Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2023 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe

  • Size

    1.4MB

  • MD5

    fd165fda80732035427ac5c9536506ac

  • SHA1

    f23998921c36740a05380fc53c1bc5747a19db05

  • SHA256

    06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d

  • SHA512

    a58425dc863f6af016233367efed8476cb4177aac90ea623fc0b4df6a4ad3b4df99dc26cf14cc3f61bf24a74ab4043dc3454004e788e6c7e12fb901c8767b9d4

  • SSDEEP

    24576:MHWmAFrsR4eEdzvikBXTpH4fGQDt7R61rvu6xQd0px1xr52itKQCE16SOtF:9sRsd3BDpH4fGK01q68WFEisTEESO

Score
10/10
redlinemaininfostealerspywareupx

Malware Config

Extracted

Family

redline

Botnet

main

C2

birja1.com:29658

Attributes
  • auth_value

    7a6d3334d5db5d02c16eec7633780063

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe
    "C:\Users\Admin\AppData\Local\Temp\06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe
      C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe /TH_ID=_4516 /OriginExe="C:\Users\Admin\AppData\Local\Temp\06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:424
      • C:\Windows\SysWOW64\CmD.exe
        C:\Windows\system32\CmD.exe /c cmd < 64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avastui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avgui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3604
          • C:\Windows\SysWOW64\certutil.exe
            certutil -decode 23 23DDdRqF
            5⤵
              PID:936
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^jdjfUCLAznmSSizqPiNAzpcaRJECVAbEQRcNMoxDprqvwRmVfhrHtNGeUUnlXpESwUewLGgHNpsdoZdqlJhIbQmela$" 23DDdRqF
              5⤵
                PID:2968
              • C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\30645\Sapphire.exe.pif
                30645\\Sapphire.exe.pif 30645\\a
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3108
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:632
              • C:\Windows\SysWOW64\PING.EXE
                ping localhost -n 8
                5⤵
                • Runs ping.exe
                PID:4228
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1292
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
        1⤵
        • Drops desktop.ini file(s)
        • Checks processor information in registry
        • Modifies registry class
        PID:4908
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
        1⤵
        • Checks processor information in registry
        • Modifies registry class
        PID:736

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        1KB

        MD5

        def65711d78669d7f8e69313be4acf2e

        SHA1

        6522ebf1de09eeb981e270bd95114bc69a49cda6

        SHA256

        aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

        SHA512

        05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        25ef5d3305311185916d884f9ee69dbb

        SHA1

        8d7726c0a1f7099c900ca8f0150e8917edd8afd6

        SHA256

        624b05819b5d929b90cda8a4a56a39425ba9b84bd6d32f4bb628131085b7342d

        SHA512

        d40c42c567ad794ee832b6b35557858a99db40fd68331df4c7138324d98c6c8d9308cb9c4dd43f84957d0a3535dcc3cc7bf06c40093c3528be3bf08cd4b9777b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\00000#15
        Filesize

        703KB

        MD5

        df71877bb70145c158ee749484d637e5

        SHA1

        af402cbddb2166c83fe4a22d542442b4e0690768

        SHA256

        b645ec264e0cfb2bdc9551902fd026c32808c2b3d4837a43c2303151ed994144

        SHA512

        ba024d5cadc7483f10566da88e99273d5d38c17f9206392f2f3d86fb0d8f75eaeedb11c7b8d57a378089b5e90d45cbd1e1a787b80a6cfdcc7e162342e7d86330

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\00001#23
        Filesize

        1.2MB

        MD5

        701d6702294745ec4dacfa44185f3a1f

        SHA1

        2f10d2d401ea759b215df8f226f9aaef292b4078

        SHA256

        00a8e70fa0887bf3f554be24e02b319c8d2cb272304faed4bcb78349902992e0

        SHA512

        95ede9988f3cf0a549bf3b28667710683e7936ec7fdd3b4c0ad4e38fda17916d3e5c7cf54b859cea54ff88f25fe487d24db4b8f03ce2d16401b3958de0b8a190

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\00002#64
        Filesize

        14KB

        MD5

        a298fc34bd36502c2feb227ab10877eb

        SHA1

        3e088657aa4207907e206194149185bc03bdee5d

        SHA256

        52ba970eecdcb4253474ec350e960d6a4dc3a1e44680ea9a970119129d158191

        SHA512

        11fb7c57fd29145781bd0ed2ebd0f277fdee06978791a2ccff1b0f84dd4ae4ec165a2622976493d27a852d7ca2118302002b685b1fbb6d71270e0ccaa14728a4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe
        Filesize

        392KB

        MD5

        debfb007af59891f08aaa75bff0e0df0

        SHA1

        cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

        SHA256

        e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

        SHA512

        1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe
        Filesize

        392KB

        MD5

        debfb007af59891f08aaa75bff0e0df0

        SHA1

        cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

        SHA256

        e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

        SHA512

        1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Modern_Icon.bmp
        Filesize

        7KB

        MD5

        1dd88f67f029710d5c5858a6293a93f1

        SHA1

        3e5ef66613415fe9467b2a24ccc27d8f997e7df6

        SHA256

        b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

        SHA512

        7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Setup.txt
        Filesize

        2KB

        MD5

        4659c49e470bbfee63e5fb5c3124b5f5

        SHA1

        f6d8fec5e142f7bef189222876184e7a4f328d77

        SHA256

        57be12e2d60db927a577b4b6b2a9fc3bb675a45b9800eea0e8f746d4da9baac2

        SHA512

        3c3d59266297ef361c79c016dd6814e1c762d3d2fb5063d0c5c66a0ce214a163cbff4406c03f91268e967f7fdecd7cfd529a4e5ced5729322cc3d41f9890a895

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\23DDdRqF
        Filesize

        872KB

        MD5

        bffb8a21a31753c1b89ed768421d6762

        SHA1

        133606479ee6fc8a60dc2dd3f0a13b62b79da54a

        SHA256

        5957bb04b17675dde4f67b46c0521ca34245ae2ef30d1107f3bf3a2d2c7b7db7

        SHA512

        2a76dc72c5d02cfbdd2eba4823b6f62bdf7700ab21709bbbe8f2f13a0bca208ff1b3c4e189e9c93745f33d929b7609065c01b21cc45493f9fac42ebc46186677

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\30645\Sapphire.exe.pif
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • memory/424-164-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/424-163-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/424-136-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/424-132-0x0000000000000000-mapping.dmp
        Download
      • memory/632-165-0x0000000000000000-mapping.dmp
        Download
      • memory/632-172-0x00000000067D0000-0x0000000006862000-memory.dmp
        Filesize

        584KB

        Download
      • memory/632-169-0x0000000005940000-0x0000000005A4A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/632-168-0x0000000005E10000-0x0000000006428000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/632-166-0x0000000000F70000-0x0000000000FA2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/632-174-0x0000000007990000-0x0000000007EBC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/632-171-0x00000000058D0000-0x000000000590C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/632-170-0x0000000005870000-0x0000000005882000-memory.dmp
        Filesize

        72KB

        Download
      • memory/632-175-0x0000000006B00000-0x0000000006B76000-memory.dmp
        Filesize

        472KB

        Download
      • memory/632-176-0x0000000006B80000-0x0000000006BD0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/632-173-0x0000000007290000-0x0000000007452000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/936-157-0x0000000000000000-mapping.dmp
        Download
      • memory/2000-141-0x0000000000000000-mapping.dmp
        Download
      • memory/2968-158-0x0000000000000000-mapping.dmp
        Download
      • memory/3108-160-0x0000000000000000-mapping.dmp
        Download
      • memory/3604-154-0x0000000000000000-mapping.dmp
        Download
      • memory/4228-162-0x0000000000000000-mapping.dmp
        Download
      • memory/4544-142-0x0000000000000000-mapping.dmp
        Download
      • memory/5000-148-0x0000000005B30000-0x0000000005B96000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5000-151-0x0000000006610000-0x000000000662A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/5000-150-0x00000000070D0000-0x0000000007166000-memory.dmp
        Filesize

        600KB

        Download
      • memory/5000-149-0x0000000006110000-0x000000000612E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/5000-152-0x0000000006660000-0x0000000006682000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5000-147-0x0000000005A50000-0x0000000005AB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5000-146-0x0000000005160000-0x0000000005182000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5000-145-0x0000000005320000-0x0000000005948000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/5000-144-0x00000000027F0000-0x0000000002826000-memory.dmp
        Filesize

        216KB

        Download
      • memory/5000-143-0x0000000000000000-mapping.dmp
        Download
      • memory/5000-153-0x0000000007720000-0x0000000007CC4000-memory.dmp
        Filesize

        5.6MB

        Download