Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-06-2022 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8ed64c2ba2355ae29d0f0d8fff78a40b8488fd60351839c6ce2347e355a74c3.exe

  • Size

    290KB

  • MD5

    98422ed16c0986e96b8628b55e1e86a6

  • SHA1

    c5888f1c5474e77f625903d7247239e5fc362a18

  • SHA256

    a8ed64c2ba2355ae29d0f0d8fff78a40b8488fd60351839c6ce2347e355a74c3

  • SHA512

    fadf6f67fa71ad7df3d989b59b6bcd092b0e4e2ae6749b8641caf7a3d7b41796c141490fdfa534f9dfaf5a6727d31b9d66dbbe7a75f4e0dc1b734371061df2b8

Score
10/10
redline9-5infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

9-5

C2

139.99.32.83:43199

Attributes
  • auth_value

    637de2b47f42d9cc7912f71cb6b57b5b

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8ed64c2ba2355ae29d0f0d8fff78a40b8488fd60351839c6ce2347e355a74c3.exe
    "C:\Users\Admin\AppData\Local\Temp\a8ed64c2ba2355ae29d0f0d8fff78a40b8488fd60351839c6ce2347e355a74c3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3340
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 296
      2⤵
      • Program crash
      PID:2204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2304 -ip 2304
    1⤵
      PID:4080

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2304-136-0x0000000000F7C000-0x0000000000F7E000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3340-140-0x0000000007E30000-0x0000000007E6C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3340-142-0x0000000008B60000-0x0000000008BF2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3340-137-0x0000000006550000-0x0000000006B68000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3340-138-0x0000000007DD0000-0x0000000007DE2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3340-139-0x0000000007F00000-0x000000000800A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3340-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3340-141-0x0000000008A40000-0x0000000008AB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3340-131-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3340-143-0x00000000091B0000-0x0000000009754000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3340-144-0x0000000008AC0000-0x0000000008ADE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3340-145-0x0000000008EA0000-0x0000000008F06000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3340-146-0x0000000009930000-0x0000000009AF2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3340-147-0x000000000A030000-0x000000000A55C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3340-148-0x0000000009100000-0x0000000009150000-memory.dmp
      Filesize

      320KB

      Download