Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5.exe

  • Size

    244KB

  • MD5

    02e6fcd8c1d944ba73de12e389ab314e

  • SHA1

    b9969fb9fe35a7d16906ba5cc7d3e457d9cbf24c

  • SHA256

    6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5

  • SHA512

    4eafa4708cd2934186e883f630196dc88c6dc78a2db6bfa3a8628fe9f212297db032458ec7df4a3e3d1e6f6d9c570e55d320bce64beaf3cd1b889700b283836d

  • SSDEEP

    3072:vBkA20emdYBLD/80PW8pD56fpTAe+UyVkMf4DWFsyUf0S1gZICyYp2bkuiWRL:WApwLDE0PPqBTAe3WF/UfTCwbd5

Score
10/10
amadeyredlinenovrcollectiondiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

novr

C2

31.41.244.14:4694

Attributes
  • auth_value

    34ddf4eb9326256f20a48cd5f1e9b496

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5.exe
    "C:\Users\Admin\AppData\Local\Temp\6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:4932
      • C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe
        "C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:332
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1136
      2⤵
      • Program crash
      PID:3808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3784 -ip 3784
    1⤵
      PID:1212
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      1⤵
      • Executes dropped EXE
      PID:3172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 416
        2⤵
        • Program crash
        PID:1296
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3172 -ip 3172
      1⤵
        PID:5056
      • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        1⤵
        • Executes dropped EXE
        PID:4572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 416
          2⤵
          • Program crash
          PID:3044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4572 -ip 4572
        1⤵
          PID:3540

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe
          Filesize

          137KB

          MD5

          bae3fb566c191522bab2bde67c482767

          SHA1

          7da8b30a638ff9f943cf03b32a4f254273990708

          SHA256

          3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

          SHA512

          f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe
          Filesize

          137KB

          MD5

          bae3fb566c191522bab2bde67c482767

          SHA1

          7da8b30a638ff9f943cf03b32a4f254273990708

          SHA256

          3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

          SHA512

          f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          244KB

          MD5

          02e6fcd8c1d944ba73de12e389ab314e

          SHA1

          b9969fb9fe35a7d16906ba5cc7d3e457d9cbf24c

          SHA256

          6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5

          SHA512

          4eafa4708cd2934186e883f630196dc88c6dc78a2db6bfa3a8628fe9f212297db032458ec7df4a3e3d1e6f6d9c570e55d320bce64beaf3cd1b889700b283836d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          244KB

          MD5

          02e6fcd8c1d944ba73de12e389ab314e

          SHA1

          b9969fb9fe35a7d16906ba5cc7d3e457d9cbf24c

          SHA256

          6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5

          SHA512

          4eafa4708cd2934186e883f630196dc88c6dc78a2db6bfa3a8628fe9f212297db032458ec7df4a3e3d1e6f6d9c570e55d320bce64beaf3cd1b889700b283836d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          244KB

          MD5

          02e6fcd8c1d944ba73de12e389ab314e

          SHA1

          b9969fb9fe35a7d16906ba5cc7d3e457d9cbf24c

          SHA256

          6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5

          SHA512

          4eafa4708cd2934186e883f630196dc88c6dc78a2db6bfa3a8628fe9f212297db032458ec7df4a3e3d1e6f6d9c570e55d320bce64beaf3cd1b889700b283836d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          244KB

          MD5

          02e6fcd8c1d944ba73de12e389ab314e

          SHA1

          b9969fb9fe35a7d16906ba5cc7d3e457d9cbf24c

          SHA256

          6fb4b196fcbce9856ff0099ab2108c7a7b0ecce86b133d0eb30f9c2e0010d9c5

          SHA512

          4eafa4708cd2934186e883f630196dc88c6dc78a2db6bfa3a8628fe9f212297db032458ec7df4a3e3d1e6f6d9c570e55d320bce64beaf3cd1b889700b283836d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
          Filesize

          126KB

          MD5

          674cec24e36e0dfaec6290db96dda86e

          SHA1

          581e3a7a541cc04641e751fc850d92e07236681f

          SHA256

          de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

          SHA512

          6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

          Download Submit
        • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
          Filesize

          126KB

          MD5

          674cec24e36e0dfaec6290db96dda86e

          SHA1

          581e3a7a541cc04641e751fc850d92e07236681f

          SHA256

          de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

          SHA512

          6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

          Download Submit
        • memory/332-162-0x0000000000000000-mapping.dmp
          Download
        • memory/2476-150-0x00000000053A0000-0x00000000053DC000-memory.dmp
          Filesize

          240KB

          Download
        • memory/2476-154-0x00000000068B0000-0x0000000006E54000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2476-159-0x0000000006E60000-0x0000000006EB0000-memory.dmp
          Filesize

          320KB

          Download
        • memory/2476-158-0x0000000006EE0000-0x0000000006F56000-memory.dmp
          Filesize

          472KB

          Download
        • memory/2476-156-0x0000000007390000-0x00000000078BC000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/2476-146-0x0000000000990000-0x00000000009B8000-memory.dmp
          Filesize

          160KB

          Download
        • memory/2476-147-0x0000000005890000-0x0000000005EA8000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/2476-148-0x0000000005410000-0x000000000551A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2476-149-0x0000000005340000-0x0000000005352000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2476-155-0x00000000064D0000-0x0000000006692000-memory.dmp
          Filesize

          1.8MB

          Download
        • memory/2476-141-0x0000000000000000-mapping.dmp
          Download
        • memory/2476-152-0x00000000056B0000-0x0000000005716000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2476-153-0x0000000006260000-0x00000000062F2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3172-160-0x0000000000830000-0x000000000084F000-memory.dmp
          Filesize

          124KB

          Download
        • memory/3172-161-0x0000000000400000-0x000000000065B000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/3784-134-0x0000000000400000-0x000000000065B000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/3784-132-0x00000000007AD000-0x00000000007CC000-memory.dmp
          Filesize

          124KB

          Download
        • memory/3784-145-0x0000000000400000-0x000000000065B000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/3784-144-0x00000000007AD000-0x00000000007CC000-memory.dmp
          Filesize

          124KB

          Download
        • memory/3784-133-0x0000000002250000-0x000000000228E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/4572-167-0x0000000000400000-0x000000000065B000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/4572-166-0x0000000000720000-0x000000000073F000-memory.dmp
          Filesize

          124KB

          Download
        • memory/4768-139-0x00000000008BC000-0x00000000008DB000-memory.dmp
          Filesize

          124KB

          Download
        • memory/4768-135-0x0000000000000000-mapping.dmp
          Download
        • memory/4768-140-0x0000000000400000-0x000000000065B000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/4768-151-0x0000000000400000-0x000000000065B000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/4932-138-0x0000000000000000-mapping.dmp
          Download