redline | 1fad6fe833e520abed8b1937ed2598091545cd8b388188ba3e702c1da0401813 | Triage

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 04:50

Sharing

Report Analysis Logs

General

Target

MOD.exe
Size

435KB
MD5

39f127b2722cfd35f5102cad5c3528ba
SHA1

5f27952052884953907e6a3b806f5b7f055261dd
SHA256

1fad6fe833e520abed8b1937ed2598091545cd8b388188ba3e702c1da0401813
SHA512

39fd2e250078cae9be975b9074b3f8eaff331e9682f73aacbf0950d4a7bb55a0c984c1d9d03710e3852b2a0a0c917a769f30871f9fc89df53d95d4c76b834ad6
SSDEEP

12288:/r7219cp5VgRdztHiyX9Aa7Cv3FM4pIdW3pArpX:+gpPiDX9yVCdN1X

Score

10^/10

redline zgrat infostealer rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000D40000-0x0000000000DAE000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000D40000-0x0000000000DAE000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3032 2888 WerFault.exe MOD.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

MOD.exe

description	pid	process	target process
PID 2888 wrote to memory of 3032	2888	MOD.exe	WerFault.exe
PID 2888 wrote to memory of 3032	2888	MOD.exe	WerFault.exe
PID 2888 wrote to memory of 3032	2888	MOD.exe	WerFault.exe
PID 2888 wrote to memory of 3032	2888	MOD.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\MOD.exe
"C:\Users\Admin\AppData\Local\Temp\MOD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 120
2⤵
- Program crash
PID:3032

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-0-0x0000000000D40000-0x0000000000DAE000-memory.dmp

Filesize
440KB

Download