redline | 6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe

General

Target

6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe
Size

4.6MB
MD5

15a5a210a88d15a932171a9fa25a1356
SHA1

7f6290046bd9bb6129af3da4612fad50369eda09
SHA256

6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe
SHA512

6738cc6366da9561df4b87f099bba64e56db7421598c2dda25be2933052bdb7593b7b386671f222b1e509a73f54ca982feae27fe22d57b6af82a0b30ffbed258
SSDEEP

98304:dPwGDPsMTm7Gh0nUu7TcY0mmdlv3GLCjcKbbygH:dPfDPtqGmnUu4mmdlO8bbyg

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/2648-1-0x00000000004F0000-0x0000000000990000-memory.dmp	family_zgrat_v1
behavioral2/memory/2616-21-0x0000000000400000-0x00000000004C2000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2616-21-0x0000000000400000-0x00000000004C2000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	2648	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe
2616	MsBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	MsBuild.exe
Token: SeBackupPrivilege	2616	MsBuild.exe
Token: SeSecurityPrivilege	2616	MsBuild.exe
Token: SeSecurityPrivilege	2616	MsBuild.exe
Token: SeSecurityPrivilege	2616	MsBuild.exe
Token: SeSecurityPrivilege	2616	MsBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99
PID 2648 wrote to memory of 2616	2648	6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe	99

C:\Users\Admin\AppData\Local\Temp\6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe
"C:\Users\Admin\AppData\Local\Temp\6a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1008
  2⤵
  - Program crash
  PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
1⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8DF3.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/2616-47-0x0000000008B20000-0x0000000008B3E000-memory.dmp

Filesize
120KB

Download
memory/2616-23-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2616-61-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2616-59-0x000000000ACF0000-0x000000000B21C000-memory.dmp

Filesize
5.2MB

Download
memory/2616-58-0x000000000A5F0000-0x000000000A7B2000-memory.dmp

Filesize
1.8MB

Download
memory/2616-55-0x00000000092B0000-0x0000000009316000-memory.dmp

Filesize
408KB

Download
memory/2616-54-0x0000000009130000-0x000000000917C000-memory.dmp

Filesize
304KB

Download
memory/2616-53-0x0000000008FB0000-0x0000000008FEC000-memory.dmp

Filesize
240KB

Download
memory/2616-52-0x0000000008F50000-0x0000000008F62000-memory.dmp

Filesize
72KB

Download
memory/2616-25-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2616-51-0x0000000009020000-0x000000000912A000-memory.dmp

Filesize
1.0MB

Download
memory/2616-50-0x00000000094B0000-0x0000000009AC8000-memory.dmp

Filesize
6.1MB

Download
memory/2616-46-0x0000000008430000-0x00000000084A6000-memory.dmp

Filesize
472KB

Download
memory/2616-29-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/2616-27-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/2616-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2616-26-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/2616-24-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/2648-17-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-3-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2648-19-0x0000000005C40000-0x0000000005D40000-memory.dmp

Filesize
1024KB

Download
memory/2648-28-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2648-20-0x0000000005C40000-0x0000000005D40000-memory.dmp

Filesize
1024KB

Download
memory/2648-1-0x00000000004F0000-0x0000000000990000-memory.dmp

Filesize
4.6MB

Download
memory/2648-18-0x0000000005C40000-0x0000000005D40000-memory.dmp

Filesize
1024KB

Download
memory/2648-0-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2648-10-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-16-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-11-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-14-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-15-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-13-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2648-12-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2648-2-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/2648-4-0x00000000057D0000-0x0000000005962000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing