Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe

  • Size

    361KB

  • MD5

    9e2b897a7c63d54fe8495df1efb44190

  • SHA1

    a0cbe58ef5a9c5ef0918a387283a9fc913a206c8

  • SHA256

    2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4

  • SHA512

    60ab6188c2f66ee5863220bfd78fdf9ddae326e9c55154778efa85aec5a4a00438dad85d9529f72111add08e9c28d4c6dd0cdc8e3b216a64d363dd47b62feb9f

  • SSDEEP

    6144:eEaXBUcN2BRrn1fH0N6GkBut5adsSEK69yDPhSjYlakxjTLVqoARRSTZAPdg+:/aRDNoVJKRtUdsSEK69yDPhSjYlakxjv

Score
10/10
redline0002discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

0002

C2

13.72.81.58:13413

Attributes
  • auth_value

    866ce0ed8cfe2be77fb43a4912677698

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe
    "C:\Users\Admin\AppData\Local\Temp\2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4512-132-0x00000000005F0000-0x0000000000650000-memory.dmp
    Filesize

    384KB

    Download
  • memory/4512-133-0x000000000AC90000-0x000000000B2A8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4512-134-0x000000000A800000-0x000000000A90A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4512-135-0x000000000A730000-0x000000000A742000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4512-136-0x000000000A790000-0x000000000A7CC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4512-137-0x000000000B860000-0x000000000BE04000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4512-138-0x000000000ABF0000-0x000000000AC82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4512-139-0x000000000B2B0000-0x000000000B316000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4512-140-0x000000000D2A0000-0x000000000D462000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4512-141-0x000000000D9A0000-0x000000000DECC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4512-142-0x0000000007260000-0x00000000072D6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4512-143-0x00000000072E0000-0x0000000007330000-memory.dmp
    Filesize

    320KB

    Download