Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    28s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-08-2021 21:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe

  • Size

    131KB

  • MD5

    6301e9c998f8c01fda4f923f6d027c58

  • SHA1

    f5e9a39ddd9ffbe627b492653c46c5ba9e25240a

  • SHA256

    c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b

  • SHA512

    1302d2a51d72aab781db8dd862aa814686f85bc8061a4acf72538af704c14ea78f2d514285e54e5173ea5924fc1fe1b7c7ba32e78554356144f2b9f7eda71a30

Score
10/10
redline7newdiscoveryinfostealerpersistencespywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

7new

C2

sytareliar.xyz:80

yabelesatg.xyz:80

ceneimarck.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe
    "C:\Users\Admin\AppData\Local\Temp\c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Roaming\4981553.exe
      "C:\Users\Admin\AppData\Roaming\4981553.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1560 -s 2024
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
    • C:\Users\Admin\AppData\Roaming\7825578.exe
      "C:\Users\Admin\AppData\Roaming\7825578.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1748
    • C:\Users\Admin\AppData\Roaming\3088313.exe
      "C:\Users\Admin\AppData\Roaming\3088313.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Users\Admin\AppData\Roaming\6377463.exe
      "C:\Users\Admin\AppData\Roaming\6377463.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 2224
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\3088313.exe
    MD5

    847f33cf691e4880c90eedbd843eecef

    SHA1

    f1ceaa79cde6aae1101ff25661594e4fb3a300af

    SHA256

    22561d7f28f4914eb00ece540d4b48e3064706e3e627e6b46c58b35311aa27c7

    SHA512

    de5e34f0158d878e50e9ad558093585fb0302348f78997b9f429747357ce7acad84357548d584aa2c1a81030caf44adfb4f6954051449aa805cfe906b47308af

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3088313.exe
    MD5

    847f33cf691e4880c90eedbd843eecef

    SHA1

    f1ceaa79cde6aae1101ff25661594e4fb3a300af

    SHA256

    22561d7f28f4914eb00ece540d4b48e3064706e3e627e6b46c58b35311aa27c7

    SHA512

    de5e34f0158d878e50e9ad558093585fb0302348f78997b9f429747357ce7acad84357548d584aa2c1a81030caf44adfb4f6954051449aa805cfe906b47308af

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4981553.exe
    MD5

    c1c2faffcf934cd29b20b4922ea0d2f7

    SHA1

    a2e239069b9559de7c6a3ddb35653e64e1dcbede

    SHA256

    cd364c53f5dd10e6a4d9e0992a471a398580a322531ffb09c6184118e8226fe1

    SHA512

    238e18d61fed19fb2d887dc20aa7b43af6807e4cd1ca662f97b7ba63fd734f0df2a703c25acbb8f502c06957e874231319c0138f07663b661fa192349beaf0ff

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4981553.exe
    MD5

    c1c2faffcf934cd29b20b4922ea0d2f7

    SHA1

    a2e239069b9559de7c6a3ddb35653e64e1dcbede

    SHA256

    cd364c53f5dd10e6a4d9e0992a471a398580a322531ffb09c6184118e8226fe1

    SHA512

    238e18d61fed19fb2d887dc20aa7b43af6807e4cd1ca662f97b7ba63fd734f0df2a703c25acbb8f502c06957e874231319c0138f07663b661fa192349beaf0ff

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6377463.exe
    MD5

    36acd7e8f309426cb30aeda6c58234a6

    SHA1

    e111555e3324dcb03fda2b03fd4f765dec10ee75

    SHA256

    d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

    SHA512

    62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6377463.exe
    MD5

    36acd7e8f309426cb30aeda6c58234a6

    SHA1

    e111555e3324dcb03fda2b03fd4f765dec10ee75

    SHA256

    d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

    SHA512

    62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7825578.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7825578.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit
  • memory/1280-124-0x0000000000000000-mapping.dmp
    Download
  • memory/1280-135-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1280-142-0x0000000007330000-0x0000000007331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1280-146-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1280-140-0x0000000000AC0000-0x0000000000AC7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1560-123-0x0000000000950000-0x000000000097B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1560-128-0x000000001AE40000-0x000000001AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1560-121-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1560-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1748-151-0x0000000000000000-mapping.dmp
    Download
  • memory/1748-161-0x00000000048D0000-0x00000000048D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1748-162-0x0000000007300000-0x0000000007301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-145-0x0000000007A40000-0x0000000007A41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-148-0x00000000074F0000-0x00000000074F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-141-0x0000000004E80000-0x0000000004EB2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2592-167-0x0000000009250000-0x0000000009251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-134-0x00000000006D0000-0x00000000006D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-126-0x0000000000000000-mapping.dmp
    Download
  • memory/2592-147-0x0000000007490000-0x0000000007491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-166-0x0000000008B50000-0x0000000008B51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-159-0x00000000076E0000-0x00000000076E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-150-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-171-0x0000000008E00000-0x0000000008E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-168-0x0000000008D20000-0x0000000008D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-149-0x0000000007530000-0x0000000007531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3716-116-0x0000000000E90000-0x0000000000EA8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/3716-117-0x000000001B270000-0x000000001B272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3716-114-0x00000000005D0000-0x00000000005D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3828-131-0x0000000000000000-mapping.dmp
    Download
  • memory/3828-165-0x00000000094E0000-0x00000000094E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3828-136-0x0000000000F90000-0x0000000000F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3828-160-0x0000000008E40000-0x0000000008E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3828-143-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3828-144-0x0000000003330000-0x000000000335B000-memory.dmp
    Filesize

    172KB

    Download