Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Resubmissions

29-06-2022 01:00

220629-bcr4jsfdd9 10

28-06-2022 23:36

220628-3lnw2adbgm 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-06-2022 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74.exe

  • Size

    279KB

  • MD5

    e8a3b9038499e57efa0fac179995c4eb

  • SHA1

    4584bea5ef3c4d6dd4de7bc1162ab5a3000cf6d1

  • SHA256

    fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74

  • SHA512

    063874174ab32f003a26bdf2ee7651e7ff08eeac21bcc8f122a25b840f8901fbcf6ed8289f321e817bc507a86cc54b9c8e715ccc00de12735022723175d28b13

Score
10/10
recordbreakerredlinemario2infostealerspywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

mario2

C2

193.106.191.129:80

Attributes
  • auth_value

    4ef7e3fec3a418b2f0233b604d0560d9

Signatures

  • RecordBreaker

    RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

    stealerrecordbreaker
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • suricata: ET MALWARE Generic Stealer Config Download Request

    suricata: ET MALWARE Generic Stealer Config Download Request

    suricata
  • suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74.exe
    "C:\Users\Admin\AppData\Local\Temp\fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2156
  • C:\Users\Admin\AppData\Local\Temp\567C.exe
    C:\Users\Admin\AppData\Local\Temp\567C.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:3896
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:4900
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4240
      • C:\Users\Admin\AppData\Local\Temp\4A34.exe
        C:\Users\Admin\AppData\Local\Temp\4A34.exe
        1⤵
        • Executes dropped EXE
        PID:4892
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:1276
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 872
            2⤵
            • Program crash
            PID:2320
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1276 -ip 1276
          1⤵
            PID:4072
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:1872

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\4A34.exe
              Filesize

              6.6MB

              MD5

              a840af25865513286606284b38490add

              SHA1

              3ab6eaaa2457f3afc1a37645152a91efa95751af

              SHA256

              26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

              SHA512

              fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\4A34.exe
              Filesize

              6.6MB

              MD5

              a840af25865513286606284b38490add

              SHA1

              3ab6eaaa2457f3afc1a37645152a91efa95751af

              SHA256

              26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

              SHA512

              fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\567C.exe
              Filesize

              1.6MB

              MD5

              df9cc49add3e01f23c63b0f73469f752

              SHA1

              6f8199ae9280e13671f5eb5715b093cd93f6732e

              SHA256

              b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

              SHA512

              09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\567C.exe
              Filesize

              1.6MB

              MD5

              df9cc49add3e01f23c63b0f73469f752

              SHA1

              6f8199ae9280e13671f5eb5715b093cd93f6732e

              SHA256

              b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

              SHA512

              09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

              Download Submit

            • memory/1276-169-0x0000000000B60000-0x0000000000BD4000-memory.dmp

              Filesize

              464KB

              Download

            • memory/1276-170-0x0000000000AF0000-0x0000000000B5B000-memory.dmp

              Filesize

              428KB

              Download

            • memory/1872-172-0x00000000007C0000-0x00000000007CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2156-133-0x0000000000400000-0x0000000000B38000-memory.dmp

              Filesize

              7.2MB

              Download

            • memory/2156-132-0x0000000000400000-0x0000000000B38000-memory.dmp

              Filesize

              7.2MB

              Download

            • memory/2156-130-0x0000000000DA2000-0x0000000000DB2000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2156-131-0x00000000001F0000-0x00000000001F9000-memory.dmp

              Filesize

              36KB

              Download

            • memory/2496-140-0x0000000002B95000-0x0000000002CE4000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/2496-141-0x000000000D040000-0x000000000D185000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/2496-142-0x000000000D040000-0x000000000D185000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/2496-139-0x000000000278B000-0x0000000002B84000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2496-137-0x000000000278B000-0x0000000002B84000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2496-138-0x0000000002B95000-0x0000000002CE4000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/2496-149-0x0000000002B95000-0x0000000002CE4000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4240-151-0x00000000053B0000-0x00000000053C2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4240-160-0x0000000007CE0000-0x000000000820C000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4240-155-0x0000000006710000-0x00000000067A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4240-156-0x0000000006D60000-0x0000000007304000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4240-157-0x00000000068F0000-0x000000000690E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4240-158-0x0000000006AE0000-0x0000000006B46000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4240-159-0x00000000075E0000-0x00000000077A2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/4240-148-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4240-161-0x00000000074F0000-0x0000000007540000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4240-154-0x00000000065F0000-0x0000000006666000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4240-153-0x0000000005410000-0x000000000544C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/4240-152-0x00000000054E0000-0x00000000055EA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4240-146-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4240-150-0x0000000005910000-0x0000000005F28000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/4892-167-0x0000000000080000-0x0000000000ADC000-memory.dmp

              Filesize

              10.4MB

              Download

            • memory/4892-165-0x0000000000080000-0x0000000000ADC000-memory.dmp

              Filesize

              10.4MB

              Download