
1.8MB

Download
memory/3060-37-0x00007FFE838B0000-0x00007FFE84371000-memory.dmp

Filesize
10.8MB

Download
memory/3380-1-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3380-0-0x00000000007A0000-0x0000000000962000-memory.dmp

Filesize
1.8MB

Download
memory/3380-2-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3380-5-0x0000000002C80000-0x0000000004C80000-memory.dmp

Filesize
32.0MB

Download
memory/3380-9-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-35-0x0000000000460000-0x00000000004B0000-memory.dmp

Filesize
320KB

Download
memory/3672-34-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-60-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-41-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/3672-47-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/3672-48-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/3672-49-0x00000000050A0000-0x00000000050EC000-memory.dmp

Filesize
304KB

Download
memory/3672-40-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/3672-46-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/3672-38-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/3672-63-0x0000000007670000-0x00000000076C0000-memory.dmp

Filesize
320KB

Download
memory/3672-65-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-62-0x00000000070E0000-0x000000000760C000-memory.dmp

Filesize
5.2MB

Download
memory/3672-57-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/3672-61-0x00000000069E0000-0x0000000006BA2000-memory.dmp

Filesize
1.8MB

Download
memory/3672-45-0x0000000005E70000-0x0000000006488000-memory.dmp

Filesize
6.1MB

Download
memory/4928-59-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4928-58-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-11-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4928-6-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4928-10-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-66-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads