Analysis Overview
SHA256
4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f
Threat Level: Known bad
The file External v_4.26.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
ZGRat
Detect ZGRat V1
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:06
Reported
2024-04-07 23:08
Platform
win10v2004-20240226-en
Max time kernel
78s
Max time network
87s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 788 set thread context of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe
"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 147.45.47.64:11837 | | tcp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:06
Reported
2024-04-07 23:08
Platform
win11-20240221-en
Max time kernel
24s
Max time network
27s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4468 set thread context of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe
"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.64:11837 | | tcp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
Files