Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    71s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe

  • Size

    808KB

  • MD5

    0f7db123d145142719c707374a5848a4

  • SHA1

    b2a03dbf263d4a50caf841fbb00ffa8f0f071ee1

  • SHA256

    579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba

  • SHA512

    0e5e7dd009452dbb7e32ee34f65e4a2336f20ca19f596c3ba82131d130a0ce9bf6b7f15e4258de1f1eb5b932f9b499e95bf15c05dd096d0160427d3161f744c1

Score
10/10
redline01discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

01

C2

176.57.71.68:37814

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe
    "C:\Users\Admin\AppData\Local\Temp\579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2476-115-0x0000000000810000-0x0000000000841000-memory.dmp
    Filesize

    196KB

    Download
  • memory/2476-121-0x0000000002A90000-0x0000000002AAC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2476-124-0x0000000002CB2000-0x0000000002CB3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-123-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-125-0x00000000056A0000-0x00000000056A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-126-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-127-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-128-0x0000000002CB3000-0x0000000002CB4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-129-0x0000000002D00000-0x0000000002D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-130-0x00000000061B0000-0x00000000061B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-131-0x0000000007A20000-0x0000000007A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-132-0x0000000002CB4000-0x0000000002CB5000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-133-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-134-0x0000000008B70000-0x0000000008B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-135-0x0000000008D40000-0x0000000008D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-136-0x0000000009360000-0x0000000009361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-137-0x0000000009650000-0x0000000009651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-138-0x00000000097A0000-0x00000000097A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2476-139-0x000000000A500000-0x000000000A501000-memory.dmp
    Filesize

    4KB

    Download