Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570.exe

  • Size

    47KB

  • MD5

    6d717fe6e6123691c7d9ffee92625c2f

  • SHA1

    ac8e4b99c2398a48884805255f2fa90daf0dff3c

  • SHA256

    39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570

  • SHA512

    2b1d1ef8cc59b9916ccea5712609117d99576d59d3376bfe187eca473f988c0c76bc16dfff75d0e936af769963e13135f2f5f45ae7d4b62c619ffb88d20afdf8

  • SSDEEP

    768:R/IO5VILWCyh+DiWtelDSN+iV08YbygejovEgK/J/ZVc6KN:R/PNWtKDs4zb1BnkJ/ZVclN

Score
10/10
asyncratredlinedefaulttestdiscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

193.233.48.17:8848

Mutex

dfas9asdf8as8z

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

test

C2

193.233.48.17:9832

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570.exe
    "C:\Users\Admin\AppData\Local\Temp\39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    37ccecb56eb0d2db0a5159b5bbc3ec5b

    SHA1

    7ba3a1ef06bbd6b1444337ff58736aeeec6d4164

    SHA256

    8dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc

    SHA512

    8f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    37ccecb56eb0d2db0a5159b5bbc3ec5b

    SHA1

    7ba3a1ef06bbd6b1444337ff58736aeeec6d4164

    SHA256

    8dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc

    SHA512

    8f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354

    Download Submit

  • memory/1840-150-0x0000000007650000-0x0000000007B7C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1840-147-0x0000000005990000-0x00000000059CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1840-155-0x0000000007580000-0x00000000075E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1840-152-0x00000000071C0000-0x0000000007252000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1840-149-0x0000000006F50000-0x0000000007112000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1840-148-0x0000000005C40000-0x0000000005D4A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1840-144-0x0000000000FB0000-0x0000000000FCE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1840-154-0x00000000071A0000-0x00000000071BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1840-146-0x0000000005930000-0x0000000005942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1840-153-0x0000000007260000-0x00000000072D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1840-145-0x00000000060E0000-0x00000000066F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1840-151-0x0000000008130000-0x00000000086D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4248-143-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4248-139-0x000001CAE1350000-0x000001CAE1372000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4980-134-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4980-132-0x0000000000930000-0x0000000000942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4980-135-0x000000001D3F0000-0x000000001D466000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4980-133-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4980-136-0x000000001C0E0000-0x000000001C0FE000-memory.dmp

    Filesize

    120KB

    Download