redline

Sharing

Copy URL

Twitter E-mail

General

Target

GitHub_Software.rar
Size

24.6MB
Sample

240406-wzef7aga25
MD5

979865bb1b29cbc872206748e109839d
SHA1

ed1ee1e8529e116127679809d7276bb366fa13fb
SHA256

2c3d6134bf6160409e38f9a19f7fa3a64f1b53218b358b1a562b3cea4935ecae
SHA512

d542de2a2cf2c2cba0cac2f99552635ff143de42e7986e75e61b9c0bb5f97c538a3d3d76581b6b53e6e0c9dec8e39ad866407ff967ef2d3fd642fa7ca3f5fa86
SSDEEP

786432:2zB8FaGkS1Quq420MD1hJ38WYdo2F+arXFHlcj:2xGkIqGIhJ38WYdbDFFI

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@operRUS

45.15.156.167:80

Targets

- Target
  
  GitHub_Software.rar
- Size
  
  24.6MB
- MD5
  
  979865bb1b29cbc872206748e109839d
- SHA1
  
  ed1ee1e8529e116127679809d7276bb366fa13fb
- SHA256
  
  2c3d6134bf6160409e38f9a19f7fa3a64f1b53218b358b1a562b3cea4935ecae
- SHA512
  
  d542de2a2cf2c2cba0cac2f99552635ff143de42e7986e75e61b9c0bb5f97c538a3d3d76581b6b53e6e0c9dec8e39ad866407ff967ef2d3fd642fa7ca3f5fa86
- SSDEEP
  
  786432:2zB8FaGkS1Quq420MD1hJ38WYdo2F+arXFHlcj:2xGkIqGIhJ38WYdbDFFI
Score

3^/10
behavioral1
- Target
  
  Setup.exe
- Size
  
  313KB
- MD5
  
  cf088f8d0b4f4154f3223f9b92217cf4
- SHA1
  
  703401a56132ee36a1b32113e552e4377fffaa71
- SHA256
  
  ee6a2fa32b5f52139503e50cd129d7d12f0921de2d3fd61edc4907de3dc42db8
- SHA512
  
  520e94c35d86b1de62e23b735212c27562e6eb12a04881ca2273147b9c4954a05612d2271cc562c365468ae8f71e75b9a387976d3fdb665c9819321d128abb78
- SSDEEP
  
  6144:cg5BUIlrf4ELEdw3xGkSwCtqpxoXry+6F64Eb+HgNRaMNhMErVpHKb:95BVrDEd47xCtqzUryh643gzNhMgF
Score

10^/10

redline xmrig zgrat @operrus discovery infostealer miner persistence rat spyware stealer
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- XMRig Miner payload
  miner
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  libEGL.dll
- Size
  
  431KB
- MD5
  
  1ed91477a02e0e2a64e5e9f26bcea438
- SHA1
  
  8058c2bd3342d8d882768188b1e5c45567a8dde9
- SHA256
  
  a1267343e2ff9f9603627c0520e6cdd8e4a67fba041146e8def6a43e334a4e03
- SHA512
  
  c80ace4df62ccde9699cafaffae290cb9ab83dc5db5fed6483aadea0f6389eaab8cc44f8cfde43aa980307a6f357d51c406fa267293135def1eee5378d0960a5
- SSDEEP
  
  6144:gbSSlxpHPDSDwFRSHXEU4alu73cwp1MmJw7r2qVmTsR6Lbg3y:q9lxdPewF43EDaG+0TP3g3
Score

1^/10
behavioral3
- Target
  
  msvcp100.dll
- Size
  
  411KB
- MD5
  
  03e9314004f504a14a61c3d364b62f66
- SHA1
  
  0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d
- SHA256
  
  a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f
- SHA512
  
  2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d
- SSDEEP
  
  12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
Score

3^/10
behavioral4
- Target
  
  msvcr100.dll
- Size
  
  755KB
- MD5
  
  0e37fbfa79d349d672456923ec5fbbe3
- SHA1
  
  4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
- SHA256
  
  8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
- SHA512
  
  2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
- SSDEEP
  
  12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
Score

3^/10
behavioral5
- Target
  
  src/WebHttp.dll
- Size
  
  1.3MB
- MD5
  
  49d1368b76ea5ef7b3279d03a719e096
- SHA1
  
  67fb6bd0fc126833117aa08a3a99bb9e71436b60
- SHA256
  
  8d32708739969ea486cadd25d5c3d0bce2a23d17282e73b280c21b306c91d02b
- SHA512
  
  4134fb90c747df01b21389f7a21e5317897025dbf73a7f81602738201b429b8d083ca1e63a61ce3ecdffa6d982834b2896a1e0fbcc8be9ef3b84ffd8269a4e0e
- SSDEEP
  
  24576:zb5UVZTR01t5VR37qinFUqOmDhE3A4jsNUPLZr4zQH+iEFUFFS517cW/y:f54/WthlFUqtDhZ4jRP6zQe1MFI7cW/y
Score

1^/10
behavioral6
- Target
  
  src/d3dcompiler_47.dll
- Size
  
  4.3MB
- MD5
  
  7641e39b7da4077084d2afe7c31032e0
- SHA1
  
  2256644f69435ff2fee76deb04d918083960d1eb
- SHA256
  
  44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
- SHA512
  
  8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5
- SSDEEP
  
  49152:aYlc/220PPiMLKam+VMrLi21f4i3jn5ZO3XUDmOZQwVd2uQpN3WsGVUWd55i/jrs:a6KD2Mrdaix4NQnLt
Score

1^/10
behavioral7
- Target
  
  src/ffmpeg.dll
- Size
  
  2.6MB
- MD5
  
  2fc7f6b0abd1af4988e30e58e8310291
- SHA1
  
  9d553d0ca4f13bf2ce07d850344cb1ca70bea0a6
- SHA256
  
  b08a720802c6dc662247e52658499ce9f87211e0d88343fb0326a1ce9abc5e8b
- SHA512
  
  cdcad781dae26a565fe07dec861c5f47a0861e308a275da529aadc9f4dd03778b40ba8b9e8b7cc3042b7d543cef6ec38f8e79761a7d6c5fe639872ed23d799c2
- SSDEEP
  
  49152:A14LZeiXTFI6vTD9MxCAJ0qsOw0FZnHzKedVLes+/EnvIS:V7hMxjk0vB
Score

1^/10
behavioral8
- Target
  
  src/libEGL.dll
- Size
  
  431KB
- MD5
  
  1ed91477a02e0e2a64e5e9f26bcea438
- SHA1
  
  8058c2bd3342d8d882768188b1e5c45567a8dde9
- SHA256
  
  a1267343e2ff9f9603627c0520e6cdd8e4a67fba041146e8def6a43e334a4e03
- SHA512
  
  c80ace4df62ccde9699cafaffae290cb9ab83dc5db5fed6483aadea0f6389eaab8cc44f8cfde43aa980307a6f357d51c406fa267293135def1eee5378d0960a5
- SSDEEP
  
  6144:gbSSlxpHPDSDwFRSHXEU4alu73cwp1MmJw7r2qVmTsR6Lbg3y:q9lxdPewF43EDaG+0TP3g3
Score

1^/10
behavioral9
- Target
  
  src/libGLESv2.dll
- Size
  
  7.5MB
- MD5
  
  640a515fcd8e5d5a332c1d40c47700b0
- SHA1
  
  0128c9d499deb7866f3d7aae0adab69d9a8f768f
- SHA256
  
  927c858deb4700d3759fab436d5ba554ff4cf7be505d536ea1c673707d5ca8a1
- SHA512
  
  792acebb5ba329e61bc319b415ba01248dcf18c7e46695222682dbf59d179403ced15c19ae03a282dec7e622121c05844d8eae5a04a2aa1f552ebced51644e27
- SSDEEP
  
  49152:cHYVf3vXozSZVwq1ZET78U9t9Ib7P4jN0gVkel0hZecqjXFArFFiKMTvrd5/Lln+:DWD0Ue/elpegxsgPRPV+fJJ7od0m
Score

1^/10
behavioral10
- Target
  
  src/vk_swiftshader.dll
- Size
  
  4.3MB
- MD5
  
  76d3589242fca16d76aff52910e72d7e
- SHA1
  
  a88a7495f71b718e127bdfe09e7a279bf05bfceb
- SHA256
  
  f1e92727d2c2ac4c3878d39ab29679f06e65594121dbd8845a86338dac06e61a
- SHA512
  
  95fc89f165b3235a524da6f2bd47c0086baa0f239d6c0fe8ee30a098bd72e09fc37027e0442dfbcdafa2a2ad6c1275a0a9cc4088f9d2feb41ca0d3a720e0d857
- SSDEEP
  
  49152:2QEStOXH0nQ7MY4KF6SZBUcgURTEXjvvoOLr3NXYMASpO5ewKmnTNDN54tFqjLNo:naCJwU1tRFn8FjF
Score

1^/10
behavioral11
- Target
  
  translate/WebHttp.dll
- Size
  
  1.3MB
- MD5
  
  49d1368b76ea5ef7b3279d03a719e096
- SHA1
  
  67fb6bd0fc126833117aa08a3a99bb9e71436b60
- SHA256
  
  8d32708739969ea486cadd25d5c3d0bce2a23d17282e73b280c21b306c91d02b
- SHA512
  
  4134fb90c747df01b21389f7a21e5317897025dbf73a7f81602738201b429b8d083ca1e63a61ce3ecdffa6d982834b2896a1e0fbcc8be9ef3b84ffd8269a4e0e
- SSDEEP
  
  24576:zb5UVZTR01t5VR37qinFUqOmDhE3A4jsNUPLZr4zQH+iEFUFFS517cW/y:f54/WthlFUqtDhZ4jRP6zQe1MFI7cW/y
Score

1^/10
behavioral12
- Target
  
  translate/vk_swiftshader.dll
- Size
  
  4.3MB
- MD5
  
  76d3589242fca16d76aff52910e72d7e
- SHA1
  
  a88a7495f71b718e127bdfe09e7a279bf05bfceb
- SHA256
  
  f1e92727d2c2ac4c3878d39ab29679f06e65594121dbd8845a86338dac06e61a
- SHA512
  
  95fc89f165b3235a524da6f2bd47c0086baa0f239d6c0fe8ee30a098bd72e09fc37027e0442dfbcdafa2a2ad6c1275a0a9cc4088f9d2feb41ca0d3a720e0d857
- SSDEEP
  
  49152:2QEStOXH0nQ7MY4KF6SZBUcgURTEXjvvoOLr3NXYMASpO5ewKmnTNDN54tFqjLNo:naCJwU1tRFn8FjF
Score

1^/10
behavioral13
- Target
  
  vcruntime140.dll
- Size
  
  94KB
- MD5
  
  02794a29811ba0a78e9687a0010c37ce
- SHA1
  
  97b5701d18bd5e25537851614099e2ffce25d6d8
- SHA256
  
  1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f
- SHA512
  
  caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272
- SSDEEP
  
  1536:yPHLG4SsAzAvadZw+1Hcx8uIYNUzUgHR4xecbK/zJgXTG:yPrfZ+jPYNzgHR4xecbK/FgK
Score

1^/10
behavioral14
- Target
  
  vk_swiftshader.dll
- Size
  
  4.3MB
- MD5
  
  76d3589242fca16d76aff52910e72d7e
- SHA1
  
  a88a7495f71b718e127bdfe09e7a279bf05bfceb
- SHA256
  
  f1e92727d2c2ac4c3878d39ab29679f06e65594121dbd8845a86338dac06e61a
- SHA512
  
  95fc89f165b3235a524da6f2bd47c0086baa0f239d6c0fe8ee30a098bd72e09fc37027e0442dfbcdafa2a2ad6c1275a0a9cc4088f9d2feb41ca0d3a720e0d857
- SSDEEP
  
  49152:2QEStOXH0nQ7MY4KF6SZBUcgURTEXjvvoOLr3NXYMASpO5ewKmnTNDN54tFqjLNo:naCJwU1tRFn8FjF
Score

1^/10
behavioral15