redline | 9f52a7ac90fff99eb407a0d377aed95920b7e62b492848e74f11fef5d59c7002 | Triage

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 18:07

Sharing

Report Analysis Logs

General

Target

OwnCheat.exe
Size

462KB
MD5

adcf088bea6905d093229562ff62fee0
SHA1

e7b83c9844472d36a9e3eae60622626c51d76ea8
SHA256

9f52a7ac90fff99eb407a0d377aed95920b7e62b492848e74f11fef5d59c7002
SHA512

9b9ba4cdcacf0cd26b48a50f2eafec19b5e3e32adc07c4b8d7af3d1bfe836b39c4502bd9e1e616814f1d3adf272fc0421ac2a7e14b65f4a8a15a86db810ee79c
SSDEEP

12288:xdy0t/5TvlSRKJCyscfmiBYLRY7i4nzqjFdry:T/5jlZxmiYRR4Udr

Score

10^/10

redline zgrat infostealer rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2088-0-0x00000000013E0000-0x0000000001458000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2088-0-0x00000000013E0000-0x0000000001458000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2404 2088 WerFault.exe OwnCheat.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

OwnCheat.exe

description	pid	process	target process
PID 2088 wrote to memory of 2404	2088	OwnCheat.exe	WerFault.exe
PID 2088 wrote to memory of 2404	2088	OwnCheat.exe	WerFault.exe
PID 2088 wrote to memory of 2404	2088	OwnCheat.exe	WerFault.exe
PID 2088 wrote to memory of 2404	2088	OwnCheat.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\OwnCheat.exe
"C:\Users\Admin\AppData\Local\Temp\OwnCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 36
2⤵
- Program crash
PID:2404

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2088-0-0x00000000013E0000-0x0000000001458000-memory.dmp

Filesize
480KB

Download