Overview

overview

10

Static

static

1

Aquantia_S...21.exe

windows7-x64

3

Aquantia_S...21.exe

windows10-2004-x64

10

Resubmissions

12-05-2024 16:17

240512-trvr4adh71 10

12-05-2024 16:04

240512-th9vnade4x 10

Analysis

  • max time kernel
    5s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aquantia_Setup 2.21.exe

  • Size

    368KB

  • MD5

    f77b3165615ad09f0dec44af2746fc36

  • SHA1

    7b6bc037c7c82534805a739e93a14a34cffb15de

  • SHA256

    ee348f845ad37552a32b0643002b39614abab46eb7cba0788a4fe75ce5191c6c

  • SHA512

    a002681e303d6ffa165e9500c9a64e23ccda58f503d182d397f25cf9661fa2268a6da750f7af12eac1d90c3fe7c2853f0ba8f2f42badd8a353fac176774a5565

  • SSDEEP

    6144:su1A7hb59pvaOKDpV1aUDTssIIE4dnW4hqHAJwtPzhAgr7NHiNI6espZ:sQAX9Qr1aUD4s8ZzKgoaPspZ

Score
10/10
redlinezgratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aquantia_Setup 2.21.exe
    "C:\Users\Admin\AppData\Local\Temp\Aquantia_Setup 2.21.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2940-0-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-1-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-3-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-2-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/5036-4-0x000000007419E000-0x000000007419F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-5-0x0000000005D00000-0x00000000062A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5036-6-0x0000000005850000-0x00000000058E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5036-7-0x0000000074190000-0x0000000074940000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5036-8-0x00000000059F0000-0x00000000059FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5036-9-0x0000000006EA0000-0x00000000074B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5036-10-0x00000000069E0000-0x0000000006AEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5036-11-0x0000000006910000-0x0000000006922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5036-12-0x0000000006970000-0x00000000069AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5036-13-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5036-14-0x0000000006C70000-0x0000000006CD6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5036-15-0x00000000075C0000-0x0000000007636000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5036-16-0x0000000006E50000-0x0000000006E6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5036-17-0x0000000007DF0000-0x0000000007FB2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5036-18-0x0000000009230000-0x000000000975C000-memory.dmp

    Filesize

    5.2MB

    Download