Overview

overview

10

Static

static

3

Quest Adve...er.zip

windows7-x64

1

Quest Adve...er.zip

windows10-2004-x64

1

Quest Adve...er.exe

windows7-x64

10

Quest Adve...er.exe

windows10-2004-x64

10

Quest Adve...ch.exe

windows7-x64

1

Quest Adve...ch.exe

windows10-2004-x64

1

Quest Adve...or.exe

windows7-x64

1

Quest Adve...or.exe

windows10-2004-x64

1

Quest Adve...er.exe

windows7-x64

1

Quest Adve...er.exe

windows10-2004-x64

1

Quest Adve...ar.exe

windows7-x64

1

Quest Adve...ar.exe

windows10-2004-x64

1

Quest Adve...er.exe

windows7-x64

1

Quest Adve...er.exe

windows10-2004-x64

1

Quest Adve...va.exe

windows7-x64

1

Quest Adve...va.exe

windows10-2004-x64

1

Quest Adve...ac.exe

windows7-x64

1

Quest Adve...ac.exe

windows10-2004-x64

1

Quest Adve...oc.exe

windows7-x64

1

Quest Adve...oc.exe

windows10-2004-x64

1

Quest Adve...md.exe

windows7-x64

1

Quest Adve...md.exe

windows10-2004-x64

1

Quest Adve...mplate

windows7-x64

3

Quest Adve...mplate

windows10-2004-x64

3

Quest Adve...erties

windows7-x64

3

Quest Adve...erties

windows10-2004-x64

3

Quest Adve...erties

windows7-x64

3

Quest Adve...erties

windows10-2004-x64

3

Quest Adve...curity

windows7-x64

3

Quest Adve...curity

windows10-2004-x64

3

Quest Adve...ME.txt

windows7-x64

1

Quest Adve...ME.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quest Adventure Installer/GameLauncher.exe

  • Size

    1.6MB

  • MD5

    b7dc1166dbcd5df0a6c7c6ce4e72c30b

  • SHA1

    cd034c1468bdcb81cc52efeba5c95857d60cc537

  • SHA256

    e6fad824874c1ba468b8a4f94acd705cccb0c4d316b321eb3935c2160e1217f1

  • SHA512

    aade2a596c8e714a56b54c6618d870dd2e5bef8bd37b128a5406785bb5d80c1ae15cd34aca1dad9c0db36ff0bb08dfef65e54bf94d3638e00fbe5d6b2ef73e6a

  • SSDEEP

    24576:IdHHNmOzj4d9c8r1zSYiNED/MZvR4x6ApJT8v4A4n:eHQOJ5YiNED/MZvR3AbVA

Score
10/10
redlinezgratinfostealerratspyware

Malware Config

Signatures

  • Detect ZGRat V1 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quest Adventure Installer\GameLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\Quest Adventure Installer\GameLauncher.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2968
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2488
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
          PID:808

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\TmpA555.tmp
        Filesize

        2KB

        MD5

        1420d30f964eac2c85b2ccfe968eebce

        SHA1

        bdf9a6876578a3e38079c4f8cf5d6c79687ad750

        SHA256

        f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

        SHA512

        6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

        Download Submit
      • memory/808-48-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/808-47-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2156-6-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2156-51-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2156-46-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2156-18-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2156-8-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2156-9-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2156-10-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2156-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2156-19-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2156-17-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2156-15-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2156-16-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2488-26-0x0000000000090000-0x00000000000DF000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2488-24-0x0000000000090000-0x00000000000DF000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2488-20-0x0000000000090000-0x00000000000DF000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2488-22-0x0000000000090000-0x00000000000DF000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2488-25-0x0000000000090000-0x00000000000DF000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2968-40-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2968-50-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2968-53-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2968-36-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2968-42-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2968-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2968-52-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2968-38-0x0000000000400000-0x00000000004C0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/3056-4-0x0000000000750000-0x000000000076A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3056-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3056-3-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3056-49-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3056-5-0x0000000000530000-0x0000000000536000-memory.dmp
        Filesize

        24KB

        Download
      • memory/3056-2-0x0000000000C90000-0x0000000000CD4000-memory.dmp
        Filesize

        272KB

        Download
      • memory/3056-14-0x0000000074BA0000-0x000000007528E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3056-13-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3056-1-0x0000000000240000-0x00000000003DA000-memory.dmp
        Filesize

        1.6MB

        Download