redline | fbfc3b16c84c52caf89196f4340d5725cfd1b95b31603b4b9c9119ed73a0d2dd

Analysis

max time kernel
141s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 05:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd3b868bc32923f0594cd595c9914be5.exe
Size

338KB
MD5

cd3b868bc32923f0594cd595c9914be5
SHA1

78999abb16a82feae55918e7b1a4c1fd4333bae2
SHA256

fbfc3b16c84c52caf89196f4340d5725cfd1b95b31603b4b9c9119ed73a0d2dd
SHA512

64eebab73d0ec4fbca54829bc1d24adce9df79480919e78ad649bc7909cd7a8ed584e5bedf00c13d58c3c7564e4c7092208745792772762d94e88ba6404ee5d2
SSDEEP

6144:IeZn/oGcW4pp30+JVdYDoQRGaB4giSR7U3EwWx9bOHkrka:IeFQGcWUkWSPBDiWtyEIa

Score

10^/10

redline sectoprat zgrat @chmoeblan1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@chmoeblan1

45.132.104.3:52352

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1300-6-0x0000000007CE0000-0x0000000007D4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-8-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-7-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-10-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-12-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-14-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-16-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-18-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-20-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-22-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-24-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-30-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-28-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-26-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-36-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-34-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-32-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-40-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-38-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-44-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-46-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-42-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-52-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-50-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-48-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-56-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-58-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-54-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-62-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-60-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-68-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-66-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-64-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1
behavioral1/memory/1300-70-0x0000000007CE0000-0x0000000007D46000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2376-2274-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2376-2274-0x0000000000400000-0x0000000000420000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2376	RegAsm.exe

Loads dropped DLL 2 IoCs

pid	Process
1300	cd3b868bc32923f0594cd595c9914be5.exe
2376	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1300	cd3b868bc32923f0594cd595c9914be5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	cd3b868bc32923f0594cd595c9914be5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28
PID 1300 wrote to memory of 2376	1300	cd3b868bc32923f0594cd595c9914be5.exe	28

C:\Users\Admin\AppData\Local\Temp\cd3b868bc32923f0594cd595c9914be5.exe
"C:\Users\Admin\AppData\Local\Temp\cd3b868bc32923f0594cd595c9914be5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1300-36-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-32-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-40-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-4-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1300-5-0x0000000001DF0000-0x0000000001E3E000-memory.dmp

Filesize
312KB

Download
memory/1300-6-0x0000000007CE0000-0x0000000007D4C000-memory.dmp

Filesize
432KB

Download
memory/1300-8-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-7-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-10-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-12-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-14-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-16-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-18-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-20-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-22-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-24-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-30-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-28-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-26-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-0-0x0000000000800000-0x0000000000858000-memory.dmp

Filesize
352KB

Download
memory/1300-2-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1300-34-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-3-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-38-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-44-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-46-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-42-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-52-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-50-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-48-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-56-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-58-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-54-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-62-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-60-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-68-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-66-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-64-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-70-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1300-1-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-2268-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-2274-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download