Analysis
-
max time kernel
24s -
max time network
27s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted
07-04-2024 23:06
Static task
static1
Behavioral task
behavioral1
Sample
External v_4.26.exe
Resource
win10v2004-20240226-en
General
-
Target
External v_4.26.exe
-
Size
279KB
-
MD5
1b3a071cd0ad94839874a3471e89b8aa
-
SHA1
ce82ce87e39705d8b05055fbdfacafa675f9b4db
-
SHA256
4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f
-
SHA512
796eda6dece8257d115a98a7ca5c33e39078e8f7275fe17f42d5b73e4d826889a09ae2e2e8f6987630b66d26b2da88f5eabee4a2bb330cf947638590f7169b00
-
SSDEEP
6144:K/PT2fQDz89hqi1l+t7aelEgNOXG9imxUg:cLCQU9hqi+lEgNoe9x
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
resource: behavioral2/memory/3880-4-0x0000000000400000-0x000000000044A000-memory.dmp
yara_rule: family_zgrat_v1
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource: behavioral2/memory/3880-4-0x0000000000400000-0x000000000044A000-memory.dmp
yara_rule: family_redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: set thread context
pid / process: 4468 External v_4.26.exe
target pid / process: 3880 RegAsm.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid / process: 3880 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
pid / process: 3880 RegAsm.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description: wrote to memory (recorded 8 times)
pid / process: 4468 External v_4.26.exe
target pid / process: 3880 RegAsm.exe
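The SetThreadContext and WriteProcessMemory records above are the classic process-hollowing sequence: the dropper (PID 4468) starts a signed .NET framework utility, RegAsm.exe (PID 3880), writes its payload into that process and then redirects the child's main thread. The Python below is an added example, not part of the sandbox report; it parses record lines written in the report's own "PID <src> wrote to memory of <dst> ..." shape and flags a parent/child pair when at least one cross-process write is followed by a SetThreadContext on the same pair. The host list, the threshold and the sample log lines (constructed from the PIDs in this report) are assumptions.

```python
import re
from collections import defaultdict

# Signed .NET framework utilities that are frequently used as hollowing hosts
# because they live under C:\Windows and carry a Microsoft signature.
# Assumption: illustrative list, not taken from the report.
COMMON_HOLLOW_HOSTS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
    "aspnet_compiler.exe", "csc.exe", "vbc.exe",
}

# Matches the report's record layout:
#   PID <src> <verb> <dst> <src> <src image> <dst image>
# The source image may contain spaces; the target image is the last token.
LINE_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>.+) (?P<dst_image>\S+)$"
)
API_BY_VERB = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}


def parse_events(lines):
    """Turn report lines into (src_pid, dst_pid, api, src_image, dst_image).

    Lines that do not describe a cross-process API call are skipped.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), API_BY_VERB[m["verb"]],
                           m["src_image"], m["dst_image"]))
    return events


def detect_hollowing(events, min_writes=1):
    """Flag (parent, child) pairs with >= min_writes writes AND a SetThreadContext.

    Writes alone are common in legitimate tooling (debuggers, AV hooks); the
    thread-context change on the same child is what makes the pair suspicious.
    """
    writes = defaultdict(int)
    context_set = set()
    images = {}
    for src, dst, api, src_image, dst_image in events:
        if src == dst:
            continue  # self-writes are not cross-process injection
        key = (src, dst)
        images[key] = (src_image, dst_image)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext":
            context_set.add(key)

    findings = []
    for key in sorted(context_set):
        if writes[key] >= min_writes:
            src_image, dst_image = images[key]
            findings.append({
                "parent_pid": key[0], "parent_image": src_image,
                "child_pid": key[1], "child_image": dst_image,
                "write_count": writes[key],
                "known_hollow_host": dst_image.lower() in COMMON_HOLLOW_HOSTS,
            })
    return findings


# Constructed sample: the report's eight write records plus its SetThreadContext
# record, preceded by one unrelated line to show it is ignored by the parser.
SAMPLE_LINES = (
    ["Token: SeDebugPrivilege 3880 RegAsm.exe"]
    + ["PID 4468 wrote to memory of 3880 4468 External v_4.26.exe RegAsm.exe"] * 8
    + ["PID 4468 set thread context of 3880 4468 External v_4.26.exe RegAsm.exe"]
)

if __name__ == "__main__":
    for f in detect_hollowing(parse_events(SAMPLE_LINES)):
        print(f"{f['parent_image']} ({f['parent_pid']}) -> {f['child_image']} "
              f"({f['child_pid']}): {f['write_count']} writes, then SetThreadContext; "
              f"known host: {f['known_hollow_host']}")
```

A child process started from C:\Windows\Microsoft.NET\Framework with no command-line arguments, as RegAsm.exe is here, is a second signal worth pairing with this: the utility does nothing useful without arguments, so an argument-less launch followed by cross-process writes is rarely benign.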
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"
   PID: 4468
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of 4468)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3880
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken