redline

General

Target

76e4e31dd3e40ac6790c83fa48419a55
Size

5.1MB
Sample

241111-ggg22atkcv
MD5

21f4c75dc23cf4a2caa5d73d7ecc5405
SHA1

02428ce8ab84804e9d56f6ea847001611bc67fa4
SHA256

82ea10edc8a126ed26774707ebb6d5ce828268e260549bd75877fe256e06055f
SHA512

eec0704eedd154543f52225c051a2833706d785f85ca192d71a2f5f04010cffc1185c700efde6fbcb0e5729339b9d780891dd5566a6fed1007544b4548489633
SSDEEP

98304:xqb3rxxPd0T23L68nY/Xmuthjv3KdP1Nixptcj/hE9QyNXM:4b3VRm228n+bJv6dP1NiHtcuNXM

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

ws-19

C2

38.91.100.57:32750

Attributes

auth_value
b8974207e31b05e60d39e04eba8eeb0b

Targets

- Target
  
  WhatsApp/WhatsApp.exe
- Size
  
  700.0MB
- MD5
  
  76e4e31dd3e40ac6790c83fa48419a55
- SHA1
  
  f42363c9ca8325a47efd4f01f177702433d78ff8
- SHA256
  
  661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
- SHA512
  
  78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
- SSDEEP
  
  98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP
Score

10^/10

redline zgrat ws-19 agilenet discovery infostealer rat
- Detect ZGRat V2
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Zgrat family
  zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect ZGRat V2

RedLine payload

Redline family

ZGRat

Zgrat family

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2