Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2023, 12:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aeaf3db76aabbf205438448f17549a96e20aabd7461d63fecef564a19b014a45.exe

  • Size

    336KB

  • MD5

    86c0b782119aaa2cee741971ce28a408

  • SHA1

    a2215b07ea9b85685340654e2fd1aa8a78e6cfdd

  • SHA256

    aeaf3db76aabbf205438448f17549a96e20aabd7461d63fecef564a19b014a45

  • SHA512

    f06027b9f07e2aed64d10611f9332922980f18a3163e7c3d20aabdb2673a27efd43cb5823822c3f44b8975b4ca809dd4a525a395b8fd21aa9197c0ea48e63fa1

  • SSDEEP

    6144:nbDQmioYCCAYp5fRZOVANlZ1iJ5ZccG7uMR9NX23BoIgPEDZCO4lw1JedPlC:nbDQ7LpDcVAN1lDm3BoIgPEDZCO4lw1H

Score
10/10
redline24.01discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

24.01

C2

37.220.86.164:29170

Attributes
  • auth_value

    1c7f0aa21138601b5201a3a4a0123991

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aeaf3db76aabbf205438448f17549a96e20aabd7461d63fecef564a19b014a45.exe
    "C:\Users\Admin\AppData\Local\Temp\aeaf3db76aabbf205438448f17549a96e20aabd7461d63fecef564a19b014a45.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2548

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2548-132-0x0000000000F60000-0x0000000000FBA000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2548-133-0x0000000006080000-0x0000000006698000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2548-134-0x0000000005B70000-0x0000000005C7A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2548-135-0x0000000005A80000-0x0000000005A92000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2548-136-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2548-137-0x0000000005F20000-0x0000000005FB2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2548-138-0x0000000007140000-0x00000000076E4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2548-139-0x0000000006710000-0x0000000006776000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2548-140-0x0000000006F60000-0x0000000007122000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2548-141-0x0000000009310000-0x000000000983C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/2548-142-0x0000000006E60000-0x0000000006ED6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2548-143-0x0000000006EE0000-0x0000000006F30000-memory.dmp

          Filesize

          320KB

          Download