redline | 9e8089879ce079ffcf4fbe7882df57de0ac1218a4c3119bda16f738480eeda5b

Analysis

max time kernel
2s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
04-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luxury Shield.exe
Size

9.9MB
MD5

7643fc25c660a6dfb42fe9a7c047159f
SHA1

079bab6472d00fa034497b52e7348acccb2ccdd3
SHA256

9e8089879ce079ffcf4fbe7882df57de0ac1218a4c3119bda16f738480eeda5b
SHA512

f98e1e3a58b8a75f45fa6ed7af6c5f076c170c902ef31d6b8f6570218300b34ff454b4127ae2a11645bd031a2b3dac873ff069a6b60a7ba3d78efc7749d4cf66
SSDEEP

196608:y14C1Jk6qMEUjfzx6zMHBFpTBjcGZn1DvlzCGZ9bfJH:I1JgUPxekZN4M1DvgGzfJH

Score

10^/10

redline zgrat infostealer rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2128-9-0x0000000000D20000-0x0000000000D76000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2128-9-0x0000000000D20000-0x0000000000D76000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2128	build.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	build.exe
2128	build.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	2128	WerFault.exe	76

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2128	1276	Luxury Shield.exe	76
PID 1276 wrote to memory of 2128	1276	Luxury Shield.exe	76
PID 1276 wrote to memory of 2128	1276	Luxury Shield.exe	76

C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 784
    3⤵
    - Program crash
    PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
memory/1276-7-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/2128-9-0x0000000000D20000-0x0000000000D76000-memory.dmp

Filesize
344KB

Download
memory/2128-15-0x00000000744E0000-0x0000000074C91000-memory.dmp

Filesize
7.7MB

Download
memory/2128-19-0x00000000744E0000-0x0000000074C91000-memory.dmp

Filesize
7.7MB

Download