Analysis
max time kernel: 78s
max time network: 87s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 07-04-2024 23:06

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: External v_4.26.exe
Resource: win10v2004-20240226-en
7 signatures, 150 seconds
General
Target: External v_4.26.exe
Size: 279KB
MD5: 1b3a071cd0ad94839874a3471e89b8aa
SHA1: ce82ce87e39705d8b05055fbdfacafa675f9b4db
SHA256: 4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f
SHA512: 796eda6dece8257d115a98a7ca5c33e39078e8f7275fe17f42d5b73e4d826889a09ae2e2e8f6987630b66d26b2da88f5eabee4a2bb330cf947638590f7169b00
SSDEEP: 6144:K/PT2fQDz89hqi1l+t7aelEgNOXG9imxUg:cLCQU9hqi+lEgNoe9x
Score: 10/10
Malware Config

Signatures

Detect ZGRat V1 (1 IoC)
resource:  behavioral1/memory/3560-5-0x0000000000400000-0x000000000044A000-memory.dmp
yara_rule: family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource:  behavioral1/memory/3560-5-0x0000000000400000-0x000000000044A000-memory.dmp
yara_rule: family_redline

Suspicious use of SetThreadContext (1 IoC)
description            pid  process              target process
set thread context of  788  External v_4.26.exe  RegAsm.exe (PID 3560)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   process
Token: SeDebugPrivilege  3560  RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description         pid  process              target process
wrote to memory of  788  External v_4.26.exe  RegAsm.exe (PID 3560)
(this row is recorded 8 times in the report, one per WriteProcessMemory call)
Processes
1  C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"
   PID: 788
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3560
      - Suspicious use of AdjustPrivilegeToken
1  C:\Windows\System32\rundll32.exe
   command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 448
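As an added example (not part of the sandbox report or its tooling), a small Python correlator that turns the signature rows and process tree above into one injection alert. It joins WriteProcessMemory and SetThreadContext events on the same (source pid, target pid) pair, which is the call sequence a process-hollowing loader produces after starting a host process suspended, and enriches the alert with the host's adjusted privileges and the YARA families that hit on its memory dump. The sample lines are constructed from the report's rows: the pids, image names, SeDebugPrivilege token and the 0x400000-0x44A000 range are the report's own; the one-event-per-line layout and the list of .NET host binaries are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: transcribed from the report's Signatures section.
# The one-event-per-line layout is an assumption for parsing.
SAMPLE_EVENTS = """\
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 wrote to memory of 3560 788 External v_4.26.exe RegAsm.exe
PID 788 set thread context of 3560 788 External v_4.26.exe RegAsm.exe
Token: SeDebugPrivilege 3560 RegAsm.exe
behavioral1/memory/3560-5-0x0000000000400000-0x000000000044A000-memory.dmp family_zgrat_v1
behavioral1/memory/3560-5-0x0000000000400000-0x000000000044A000-memory.dmp family_redline
"""

# Signed Microsoft .NET utilities that loaders like to hollow because the image
# name looks benign. Analyst assumption, not something the report states.
NET_HOSTS = {"RegAsm.exe", "RegSvcs.exe", "InstallUtil.exe", "MSBuild.exe",
             "AppLaunch.exe", "vbc.exe", "csc.exe"}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (.+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (.+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (.+)$")
YARA_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)$")


def split_names(names):
    """'External v_4.26.exe RegAsm.exe' -> ('External v_4.26.exe', 'RegAsm.exe').
    The source image may contain spaces; the target image is the last token."""
    src, _, dst = names.rpartition(" ")
    return src, dst


def parse_events(text):
    """Bucket raw report lines into the event kinds the correlator joins on."""
    ev = {"writes": defaultdict(int), "ctx": set(), "tokens": defaultdict(list),
          "yara": defaultdict(list), "names": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := WRITE_RE.match(line):
            src, dst = int(m[1]), int(m[2])
            ev["writes"][(src, dst)] += 1
            ev["names"][src], ev["names"][dst] = split_names(m[3])
        elif m := CTX_RE.match(line):
            src, dst = int(m[1]), int(m[2])
            ev["ctx"].add((src, dst))
            ev["names"][src], ev["names"][dst] = split_names(m[3])
        elif m := TOKEN_RE.match(line):
            ev["tokens"][int(m[2])].append(m[1])
        elif m := YARA_RE.search(line):
            ev["yara"][int(m[1])].append((int(m[2], 16), int(m[3], 16), m[4]))
    return ev


def find_hollowing(text):
    """Alert on every (parent, child) pair that both wrote the child's memory and
    replaced a thread context in it: CreateProcess(CREATE_SUSPENDED) ->
    WriteProcessMemory -> SetThreadContext is the classic hollowing sequence.
    A write without a context swap is not flagged on its own."""
    ev = parse_events(text)
    alerts = []
    for (src, dst), nwrites in ev["writes"].items():
        if (src, dst) not in ev["ctx"]:
            continue
        target = ev["names"].get(dst, "?")
        hits = ev["yara"].get(dst, [])
        alerts.append({
            "source_pid": src,
            "source_image": ev["names"].get(src, "?"),
            "target_pid": dst,
            "target_image": target,
            "write_count": nwrites,
            "dotnet_host_target": target in NET_HOSTS,
            "privileges": sorted(ev["tokens"].get(dst, [])),
            "families": sorted({fam for _, _, fam in hits}),
            # Size of the largest flagged region in the host's memory. A region
            # starting at 0x400000 (the traditional 32-bit PE image base) the
            # size of a whole image suggests a full PE was written in, not a stub.
            "injected_region_bytes": max((hi - lo for lo, hi, _ in hits), default=0),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints a single alert for 788 -> 3560 carrying both YARA families. Two details from the report are what a detection should key on: the host is a signed .NET framework utility started with only its own path as the command line (RegAsm.exe expects an assembly argument, so an argument-less launch does nothing useful), and it is the parent, not the host, that performs the memory writes and the thread-context swap.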