Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-08-2021 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe

  • Size

    162KB

  • MD5

    953513e9a9e8496e829e98288a628c6e

  • SHA1

    eb6f1ee5c7eb3835779648e7e6418bcc9dc6b8bd

  • SHA256

    3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562

  • SHA512

    76399389dfee57bcc31f18fea3ad0efe5dd1af80eec81604f620ca0fea64248f23582405d3fd142fdb002b5180c390b6cdebe86a630735e581f1d38fc8a6437d

Score
10/10
redline7newdiscoveryinfostealerpersistencespywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

7new

C2

sytareliar.xyz:80

yabelesatg.xyz:80

ceneimarck.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe
    "C:\Users\Admin\AppData\Local\Temp\3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\AppData\Roaming\5926773.exe
      "C:\Users\Admin\AppData\Roaming\5926773.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3996 -s 2136
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:576
    • C:\Users\Admin\AppData\Roaming\7209319.exe
      "C:\Users\Admin\AppData\Roaming\7209319.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:2324
    • C:\Users\Admin\AppData\Roaming\1774412.exe
      "C:\Users\Admin\AppData\Roaming\1774412.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Users\Admin\AppData\Roaming\3754601.exe
      "C:\Users\Admin\AppData\Roaming\3754601.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3572
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2228
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\1774412.exe
    MD5

    bb470004aa699664c19b399c5e86d493

    SHA1

    1cb81c5e9189954a2b8d400051eef04851f67f13

    SHA256

    0f5aa0e94dd4a987efaeca7c6b8abfc4d593596408389555d5b73f627d13add9

    SHA512

    d1109ba1f5829f3effff21893724798a3f0c75fb772abd10c0bb8e2e78e98b05dcef29ac0d850a7a3eb8980aadd8ea7c1eee5155d0f63a2ee1cb7f58c7dd4093

    Download Submit
  • C:\Users\Admin\AppData\Roaming\1774412.exe
    MD5

    bb470004aa699664c19b399c5e86d493

    SHA1

    1cb81c5e9189954a2b8d400051eef04851f67f13

    SHA256

    0f5aa0e94dd4a987efaeca7c6b8abfc4d593596408389555d5b73f627d13add9

    SHA512

    d1109ba1f5829f3effff21893724798a3f0c75fb772abd10c0bb8e2e78e98b05dcef29ac0d850a7a3eb8980aadd8ea7c1eee5155d0f63a2ee1cb7f58c7dd4093

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3754601.exe
    MD5

    53d7fdc14532454784b25e7d9e03a1ea

    SHA1

    59fdcb845b0af484b06113b2c87bdecd2240b3c0

    SHA256

    1e9ae7d5d56d0edec67e34170dfe3dd19bb5796e4b76f6e375c419d5997059a0

    SHA512

    1cf1f5beb78d25e2a02de05137ce46be83da96bf7342b7e0421fe8b0c5dde89b545188457425d5599ea7d68b0872af2c5375c2d116744b6c630f5359a1e50adc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3754601.exe
    MD5

    53d7fdc14532454784b25e7d9e03a1ea

    SHA1

    59fdcb845b0af484b06113b2c87bdecd2240b3c0

    SHA256

    1e9ae7d5d56d0edec67e34170dfe3dd19bb5796e4b76f6e375c419d5997059a0

    SHA512

    1cf1f5beb78d25e2a02de05137ce46be83da96bf7342b7e0421fe8b0c5dde89b545188457425d5599ea7d68b0872af2c5375c2d116744b6c630f5359a1e50adc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\5926773.exe
    MD5

    7a0118a33baa712a7c0ed95d140d09d0

    SHA1

    94b4edbcf6c9527f86b20c12c8a505031316bf6f

    SHA256

    172a9e30421d9cecba28556b530f7de62ad342b9a6fd178c185e971a3db4dee0

    SHA512

    0026f6fb0352679fa049ddb2e57ea62cea501380b3b27809fbd249ecc3eb992dc0dbc3a9426a4f6c2bf8394db2b84da571b2fe36328411fd2613c8916723521d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\5926773.exe
    MD5

    7a0118a33baa712a7c0ed95d140d09d0

    SHA1

    94b4edbcf6c9527f86b20c12c8a505031316bf6f

    SHA256

    172a9e30421d9cecba28556b530f7de62ad342b9a6fd178c185e971a3db4dee0

    SHA512

    0026f6fb0352679fa049ddb2e57ea62cea501380b3b27809fbd249ecc3eb992dc0dbc3a9426a4f6c2bf8394db2b84da571b2fe36328411fd2613c8916723521d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7209319.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7209319.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • memory/860-122-0x000000001AD90000-0x000000001AD92000-memory.dmp
    Filesize

    8KB

    Download
  • memory/860-114-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/860-118-0x0000000000710000-0x0000000000711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/860-117-0x0000000000510000-0x000000000052C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/860-116-0x0000000000500000-0x0000000000501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2324-166-0x0000000008520000-0x0000000008521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-165-0x0000000005470000-0x0000000005471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-138-0x0000000000710000-0x0000000000711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-150-0x00000000074C0000-0x00000000074C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3168-146-0x0000000007920000-0x0000000007921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-145-0x0000000001020000-0x0000000001027000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3572-164-0x0000000008BB0000-0x0000000008BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-149-0x0000000002F80000-0x0000000002F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-140-0x0000000000E40000-0x0000000000E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-169-0x0000000009250000-0x0000000009251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3572-147-0x0000000007D40000-0x0000000007D6B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/3944-130-0x0000000000000000-mapping.dmp
    Download
  • memory/3944-139-0x0000000000580000-0x0000000000581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-176-0x00000000092C0000-0x00000000092C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-151-0x0000000007340000-0x0000000007341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-152-0x00000000073A0000-0x00000000073A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-153-0x0000000004F20000-0x0000000004F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-154-0x00000000073E0000-0x00000000073E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-174-0x00000000091F0000-0x00000000091F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-171-0x0000000008C40000-0x0000000008C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-170-0x0000000008540000-0x0000000008541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-161-0x0000000007590000-0x0000000007591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-144-0x0000000004D90000-0x0000000004DC3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3944-148-0x0000000007930000-0x0000000007931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3996-134-0x000000001B3C0000-0x000000001B3C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3996-126-0x0000000000A00000-0x0000000000A34000-memory.dmp
    Filesize

    208KB

    Download
  • memory/3996-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3996-123-0x00000000004C0000-0x00000000004C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3996-125-0x00000000009F0000-0x00000000009F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3996-129-0x0000000000A40000-0x0000000000A41000-memory.dmp
    Filesize

    4KB

    Download