Overview

overview

10

Static

static

9

Celery.exe

windows10-2004-x64

10

scripts/scripts.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Cel3ry.rar

  • Size

    8.6MB

  • Sample

    240425-qa36csba82

  • MD5

    f47c25576cee11f1583a3408aaa7f397

  • SHA1

    110776172201659e9c0356841b1f1a86855a99db

  • SHA256

    32e6b9e623d1f1f49aabfeb97b58636ef3b574b52862b4483a1710717a1a19b4

  • SHA512

    8094cf0f082245fd0be551281ac97068bceb62ce3b0335f544772899ae9e3bee5c1fdb60669b217b87708e2789c4f44ee1fa7885dc5af8cb66c093538d132df1

  • SSDEEP

    196608:nFjVQQXuXdeSWtnD3cYAmzvl3rhgIPlpSw0Fro9i5Sl:nFjqS7DvRhNPjJ0hiuSl

Score
10/10
redlinezgratcryptonediscoveryinfostealerpackerpersistenceratspywarestealer

Malware Config

Targets

    • Target

      Celery.exe

    • Size

      800.0MB

    • MD5

      b4c744abf264ef21108c72d281704b41

    • SHA1

      f865c64edce99bade55b7d097d8dda842655cc55

    • SHA256

      321f32aca8d188e7164272993d747933c61e15e852f90035c99c09dec2d4f2b5

    • SHA512

      1e9386367aea49f5a86ed34793179e52c45f250ad7776bd212eeea2c91d09e7b0e18ca69353092d3c206bd94a97cd01a9247df8260b5368becede52c4c5d0961

    • SSDEEP

      49152:uWBRH4OPyauD8t5WJEmdwAl/zSC++SKQ:uWBRHrPyauD8tRKzSCMJ

    Score
    10/10
    redlinezgratdiscoveryinfostealerpersistenceratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1

    • Target

      scripts/scripts.dll

    • Size

      18.7MB

    • MD5

      88fd7dbf04bcf75123d02009aea3f7f7

    • SHA1

      cecf16bdad71e54afc941179ea2b7438a04efa1d

    • SHA256

      01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4

    • SHA512

      2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917

    • SSDEEP

      393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8

    Score
    1/10
    behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks