Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    55s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    06-07-2022 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a3c096118818ef28420da1a07e93fd8664528d7d2d217334b8fb4fbb5f8ffa5.exe

  • Size

    2.4MB

  • MD5

    e4f8eb7e01eb50044323a07cbe4314fa

  • SHA1

    5f81b0be101ff7d8e5eecfe6f1c33a963fcf4930

  • SHA256

    3a3c096118818ef28420da1a07e93fd8664528d7d2d217334b8fb4fbb5f8ffa5

  • SHA512

    e96d0574f614c9d10c06e5229b9795fe76dbf0d568876742b053e924bd240ec3c93695bbcffba7a81cc123af9ae7c5bd3f6b21aec0af983a46d6149f9464e6ce

Score
10/10
redlineinfostealerpersistencespywareupx

Malware Config

Extracted

Family

redline

C2

141.95.140.173:33470

Attributes
  • auth_value

    6d9508e5573e656e0dc3c4c5f8526d8e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a3c096118818ef28420da1a07e93fd8664528d7d2d217334b8fb4fbb5f8ffa5.exe
    "C:\Users\Admin\AppData\Local\Temp\3a3c096118818ef28420da1a07e93fd8664528d7d2d217334b8fb4fbb5f8ffa5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:215060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:215120
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:215136
        • C:\Users\Admin\AppData\Local\Temp\crypton.exe
          "C:\Users\Admin\AppData\Local\Temp\crypton.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:215080
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:215448
          • C:\Users\Admin\AppData\Local\Temp\updator.exe
            "C:\Users\Admin\AppData\Local\Temp\updator.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:2160
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 576
              5⤵
              • Program crash
              PID:215560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
      Filesize

      847B

      MD5

      808e884c00533a9eb0e13e64960d9c3a

      SHA1

      279d05181fc6179a12df1a669ff5d8b64c1380ae

      SHA256

      2f6a0aab99b1c228a6642f44f8992646ce84c5a2b3b9941b6cf1f2badf67bdd6

      SHA512

      9489bdb2ffdfeef3c52edcfe9b34c6688eba53eb86075e0564df1cd474723c86b5b5aedc12df1ff5fc12cf97bd1e3cf9701ff61dc4ce90155d70e9ccfd0fc299

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\crypton.exe
      Filesize

      3.3MB

      MD5

      4fddb0fb46c2d951db20eca9a3b1c296

      SHA1

      22b17e95712be0586272e742acb183d3a28d2e05

      SHA256

      8350c0a227f79ef1a94da8e8bf95a4bc7cd3b590d0dcf78cc6da7236a5cdd1c5

      SHA512

      ce471181a1dfd9195c2afc49b844ca5b8e809bae64d1715cf85d2f5e1050b6838cc0274d053bc27b9fd30e4ee9558a2aa1297b322d07f41ee1c5d6475020a168

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\crypton.exe
      Filesize

      3.3MB

      MD5

      4fddb0fb46c2d951db20eca9a3b1c296

      SHA1

      22b17e95712be0586272e742acb183d3a28d2e05

      SHA256

      8350c0a227f79ef1a94da8e8bf95a4bc7cd3b590d0dcf78cc6da7236a5cdd1c5

      SHA512

      ce471181a1dfd9195c2afc49b844ca5b8e809bae64d1715cf85d2f5e1050b6838cc0274d053bc27b9fd30e4ee9558a2aa1297b322d07f41ee1c5d6475020a168

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\updator.exe
      Filesize

      96KB

      MD5

      d217c2a5f59c25ae90f29a54d13b21f2

      SHA1

      cda28aca60ae2aafb132b7e66b9de310a22604ee

      SHA256

      5f5ddb7f5934fc851903768ea0911a87b6278e0927169974f8442db9b0d1ca9a

      SHA512

      94c9e81934b9b2f3c98e267bcdd288d5fd81a1b2d155d1496fc5e9a8cff7e4c44871eb01963af653b62b605df89b7a0e6a3d71360c95cd1c60455a6819c5b352

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\updator.exe
      Filesize

      96KB

      MD5

      d217c2a5f59c25ae90f29a54d13b21f2

      SHA1

      cda28aca60ae2aafb132b7e66b9de310a22604ee

      SHA256

      5f5ddb7f5934fc851903768ea0911a87b6278e0927169974f8442db9b0d1ca9a

      SHA512

      94c9e81934b9b2f3c98e267bcdd288d5fd81a1b2d155d1496fc5e9a8cff7e4c44871eb01963af653b62b605df89b7a0e6a3d71360c95cd1c60455a6819c5b352

      Download Submit
    • memory/2096-120-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-122-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-123-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-121-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-119-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-134-0x0000000000400000-0x0000000000555000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2096-118-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-117-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2096-116-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-350-0x0000000000000000-mapping.dmp
      Download
    • memory/2160-701-0x0000000001090000-0x00000000010C9000-memory.dmp
      Filesize

      228KB

      Download
    • memory/2160-363-0x0000000001090000-0x00000000010C9000-memory.dmp
      Filesize

      228KB

      Download
    • memory/215060-133-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215060-136-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/215060-124-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/215060-130-0x00000000004011D4-mapping.dmp
      Download
    • memory/215060-132-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215060-131-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215060-135-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215080-330-0x0000000000000000-mapping.dmp
      Download
    • memory/215120-172-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-310-0x0000000009D20000-0x0000000009D86000-memory.dmp
      Filesize

      408KB

      Download
    • memory/215120-141-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-390-0x000000000B480000-0x000000000B4D0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/215120-147-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-153-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-428-0x000000000B4D0000-0x000000000B692000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/215120-157-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-158-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-429-0x000000000BBD0000-0x000000000C0FC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/215120-161-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-187-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-165-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-167-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-169-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-139-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-143-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-137-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/215120-138-0x000000000041789E-mapping.dmp
      Download
    • memory/215120-145-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-302-0x0000000009340000-0x000000000935E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/215120-294-0x00000000092A0000-0x0000000009332000-memory.dmp
      Filesize

      584KB

      Download
    • memory/215120-293-0x0000000009130000-0x00000000091A6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/215120-163-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-151-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-176-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-290-0x0000000009F20000-0x000000000A41E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/215120-177-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-179-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-266-0x0000000008E80000-0x0000000008ECB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/215120-181-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-250-0x0000000008E40000-0x0000000008E7E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/215120-244-0x0000000008F10000-0x000000000901A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/215120-242-0x0000000000AE0000-0x0000000000AF2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/215120-186-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-184-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215120-241-0x0000000009410000-0x0000000009A16000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/215136-142-0x0000000000402CCE-mapping.dmp
      Download
    • memory/215136-171-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-185-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-183-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-182-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-180-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-175-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-164-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-166-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-168-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-170-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-178-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-174-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-173-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-162-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-159-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-156-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-152-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-149-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-140-0x0000000000400000-0x0000000000408000-memory.dmp
      Filesize

      32KB

      Download
    • memory/215136-148-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-146-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215136-144-0x00000000776A0000-0x000000007782E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/215448-410-0x0000000000429223-mapping.dmp
      Download