Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06-05-2024 10:33
Behavioral task
behavioral1
Sample
2529a7bbbdf0b297c2bcbde40bca3671.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2529a7bbbdf0b297c2bcbde40bca3671.exe
Resource
win10v2004-20240419-en
General
-
Target
2529a7bbbdf0b297c2bcbde40bca3671.exe
-
Size
260KB
-
MD5
2529a7bbbdf0b297c2bcbde40bca3671
-
SHA1
5f674bfb89857da5ce013ec8f360f9e6453333c4
-
SHA256
51a759f98a18ef3e6b4e91fa32dc5319ccc5121eb77ac28cfa0579d30af7d8e8
-
SHA512
cd6f332a16d41b3608b074f44c80b6491a9480544776d2c2fc5c9cb6d33362be0e06f6ac702eb36b9d4907784bb3c26a668796db68cb5c12f14c8b1aa73969e2
-
SSDEEP
6144:sqv0ib3cJzO0HxjGE4ujgbAh/sGBachoRux:jb3IfHhOb4U8achoRux
Malware Config
Extracted
redline
5345987420
https://pastebin.com/raw/KE5Mft0T
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral1/memory/1808-1-0x0000000000080000-0x00000000000C6000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2280-15-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2280-20-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2280-18-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2280-11-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2280-10-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 pastebin.com 5 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1808 set thread context of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2280 RegAsm.exe 2280 RegAsm.exe 2280 RegAsm.exe 2280 RegAsm.exe 2280 RegAsm.exe 2280 RegAsm.exe 2280 RegAsm.exe 2280 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2280 RegAsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28 PID 1808 wrote to memory of 2280 1808 2529a7bbbdf0b297c2bcbde40bca3671.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2529a7bbbdf0b297c2bcbde40bca3671.exe"C:\Users\Admin\AppData\Local\Temp\2529a7bbbdf0b297c2bcbde40bca3671.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-