Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    26-01-2022 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23.exe

  • Size

    702KB

  • MD5

    435757d3c3e80723c18c9053dbe3bb90

  • SHA1

    8f38de1a3bf7a3937b712db14f11e8a6d1a3ec00

  • SHA256

    03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23

  • SHA512

    88387e0182d1969f2957e8814383624052d03460d7ef7770c4835504bdc9cb77992dd3c1e620cdb9a9f0e74abeba7e8e86ccb405757e6e6f279705b4be5fa99d

Score
10/10
redlinemix26.01discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

mix26.01

C2

185.215.113.70:21508

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23.exe
    "C:\Users\Admin\AppData\Local\Temp\03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Roaming\Green\neofim.exe
      neofim.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Green\neofim.exe
    MD5

    a3377eab3ef751df3dfc631512bfbbca

    SHA1

    dd82520deb584884de1c361a1d8aad6f5dd4c3be

    SHA256

    7de1d6871b83deefd60706fc87f03b1b57be6a259107c1f4e797eb386c5db464

    SHA512

    c7f4135b694a1692e61e579b3ed1d1675cc16ccc55d8d7969c4f2800d21c736424120f1ecbb63900a3a87ddf0ece3c434b7ccf47959d7546db49995affaa8764

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Green\neofim.exe
    MD5

    a3377eab3ef751df3dfc631512bfbbca

    SHA1

    dd82520deb584884de1c361a1d8aad6f5dd4c3be

    SHA256

    7de1d6871b83deefd60706fc87f03b1b57be6a259107c1f4e797eb386c5db464

    SHA512

    c7f4135b694a1692e61e579b3ed1d1675cc16ccc55d8d7969c4f2800d21c736424120f1ecbb63900a3a87ddf0ece3c434b7ccf47959d7546db49995affaa8764

    Download Submit
  • memory/3716-115-0x00000000007E0000-0x0000000000859000-memory.dmp
    Filesize

    484KB

    Download
  • memory/3716-116-0x0000000002280000-0x000000000234E000-memory.dmp
    Filesize

    824KB

    Download
  • memory/3716-117-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize

    868KB

    Download
  • memory/4044-127-0x0000000005600000-0x0000000005612000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4044-131-0x0000000004AB3000-0x0000000004AB4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-122-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download
  • memory/4044-123-0x00000000021E0000-0x0000000002214000-memory.dmp
    Filesize

    208KB

    Download
  • memory/4044-124-0x0000000004AC0000-0x0000000004FBE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4044-125-0x00000000025B0000-0x00000000025E2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4044-126-0x0000000004FC0000-0x00000000055C6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4044-120-0x00000000007B0000-0x00000000007DB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/4044-129-0x0000000005630000-0x000000000573A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4044-128-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-130-0x0000000004AB2000-0x0000000004AB3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-121-0x00000000007E0000-0x0000000000819000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4044-132-0x0000000005780000-0x00000000057BE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4044-133-0x00000000057D0000-0x000000000581B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4044-134-0x0000000004A60000-0x0000000004AB6000-memory.dmp
    Filesize

    344KB

    Download
  • memory/4044-135-0x0000000005A70000-0x0000000005AD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4044-136-0x0000000006110000-0x0000000006186000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4044-137-0x00000000061D0000-0x0000000006262000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4044-138-0x00000000062C0000-0x00000000062DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4044-139-0x00000000065F0000-0x00000000067B2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4044-140-0x00000000067C0000-0x0000000006CEC000-memory.dmp
    Filesize

    5.2MB

    Download