Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    24-10-2021 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60d5d621021211e78d6970ec792b181f83e5cb2291b88d0a0e63e17215287c83.exe

  • Size

    705KB

  • MD5

    0f8ab084532b57e7dba94d75c688250e

  • SHA1

    74081221c6374dff6363b120bd5a5bc29c6e9f05

  • SHA256

    60d5d621021211e78d6970ec792b181f83e5cb2291b88d0a0e63e17215287c83

  • SHA512

    2169b48dd21a9e0188c7f1c3d4152bbd6bf7f4b7c4aab26945a622770151e4286c09f2b66028afb86367a5e0743555fd7b80fb6d6502faefaa266621b12c832c

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60d5d621021211e78d6970ec792b181f83e5cb2291b88d0a0e63e17215287c83.exe
    "C:\Users\Admin\AppData\Local\Temp\60d5d621021211e78d6970ec792b181f83e5cb2291b88d0a0e63e17215287c83.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe
      ipstersh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4508

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe
    MD5

    a67648a5bb88c3bfb10e76a764efef44

    SHA1

    27b7ccf7e4559fcbb3a0e83b600f54f1b602bf7d

    SHA256

    fcbae6e5add0cd76ec5a91761d8f17396dcac7a5ca41f6d9dd7401b4c0b2ce94

    SHA512

    418ca5c8e5f43b94dcd702be7742488f053db1e0d6ee6e34ada4337cedf1832e7a8a4449724f2348abecd8eeee7d6bd5b81378781cf8dfafe6beb4f74a18ddfe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe
    MD5

    a67648a5bb88c3bfb10e76a764efef44

    SHA1

    27b7ccf7e4559fcbb3a0e83b600f54f1b602bf7d

    SHA256

    fcbae6e5add0cd76ec5a91761d8f17396dcac7a5ca41f6d9dd7401b4c0b2ce94

    SHA512

    418ca5c8e5f43b94dcd702be7742488f053db1e0d6ee6e34ada4337cedf1832e7a8a4449724f2348abecd8eeee7d6bd5b81378781cf8dfafe6beb4f74a18ddfe

    Download Submit

  • memory/4368-116-0x0000000001210000-0x00000000012DF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/4368-117-0x0000000000400000-0x0000000001081000-memory.dmp

    Filesize

    12.5MB

    Download

  • memory/4368-115-0x00000000013C4000-0x0000000001430000-memory.dmp

    Filesize

    432KB

    Download

  • memory/4508-127-0x0000000002E42000-0x0000000002E43000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-131-0x0000000006130000-0x0000000006131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-122-0x00000000001C0000-0x00000000001F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4508-123-0x0000000000400000-0x0000000001037000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/4508-124-0x0000000002EE0000-0x0000000002EFC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4508-125-0x0000000005550000-0x0000000005551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-126-0x0000000002E40000-0x0000000002E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-118-0x0000000000000000-mapping.dmp

    Download

  • memory/4508-128-0x0000000002E43000-0x0000000002E44000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-129-0x0000000002FE0000-0x0000000002FFB000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4508-130-0x0000000005A90000-0x0000000005A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-121-0x00000000010E1000-0x0000000001104000-memory.dmp

    Filesize

    140KB

    Download

  • memory/4508-132-0x0000000006160000-0x0000000006161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-133-0x0000000006270000-0x0000000006271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-134-0x0000000002E44000-0x0000000002E46000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4508-135-0x00000000062F0000-0x00000000062F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-136-0x0000000006480000-0x0000000006481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-137-0x0000000006C70000-0x0000000006C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-138-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-139-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-140-0x00000000070E0000-0x00000000070E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-141-0x00000000072B0000-0x00000000072B1000-memory.dmp

    Filesize

    4KB

    Download