Overview

overview

10

Static

static

3

0de9ceb4a3...69.exe

windows7-x64

3

0de9ceb4a3...69.exe

windows10-2004-x64

10

0e996fcc71...f5.exe

windows7-x64

3

0e996fcc71...f5.exe

windows10-2004-x64

10

2ab1df3f8f...6b.exe

windows7-x64

3

2ab1df3f8f...6b.exe

windows10-2004-x64

10

2d7becaac8...2a.exe

windows10-2004-x64

10

50b189382d...9a.exe

windows7-x64

3

50b189382d...9a.exe

windows10-2004-x64

10

57959e3af4...c6.exe

windows7-x64

3

57959e3af4...c6.exe

windows10-2004-x64

10

5f7c9e83d8...c5.exe

windows7-x64

3

5f7c9e83d8...c5.exe

windows10-2004-x64

10

64b48352a0...25.exe

windows7-x64

3

64b48352a0...25.exe

windows10-2004-x64

10

8a870280a0...35.exe

windows7-x64

3

8a870280a0...35.exe

windows10-2004-x64

10

8f1e4113ca...56.exe

windows7-x64

3

8f1e4113ca...56.exe

windows10-2004-x64

10

94cb7f4064...ae.exe

windows10-2004-x64

10

9d876cd8a7...ed.exe

windows7-x64

3

9d876cd8a7...ed.exe

windows10-2004-x64

10

a4fbd5dfa9...dd.exe

windows7-x64

10

a4fbd5dfa9...dd.exe

windows10-2004-x64

10

b3796a101c...4b.exe

windows10-2004-x64

7

f09814000e...42.exe

windows7-x64

3

f09814000e...42.exe

windows10-2004-x64

10

f18a59d97c...79.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ab1df3f8fef1caee2ac62a5a72a677c82d0cc62b831066d9caa7cd26be2e26b.exe

  • Size

    1.2MB

  • MD5

    f84173f34e2dde73b09e195674093006

  • SHA1

    ac48cb5947b04688398d45f330497c2e2139e82b

  • SHA256

    2ab1df3f8fef1caee2ac62a5a72a677c82d0cc62b831066d9caa7cd26be2e26b

  • SHA512

    fee46161a9fbb2762feb9bef37ddfccf96a5de6f11f0113197ad5b13ab280c738a3ed000e655a6aec55a615c5f916d9c2b30d37de197aae2e5536f2ea6e02d58

  • SSDEEP

    24576:ofRaixH28+VpdGfVDeJJmJMsGM5aDnLmXs7Ms:ofsnVpdGfVDe2PGyXsgs

Score
10/10
redlinezgratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ab1df3f8fef1caee2ac62a5a72a677c82d0cc62b831066d9caa7cd26be2e26b.exe
    "C:\Users\Admin\AppData\Local\Temp\2ab1df3f8fef1caee2ac62a5a72a677c82d0cc62b831066d9caa7cd26be2e26b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2528-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2528-1-0x00000000001A0000-0x00000000001A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2528-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-2-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4092-4-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-5-0x0000000005800000-0x0000000005DA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4092-6-0x00000000052F0000-0x0000000005382000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4092-7-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4092-8-0x0000000005390000-0x000000000539A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4092-9-0x0000000006910000-0x0000000006F28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4092-10-0x0000000006470000-0x000000000657A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4092-11-0x00000000063A0000-0x00000000063B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4092-12-0x0000000006400000-0x000000000643C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4092-13-0x0000000006580000-0x00000000065CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4092-14-0x0000000006700000-0x0000000006766000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4092-15-0x00000000071B0000-0x0000000007226000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4092-16-0x00000000057A0000-0x00000000057BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4092-17-0x0000000008920000-0x0000000008AE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4092-18-0x0000000009020000-0x000000000954C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4092-20-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

    Download