Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    39s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-08-2021 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3760fafd1e5ee645aaef604ff52ffa90b563bc13bfbc18e9b3af523b3ebf20b5.exe

  • Size

    796KB

  • MD5

    a974c0caddd12b9920902ef72ffdad0c

  • SHA1

    bf559198597d137f81eb52e1071389de96514ab4

  • SHA256

    3760fafd1e5ee645aaef604ff52ffa90b563bc13bfbc18e9b3af523b3ebf20b5

  • SHA512

    8d3e5d97380919592ce4123cbc7e0a25665aa5d0f0fd55a3b1553b341689d441278f46898f72e1faedce1a8b84dd7a35d6a9c32399e74df967b5d3e9d80bb729

Score
10/10
redlineruzdiscoveryevasioninfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

RUZ

C2

sandedean.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 5 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3760fafd1e5ee645aaef604ff52ffa90b563bc13bfbc18e9b3af523b3ebf20b5.exe
    "C:\Users\Admin\AppData\Local\Temp\3760fafd1e5ee645aaef604ff52ffa90b563bc13bfbc18e9b3af523b3ebf20b5.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Soft\trusted\trusr.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Soft\trusted\1at.bat" "
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • Delays execution with timeout.exe
          PID:3832
        • C:\Soft\trusted\trust_cert.com
          "trust_cert.com" e -pEkZAp8pHr6Mqaq9SQ xr.rar
          4⤵
          • Executes dropped EXE
          PID:2188
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:1096
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Soft\trusted\9l.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3900
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Soft\trusted\xx54.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\Soft"
              6⤵
              • Views/modifies file attributes
              PID:3296
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:2712
            • C:\Soft\trusted\ledarx.exe
              ledarx.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:496
              • C:\Soft\trusted\ledarx.exe
                ledarx.exe /start
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3812
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im trust_cert.com
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:412
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im trust_cert.com
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1816
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\Soft\trusted"
              6⤵
              • Views/modifies file attributes
              PID:2288
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:2284
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2
T1158

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Soft\trusted\1at.bat
    MD5

    9621e9b2dda4f5d9e98394e7083e9acc

    SHA1

    b41457492caaa084e04eea368ddfdce7b4ff47f8

    SHA256

    68db4992619b59abe6db43501028272e95124dbb10e94dd72f9c66ce47b6373a

    SHA512

    e060d37aba786f1c725a3e2ce9954220a0d53bb97880036156ae51360bc6e72707187b4685a35371107b2916cdf5854dfc9def56d2d2f258ad272b99277b2168

    Download Submit
  • C:\Soft\trusted\9l.vbs
    MD5

    43e78a35d4d3ec90d7e760caa8dad51c

    SHA1

    d9d379ae55ae8daa9aa9aa28a3567efaeb63eebe

    SHA256

    869d7ba49888533eaf5b8d571c867bf3dae406fdd44318b8ae7bb03af2a84d6f

    SHA512

    34e2cf9d6dfd41c24e468206bffebb2b5f1e491b987b2f797e6bf5e83ad3fe063ece9cfeebb401617ae4f8f0ae370a3f0f364bd7a88759812771159a0e94806f

    Download Submit
  • C:\Soft\trusted\dump.ssl
    MD5

    2e58e3545c24c2955b0c361cd55c30e1

    SHA1

    f8b07f9043c86a5ab3ba2518fb30ca4607e473c4

    SHA256

    3743472aa6d2c8bd148575df3a0cb2dbc78137f219f442044a68f3b4278e1e1f

    SHA512

    1ea632a4726d1d2e193d3cbdcb43f83a709c3744df17441155875e6ee3e3f09418ef4a9807a5b16cbdefa4bac760a114c539e889209d8d45dfc714c49986e13c

    Download Submit
  • C:\Soft\trusted\ledarx.exe
    MD5

    1f331d518d0e425ab7642ccd638ec795

    SHA1

    71be2eec586f3a1dfb6971845a784ceeb049a838

    SHA256

    63fd6bf15b0991d449174bc48825a2ccf0056e9cff75b407cbe9755241ef6a35

    SHA512

    b449ca3c6410e035dfd7d45f5a37cbcdc8e4e97a8318ab36e513d7044115bcf7f23eb9dd8321f04ee04f93ff8cd626b1ec6b3913c0cd1d34eb5d0e0f80422b80

    Download Submit
  • C:\Soft\trusted\ledarx.exe
    MD5

    1f331d518d0e425ab7642ccd638ec795

    SHA1

    71be2eec586f3a1dfb6971845a784ceeb049a838

    SHA256

    63fd6bf15b0991d449174bc48825a2ccf0056e9cff75b407cbe9755241ef6a35

    SHA512

    b449ca3c6410e035dfd7d45f5a37cbcdc8e4e97a8318ab36e513d7044115bcf7f23eb9dd8321f04ee04f93ff8cd626b1ec6b3913c0cd1d34eb5d0e0f80422b80

    Download Submit
  • C:\Soft\trusted\ledarx.exe
    MD5

    1f331d518d0e425ab7642ccd638ec795

    SHA1

    71be2eec586f3a1dfb6971845a784ceeb049a838

    SHA256

    63fd6bf15b0991d449174bc48825a2ccf0056e9cff75b407cbe9755241ef6a35

    SHA512

    b449ca3c6410e035dfd7d45f5a37cbcdc8e4e97a8318ab36e513d7044115bcf7f23eb9dd8321f04ee04f93ff8cd626b1ec6b3913c0cd1d34eb5d0e0f80422b80

    Download Submit
  • C:\Soft\trusted\trusr.vbs
    MD5

    e4bc20a44789d26859352df31041bd1f

    SHA1

    49e3fdc0385299007b4617bc84759f0b4225fdb4

    SHA256

    13ce6cfecb26ca72699dd624cdd20e07453cc39f24452642edcf91ad724da99a

    SHA512

    37f0441f915948485032047c9fcb2842b9699fc118dec8c961eb815f7fb489a391640ceff9bc9bc58da34e54a48a9f9a81f5509008d89dbeb1478367a34e2102

    Download Submit
  • C:\Soft\trusted\trust_cert.com
    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

    Download Submit
  • C:\Soft\trusted\trust_cert.com
    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

    Download Submit
  • C:\Soft\trusted\xx54.bat
    MD5

    b44f70202d320f439facb9d67726e445

    SHA1

    c1d8c5f0677acc788ab7072e10dca15153fa60ba

    SHA256

    6ec5f540671441cdae8bc4f7c9aaf5d6901624fb772243acd01cfd171c9fac77

    SHA512

    0561ef4b7b1fa4dce7ea9bf0ba7bf3bc6623945885719621f39aeaf71f90ea91d5868617948ab316e692890225186f7724183451d27c8ded5a12c5a51d2b5a70

    Download Submit
  • memory/412-136-0x0000000000000000-mapping.dmp
    Download
  • memory/496-130-0x0000000000000000-mapping.dmp
    Download
  • memory/1096-122-0x0000000000000000-mapping.dmp
    Download
  • memory/1816-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2188-120-0x0000000000000000-mapping.dmp
    Download
  • memory/2284-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2288-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2368-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2712-114-0x0000000000000000-mapping.dmp
    Download
  • memory/2712-129-0x0000000000000000-mapping.dmp
    Download
  • memory/2992-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3296-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3448-125-0x0000000000000000-mapping.dmp
    Download
  • memory/3812-147-0x0000000004BA3000-0x0000000004BA4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-159-0x0000000007070000-0x0000000007071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-134-0x000000000040CD2F-mapping.dmp
    Download
  • memory/3812-140-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/3812-141-0x0000000002300000-0x000000000231D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/3812-142-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-143-0x00000000023B0000-0x00000000023CB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3812-144-0x00000000050B0000-0x00000000050B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-146-0x0000000004BA2000-0x0000000004BA3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-149-0x00000000025A0000-0x00000000025A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-148-0x0000000002580000-0x0000000002581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-133-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/3812-145-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-150-0x0000000004BA4000-0x0000000004BA6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3812-151-0x0000000004A80000-0x0000000004A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-152-0x0000000005700000-0x0000000005701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-158-0x00000000070A0000-0x00000000070A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-154-0x00000000063E0000-0x00000000063E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-155-0x00000000065B0000-0x00000000065B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-156-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-157-0x0000000006F50000-0x0000000006F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3832-118-0x0000000000000000-mapping.dmp
    Download
  • memory/3900-124-0x0000000000000000-mapping.dmp
    Download