redline | 41f3351a2f08d18c27ddcab29e6258fb9238b1061e82ff7220f16a9393199438

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A u r о r a.exe
Size

685KB
MD5

b3b6feed946c4b70880677c1fed7cc83
SHA1

97655d0243bebe24126037cbadd107d908858fd6
SHA256

41f3351a2f08d18c27ddcab29e6258fb9238b1061e82ff7220f16a9393199438
SHA512

71fb2259e7f8c27882b69fa2662161a620e304dfbe2cdcbff30b99fd9bc19044ec5fcf291ed8a11925bc9cf88d05fa990fc9623b9a215098479060d3383d8cd4
SSDEEP

12288:LNc3BNU4PF6atV0w6Q/zyz0KuRAMbkZMDnOnBVHZ4CiyBq9ph0kMCr0IhY5RR1mp:LNc3BNrF6CVb6CjkeDOnH2vyBSokMCrT

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1424-29-0x0000000000E00000-0x0000000000E4C000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1424-29-0x0000000000E00000-0x0000000000E4C000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4892 created 3492	4892	Tagged.pif	57

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	A u r о r a.exe

Executes dropped EXE 2 IoCs

pid	Process
4892	Tagged.pif
1424	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4844	tasklist.exe
688	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1556	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif
1424	RegAsm.exe
1424	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	tasklist.exe
Token: SeDebugPrivilege	688	tasklist.exe
Token: SeDebugPrivilege	1424	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4892	Tagged.pif
4892	Tagged.pif
4892	Tagged.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1576	1476	A u r о r a.exe	89
PID 1476 wrote to memory of 1576	1476	A u r о r a.exe	89
PID 1476 wrote to memory of 1576	1476	A u r о r a.exe	89
PID 1576 wrote to memory of 4844	1576	cmd.exe	93
PID 1576 wrote to memory of 4844	1576	cmd.exe	93
PID 1576 wrote to memory of 4844	1576	cmd.exe	93
PID 1576 wrote to memory of 4468	1576	cmd.exe	94
PID 1576 wrote to memory of 4468	1576	cmd.exe	94
PID 1576 wrote to memory of 4468	1576	cmd.exe	94
PID 1576 wrote to memory of 688	1576	cmd.exe	96
PID 1576 wrote to memory of 688	1576	cmd.exe	96
PID 1576 wrote to memory of 688	1576	cmd.exe	96
PID 1576 wrote to memory of 1940	1576	cmd.exe	97
PID 1576 wrote to memory of 1940	1576	cmd.exe	97
PID 1576 wrote to memory of 1940	1576	cmd.exe	97
PID 1576 wrote to memory of 3324	1576	cmd.exe	98
PID 1576 wrote to memory of 3324	1576	cmd.exe	98
PID 1576 wrote to memory of 3324	1576	cmd.exe	98
PID 1576 wrote to memory of 2392	1576	cmd.exe	99
PID 1576 wrote to memory of 2392	1576	cmd.exe	99
PID 1576 wrote to memory of 2392	1576	cmd.exe	99
PID 1576 wrote to memory of 2220	1576	cmd.exe	100
PID 1576 wrote to memory of 2220	1576	cmd.exe	100
PID 1576 wrote to memory of 2220	1576	cmd.exe	100
PID 1576 wrote to memory of 4892	1576	cmd.exe	101
PID 1576 wrote to memory of 4892	1576	cmd.exe	101
PID 1576 wrote to memory of 4892	1576	cmd.exe	101
PID 1576 wrote to memory of 1556	1576	cmd.exe	102
PID 1576 wrote to memory of 1556	1576	cmd.exe	102
PID 1576 wrote to memory of 1556	1576	cmd.exe	102
PID 4892 wrote to memory of 1424	4892	Tagged.pif	110
PID 4892 wrote to memory of 1424	4892	Tagged.pif	110
PID 4892 wrote to memory of 1424	4892	Tagged.pif	110
PID 4892 wrote to memory of 1424	4892	Tagged.pif	110
PID 4892 wrote to memory of 1424	4892	Tagged.pif	110

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\A u r о r a.exe
  "C:\Users\Admin\AppData\Local\Temp\A u r о r a.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Novel Novel.bat & Novel.bat & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4844
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:688
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 14094
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 14094\Tagged.pif + Corn + Justice + Anthropology + Georgia + Enable 14094\Tagged.pif
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b En + Bag + Omissions 14094\O
      4⤵
      PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\14094\Tagged.pif
      14094\Tagged.pif 14094\O
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1556
- C:\Users\Admin\AppData\Local\Temp\14094\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\14094\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14094\O

Filesize
671KB

MD5
4421acdb5a27f21358a75613804bbef1

SHA1
c19071cb423076674b101c21042409f9ea20dfc1

SHA256
5076f2384d0f8e2b492479d718d978639018fd6227b3378841e1da4bf1e8e9c2

SHA512
6549827ac5fad30fe3ccb24f095022d4488571fbc0a774d615a1c5c6010e9a0ce0efef649311d7185096fb0450693ff88aa03293b7c7591b0106c784cdb7fc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\14094\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\14094\Tagged.pif

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\14094\Tagged.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anthropology

Filesize
147KB

MD5
457d830032cc11c2191731add1810ab5

SHA1
d6ae3b4a0de4b1263f04331788633a601d928aa3

SHA256
7443b210f82fab88cb79f46106c4c6ac0e11e98f2446d450e0a5b34153296005

SHA512
037a708e38a82e36bc98ce200a8d745b15072888d55a95701f517340e82e3174bbddbdee3765f2c510a2081701fa9f3dc60e52458acf44b2b64f4af5fc0fa0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bag

Filesize
280KB

MD5
db21ccfa50d066be0f532add39caae36

SHA1
c67289579f598198958793e554d9899e6bb4c109

SHA256
7c05886816bbb30dfef799f964c6fdff0ff91e9a1e2afdf5a27785d7db1b99e1

SHA512
8278cac71afdb2d64c371f7531aa547eac67476f49379d9453c5262fba2594ce8c522c093b25735d5ca7951ae64aecb30e184ef3c9c4a456aa6d0d6db942f8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corn

Filesize
270KB

MD5
b5f7361e2ed0c1e4ceefdb73689bd8dd

SHA1
3720d41cf60d0f456e9f7e338e58c145a2240812

SHA256
61498598484d2b7b250176536bd5860208c31ef0aa7833bf3a4759f71fe8a706

SHA512
99606fb430aaea67be37d1617f64a0737887e6941bcdfb1345913b3d26131f18ca6d47707199742bba755733785703dcbe865397c3f342ee896b39d0f93e7ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\En

Filesize
228KB

MD5
1a4d258dd2e65fda6fae17dc8d713664

SHA1
0b803a36599bf5a5f1460a61ded50c7cda4f2692

SHA256
fd7ff96c10300da123af7c38597894417e4300f9c59ac417ee13385fe4606684

SHA512
b0efc4f12ae0d50fe7c7d10c1a34a9db04a4f53d84ebf2b9a845937ec307adb1a59c4949c15e28480a4a12f8c551f88c7651592907c4edb6ebdc52d4ec0c8cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enable

Filesize
84KB

MD5
61d7f5e4bb4d84fab1ee357f5071bb16

SHA1
5d4dbd193f6608f5ce3391f14cdd4620b1f01680

SHA256
585a18c2cdd6a975796d55d1a501475dc1ceb345a4913a3e00346163da77e287

SHA512
114b106b14f60090a8666078f5159ecd3a27c63be47d07a2224cf10a10b9cf9af1ff536542d7407ca45b1e59340f3a963288f8644c35092d67076c2e23a0f7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Georgia

Filesize
140KB

MD5
5f4974740f5aa7124c52df0bb48ef65e

SHA1
ec52992637c94e99f8350f4a9f8c586840e52940

SHA256
eb934de1a00592a7183fd577fe7227b50179dc34c6af5cf30e805add68da7cee

SHA512
2816a7758ca1e75360b582db412e5ea22ea63f5021d707dc98092df15c13bc3e62abf08d437c8e108c0418d978a287ba18c945e37633c71156e3afd91b52da0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Justice

Filesize
231KB

MD5
806c61777aa5ab0c83723676391e155e

SHA1
69221170fc978da946b31594be39164c30e66e9f

SHA256
08a89401a6ae80305fc9b75ec5944bc84cc6e1cfddd84dc7cc912d1f0d07304b

SHA512
ae6b225253beea0a0a2578870595bf147899ae0bfb81e12e22e2c232ec2c692ff4b3716ff8c9a52c157ba2b20c27a2da6c2e6c7b27a099f7ec8cd3ecd805bc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Novel

Filesize
15KB

MD5
00629f6223e0f6ecb6684ea3115ad26d

SHA1
57ee172a967204b0df4cd3b3d87928f10a9fcd83

SHA256
29dc378e128bf0b86d0be35b8c3f9be1d200f2dabdade729ef680503cd34acc8

SHA512
ad24a2d3bd12e0d3153554790feceedf897d320e37d60be57ab5ee5e5e217ba929eb9a765ad3f37f5bf5d3b8f93f5668d5ad146ccf1b664d1a61ef073971a93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omissions

Filesize
163KB

MD5
ce6aab10736655fe51357ef763a81873

SHA1
00cc63e8c40ccde40537e7c80c565660ff681530

SHA256
dd2b0347be3f0535db49269d8ae57af1024235aed4d9d258499fd0404d3c1f08

SHA512
7938c7b8cbae3c1b6a0c8b7dc8005b1d7385177ba018685372b5919f2c86184d7ceb6e0cf5ed8d28fef16f4bf9bdf9015dd9767842822c085a9502783b6bd73f

Download Submit
memory/1424-32-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1424-38-0x0000000006500000-0x000000000660A000-memory.dmp

Filesize
1.0MB

Download
memory/1424-48-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/1424-47-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1424-33-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/1424-34-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/1424-35-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/1424-36-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/1424-37-0x00000000069B0000-0x0000000006FC8000-memory.dmp

Filesize
6.1MB

Download
memory/1424-29-0x0000000000E00000-0x0000000000E4C000-memory.dmp

Filesize
304KB

Download
memory/1424-39-0x0000000006430000-0x0000000006442000-memory.dmp

Filesize
72KB

Download
memory/1424-40-0x0000000006490000-0x00000000064CC000-memory.dmp

Filesize
240KB

Download
memory/1424-41-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/1424-42-0x0000000006810000-0x0000000006876000-memory.dmp

Filesize
408KB

Download
memory/1424-43-0x0000000007190000-0x0000000007206000-memory.dmp

Filesize
472KB

Download
memory/1424-44-0x0000000007110000-0x000000000712E000-memory.dmp

Filesize
120KB

Download
memory/1424-45-0x0000000008090000-0x0000000008252000-memory.dmp

Filesize
1.8MB

Download
memory/1424-46-0x0000000008790000-0x0000000008CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4892-25-0x0000000077C91000-0x0000000077DB1000-memory.dmp

Filesize
1.1MB

Download
memory/4892-27-0x0000000001760000-0x0000000001761000-memory.dmp

Filesize
4KB

Download