Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-02-2022 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe

  • Size

    465KB

  • MD5

    c71425e3cc3c2e52e15f6554d510e6a8

  • SHA1

    136db115777778a0ecb9d459d3ace8c98542aafb

  • SHA256

    59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237

  • SHA512

    b0838277e82abe6e2df4cbf899d72c7faf92874800a6dd5fae4f9b6effa45543cbcd5cca934c351942ddfb52db3a0fc399199d7497faa079e8ed82ad77c536ba

Score
10/10
redlineytinfostealer

Malware Config

Extracted

Family

redline

Botnet

yt

C2

65.21.1.119:24371

Attributes
  • auth_value

    a7960fdd4739462c8f9231095a524ac3

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
    "C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
      C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
      2⤵
      • Suspicious use of UnmapMainImage
      PID:3836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 12
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3836 -ip 3836
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/816-130-0x0000000074BDE000-0x0000000074BDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-131-0x0000000000390000-0x000000000040A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/816-133-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-132-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-134-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download