Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-10-2021 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd.exe

  • Size

    1.9MB

  • MD5

    99df6353fe7522df46b187dd77680a04

  • SHA1

    718408c02be57809602852ac4d905ca94e15c634

  • SHA256

    aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd

  • SHA512

    587d66b3b8fe3ed08b05f64dc0203f56dbaac7bdcde62d6ba07a3e00b1210bf38ed315a1c9586ff285b174ce238a55b5c6449032633abb12324b7fc5aec5ee20

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd.exe
    "C:\Users\Admin\AppData\Local\Temp\aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd.exe
      "C:\Users\Admin\AppData\Local\Temp\aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aa0b18588184b4fbafe165ac9d837e82904f629ddbaf0b995385a3a1ad0322bd.exe.log
    MD5

    90acfd72f14a512712b1a7380c0faf60

    SHA1

    40ba4accb8faa75887e84fb8e38d598dc8cf0f12

    SHA256

    20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

    SHA512

    29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

    Download Submit

  • memory/760-115-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-117-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-118-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-119-0x0000000004D50000-0x0000000004D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-120-0x0000000004D50000-0x000000000524E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/760-121-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-122-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-123-0x0000000008BC0000-0x0000000008C6B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/760-135-0x0000000004D50000-0x000000000524E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3764-130-0x0000000005430000-0x0000000005431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-125-0x0000000000436F2E-mapping.dmp

    Download

  • memory/3764-128-0x0000000005360000-0x0000000005361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-131-0x0000000005560000-0x0000000005561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-132-0x0000000005490000-0x0000000005491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-133-0x0000000005500000-0x0000000005501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-134-0x0000000005380000-0x0000000005381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-129-0x00000000059A0000-0x00000000059A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-137-0x00000000057E0000-0x00000000057E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-138-0x0000000006390000-0x0000000006391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-140-0x0000000006490000-0x0000000006491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-141-0x0000000006F00000-0x0000000006F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-142-0x0000000007600000-0x0000000007601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-143-0x00000000073D0000-0x00000000073D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-124-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download