Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    79s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    15-12-2021 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe

  • Size

    551KB

  • MD5

    749f87b58e7faa71de24d4f8487d3c56

  • SHA1

    bf0d6bb93a9b2c25ec8a8fdf831da2ee3630aa7d

  • SHA256

    7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690

  • SHA512

    dc3cd730b9a5616fa4d261b96d6857947a0342d72008738013fb7fb2981c76139aab6ab6978e05ae880faa02c3e52fb1fc3357b30ccf5afed44f4f3523fd5561

Score
10/10
redlinemix16.12discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

mix16.12

C2

185.215.113.70:21508

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe
    "C:\Users\Admin\AppData\Local\Temp\7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Roaming\neofed\neofim.exe
      neofim.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\neofed\neofim.exe
    MD5

    b55b79a43adaa926c61fcab8dd9270b3

    SHA1

    81ab099461595934b47462d0587d0f0c85a24999

    SHA256

    50ce76cbce3d9be8c8e7d9595ddfe43118192a1df5644a8ec03a1bcf36029d97

    SHA512

    f5d10c08e1c3904f885376ad21501cadc4206ebe5e3d3bba46a97cc78745ac1dd07997936771dd07809865438d97767c1c810afcd3f74f8a346b02fb8e554540

    Download Submit
  • C:\Users\Admin\AppData\Roaming\neofed\neofim.exe
    MD5

    b55b79a43adaa926c61fcab8dd9270b3

    SHA1

    81ab099461595934b47462d0587d0f0c85a24999

    SHA256

    50ce76cbce3d9be8c8e7d9595ddfe43118192a1df5644a8ec03a1bcf36029d97

    SHA512

    f5d10c08e1c3904f885376ad21501cadc4206ebe5e3d3bba46a97cc78745ac1dd07997936771dd07809865438d97767c1c810afcd3f74f8a346b02fb8e554540

    Download Submit
  • memory/2560-115-0x0000000000D40000-0x0000000000DAC000-memory.dmp
    Filesize

    432KB

    Download
  • memory/2560-117-0x0000000000400000-0x000000000087B000-memory.dmp
    Filesize

    4.5MB

    Download
  • memory/2560-116-0x0000000000E80000-0x0000000000F4E000-memory.dmp
    Filesize

    824KB

    Download
  • memory/2708-128-0x0000000002A70000-0x0000000002A9D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2708-131-0x0000000002B70000-0x0000000002B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-122-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-123-0x0000000000C90000-0x0000000000CBB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2708-124-0x0000000000CF0000-0x0000000000D29000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2708-125-0x0000000000400000-0x000000000083B000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/2708-126-0x0000000002B60000-0x0000000002B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-118-0x0000000000000000-mapping.dmp
    Download
  • memory/2708-127-0x0000000002B62000-0x0000000002B63000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-129-0x0000000002B63000-0x0000000002B64000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-130-0x00000000054F0000-0x00000000054F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-121-0x0000000000E50000-0x0000000000E7E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2708-132-0x0000000002B90000-0x0000000002B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-133-0x0000000005B20000-0x0000000005B21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-134-0x0000000005B90000-0x0000000005B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-135-0x0000000002B64000-0x0000000002B66000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2708-136-0x0000000005D30000-0x0000000005D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-137-0x00000000064F0000-0x00000000064F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-138-0x0000000006580000-0x0000000006581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-139-0x0000000006780000-0x0000000006781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-140-0x00000000069B0000-0x00000000069B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-141-0x0000000006B80000-0x0000000006B81000-memory.dmp
    Filesize

    4KB

    Download