redline | e49f4be0e09d6360d6fe877dc7245a5ca0f9c91cbb73688dc62038ed096d5b09 | Triage

Submit
Reports

Overview

overview

Static

static

1

Executor I...er.exe

windows7-x64

Executor I...er.exe

windows10-2004-x64

Sharing

General

Target

Executor Installer.exe
Size

300.0MB
Sample

240426-al4chagd41
MD5

ce52d76fa19eef8e2ba89a9eee3911cc
SHA1

2d44c9a520a92e508e69622b481dd0363da80b80
SHA256

e49f4be0e09d6360d6fe877dc7245a5ca0f9c91cbb73688dc62038ed096d5b09
SHA512

fd6323b7d6006ddd4f728097481873353ecd50d262be514a316e0c16c6bb2f91be7963f4931c96f7383ae811944696e8b365f8176ff21638725f6ef42e815550
SSDEEP

24576:fNO2MOoMWSUDUfJBl3PzKcP5rBZBdXqfXJ4bXYEdNZOPtDngAh6b4xjGFoOUBfxa:l7GkxBl/zRHBNqsBdratDVfhGFoOUBfs

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Executor Installer.exe

Resource

win7-20240221-en

redline zgrat discovery infostealer rat spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Executor Installer.exe

Resource

win10v2004-20240412-en

redline zgrat discovery infostealer rat spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  Executor Installer.exe
- Size
  
  300.0MB
- MD5
  
  ce52d76fa19eef8e2ba89a9eee3911cc
- SHA1
  
  2d44c9a520a92e508e69622b481dd0363da80b80
- SHA256
  
  e49f4be0e09d6360d6fe877dc7245a5ca0f9c91cbb73688dc62038ed096d5b09
- SHA512
  
  fd6323b7d6006ddd4f728097481873353ecd50d262be514a316e0c16c6bb2f91be7963f4931c96f7383ae811944696e8b365f8176ff21638725f6ef42e815550
- SSDEEP
  
  24576:fNO2MOoMWSUDUfJBl3PzKcP5rBZBdXqfXJ4bXYEdNZOPtDngAh6b4xjGFoOUBfxa:l7GkxBl/zRHBNqsBdratDVfhGFoOUBfs
Score

10^/10

redline zgrat discovery infostealer rat spyware stealer
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinezgratdiscoveryinfostealerratspywarestealer

behavioral2

redlinezgratdiscoveryinfostealerratspywarestealer

© 2018-2024

Terms | Privacy