Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a

  • Size

    18.8MB

  • Sample

    240418-2qapjaaa6x

  • MD5

    9211e67da80fe6d9f713f6b4aece1d27

  • SHA1

    e271997ff6d723260ac8af44e37ed6a59adaaac2

  • SHA256

    722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a

  • SHA512

    65950fbb4a3bc4bb0042502d5c4f363687e228e08fc606770323c2ac6590f241ab65ce53671dbaebaa958239154a33943c4132c9ad67554ae0bba9d4403e07ab

  • SSDEEP

    393216:qynEX19Y0QBTstAfrrKgbKR2/KFZ9F9EIbHmWJqgLT1:qHLYPBTsmPKxvyIi0nX1

Score
10/10
lummaredlinezgrat@good_deaydiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@Good_Deay

C2

45.15.156.167:80

Extracted

Family

lumma

C2

https://poledoverglazedkilio.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Targets

    • Target

      722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a

    • Size

      18.8MB

    • MD5

      9211e67da80fe6d9f713f6b4aece1d27

    • SHA1

      e271997ff6d723260ac8af44e37ed6a59adaaac2

    • SHA256

      722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a

    • SHA512

      65950fbb4a3bc4bb0042502d5c4f363687e228e08fc606770323c2ac6590f241ab65ce53671dbaebaa958239154a33943c4132c9ad67554ae0bba9d4403e07ab

    • SSDEEP

      393216:qynEX19Y0QBTstAfrrKgbKR2/KFZ9F9EIbHmWJqgLT1:qHLYPBTsmPKxvyIi0nX1

    Score
    10/10
    redlineinfostealerlummazgrat@good_deaydiscoverypersistenceratspywarestealer

    • Detect ZGRat V1

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks