General

  • Target

    JaffaCakes118_4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af

  • Size

    700.0MB

  • Sample

    241223-w7zgbsxlgs

  • MD5

    42a123d2a8c6b9bf813d4ba30c6f7339

  • SHA1

    020db224e295b652601f34b1b5284f3ad6bdf22f

  • SHA256

    4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af

  • SHA512

    aec4d9c6c9255ad4764a737bb38f68e525d95d38d634e286100c896683fa1bc5f3b62cdc829b6f990fb2570455a6f1c3a7c81e117499065520c24325700cccaf

  • SSDEEP

    98304:Xm27HCFxPcIIqb9tIKdgEezl6nW1WIxV2UBPB3VsYT:XmHbPcIIqb9u15zl6nW1WA2rYT

Malware Config

Extracted

Family

redline

Botnet

web

C2

62.204.41.139:25190

Attributes
  • auth_value

    2b0495835b75f494572b5792f0b7a9e1

Targets

    • Target

      JaffaCakes118_4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af

    • Size

      700.0MB

    • MD5

      42a123d2a8c6b9bf813d4ba30c6f7339

    • SHA1

      020db224e295b652601f34b1b5284f3ad6bdf22f

    • SHA256

      4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af

    • SHA512

      aec4d9c6c9255ad4764a737bb38f68e525d95d38d634e286100c896683fa1bc5f3b62cdc829b6f990fb2570455a6f1c3a7c81e117499065520c24325700cccaf

    • SSDEEP

      98304:Xm27HCFxPcIIqb9tIKdgEezl6nW1WIxV2UBPB3VsYT:XmHbPcIIqb9u15zl6nW1WA2rYT

    • Detect ZGRat V2

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Zgrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks