Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    54s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-09-2021 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe

  • Size

    565KB

  • MD5

    fe4a7ad6dbe0a0ae9c148de33f50802b

  • SHA1

    b0b959e0bd284bd45eb7492d51b3e189ec5dd402

  • SHA256

    2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642

  • SHA512

    c6b1ec7cb76ad77a1f0be4e5b3c692a8981a7116f68b81d1d0c3bba9130ffe26aca8d1aa09b14868910cbd0a61ce853f8aeb77743f54f23427d6c85b1c4c7b64

Score
10/10
redline15.09discoveryinfostealerspywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

15.09

C2

185.215.113.17:48236

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

    suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe
    "C:\Users\Admin\AppData\Local\Temp\2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Roaming\wushup\lipstersh.exe
      lipstersh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\wushup\lipstersh.exe
    MD5

    2e86ae6eb7d98ccfa1c9433f77baac74

    SHA1

    77f47fad5da023c8775496b442666d90dcc5d493

    SHA256

    1566629c1522ed8c33bdf8d6cf525d0611994d45d533ba493b6133b27b668c71

    SHA512

    c3c64a68c992bc24cda82c2115301c5ced2faa3c35b0eecc466d0a6464fd3eecca660779570fe06b30ef7cfbc1957020cf1789eae1a237afdda2da587c06327a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\wushup\lipstersh.exe
    MD5

    2e86ae6eb7d98ccfa1c9433f77baac74

    SHA1

    77f47fad5da023c8775496b442666d90dcc5d493

    SHA256

    1566629c1522ed8c33bdf8d6cf525d0611994d45d533ba493b6133b27b668c71

    SHA512

    c3c64a68c992bc24cda82c2115301c5ced2faa3c35b0eecc466d0a6464fd3eecca660779570fe06b30ef7cfbc1957020cf1789eae1a237afdda2da587c06327a

    Download Submit
  • memory/992-115-0x0000000000400000-0x00000000021AB000-memory.dmp
    Filesize

    29.7MB

    Download
  • memory/992-114-0x0000000003DE0000-0x0000000003EAD000-memory.dmp
    Filesize

    820KB

    Download
  • memory/1208-126-0x00000000024E0000-0x00000000024FE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1208-129-0x00000000056D0000-0x00000000056D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-119-0x00000000001C0000-0x00000000001F0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1208-121-0x00000000024C0000-0x00000000024C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-122-0x00000000021D0000-0x00000000021EF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1208-123-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-124-0x00000000024C2000-0x00000000024C3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-125-0x00000000024C3000-0x00000000024C4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-116-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-127-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-128-0x00000000056A0000-0x00000000056A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-120-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize

    444KB

    Download
  • memory/1208-130-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-131-0x00000000024C4000-0x00000000024C6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1208-132-0x0000000005860000-0x0000000005861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-133-0x0000000006A80000-0x0000000006A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-134-0x0000000006C50000-0x0000000006C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-135-0x0000000007270000-0x0000000007271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-136-0x00000000075D0000-0x00000000075D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-137-0x0000000007670000-0x0000000007671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-138-0x0000000006030000-0x0000000006031000-memory.dmp
    Filesize

    4KB

    Download