Malware Analysis Report

2024-11-13 14:01

Sample ID 240407-23qarahd65
Target External v_4.26.exe
SHA256 4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f
Tags
redline zgrat infostealer rat discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f

Threat Level: Known bad

The file External v_4.26.exe was found to be: Known bad.

Malicious Activity Summary

redline zgrat infostealer rat discovery spyware stealer

RedLine

ZGRat

Detect ZGRat V1

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:06

Reported

2024-04-07 23:08

Platform

win10v2004-20240226-en

Max time kernel

78s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 788 set thread context of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe

"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RU | 147.45.47.64:11837 | | tcp
US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp

Files

memory/788-0-0x0000000000820000-0x000000000086C000-memory.dmp
memory/788-1-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/788-4-0x0000000002C60000-0x0000000004C60000-memory.dmp
memory/3560-5-0x0000000000400000-0x000000000044A000-memory.dmp
memory/788-8-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/3560-9-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/3560-10-0x0000000005C90000-0x0000000006234000-memory.dmp
memory/3560-11-0x00000000057E0000-0x0000000005872000-memory.dmp
memory/3560-12-0x0000000005900000-0x0000000005910000-memory.dmp
memory/3560-13-0x0000000005890000-0x000000000589A000-memory.dmp
memory/3560-14-0x0000000006E20000-0x0000000007438000-memory.dmp
memory/3560-15-0x0000000006970000-0x0000000006A7A000-memory.dmp
memory/3560-16-0x00000000068A0000-0x00000000068B2000-memory.dmp
memory/3560-17-0x0000000006680000-0x00000000066BC000-memory.dmp
memory/3560-18-0x00000000068C0000-0x000000000690C000-memory.dmp
memory/3560-19-0x00000000065B0000-0x0000000006616000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:06

Reported

2024-04-07 23:08

Platform

win11-20240221-en

Max time kernel

24s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4468 set thread context of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe

"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
RU | 147.45.47.64:11837 | | tcp
US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp

Files

memory/4468-0-0x0000000000880000-0x00000000008CC000-memory.dmp
memory/4468-1-0x00000000749A0000-0x0000000075151000-memory.dmp
memory/3880-4-0x0000000000400000-0x000000000044A000-memory.dmp
memory/3880-8-0x00000000057A0000-0x0000000005D46000-memory.dmp
memory/4468-7-0x00000000749A0000-0x0000000075151000-memory.dmp
memory/3880-9-0x00000000052B0000-0x0000000005342000-memory.dmp
memory/4468-10-0x0000000002E10000-0x0000000004E10000-memory.dmp
memory/3880-11-0x0000000005500000-0x0000000005510000-memory.dmp
memory/3880-12-0x0000000005440000-0x000000000544A000-memory.dmp
memory/3880-13-0x00000000749A0000-0x0000000075151000-memory.dmp
memory/3880-14-0x00000000068C0000-0x0000000006ED8000-memory.dmp
memory/3880-15-0x0000000006440000-0x000000000654A000-memory.dmp
memory/3880-16-0x0000000006360000-0x0000000006372000-memory.dmp
memory/3880-17-0x00000000063C0000-0x00000000063FC000-memory.dmp
memory/3880-18-0x0000000006550000-0x000000000659C000-memory.dmp
memory/3880-19-0x00000000066C0000-0x0000000006726000-memory.dmp
memory/3880-20-0x0000000007160000-0x00000000071D6000-memory.dmp
memory/3880-21-0x0000000007100000-0x000000000711E000-memory.dmp
memory/3880-22-0x0000000008410000-0x00000000085D2000-memory.dmp
memory/3880-23-0x0000000008B10000-0x000000000903C000-memory.dmp
memory/4468-24-0x0000000002E10000-0x0000000004E10000-memory.dmp
memory/3880-26-0x00000000749A0000-0x0000000075151000-memory.dmp