Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-02-2023 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44053e25d9cb28c9da8d06b689ea6636bcfcb4d7949d0f19a3d5becfc9974376.exe

  • Size

    550KB

  • MD5

    0aedf23ba56d130a30162ced1a662769

  • SHA1

    17998ab64f9359e4b4879f5ef141cff895645715

  • SHA256

    44053e25d9cb28c9da8d06b689ea6636bcfcb4d7949d0f19a3d5becfc9974376

  • SHA512

    712d130776111a42a49c0457b7258d4445d75effd42017d8c618d911c3221da1927861b96235e1a1a05a9e8ef5608ac9087d43bc5ea3cc423fad84703fbf5c71

  • SSDEEP

    12288:kMr7y90tBlOa95RVhSTeLcdxgMmXvsG2XuGeA8NOaeyWh5h:fymBlZdVYeLSmXvx2XuhjlWDh

Score
10/10
redlinefusanocryptdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

redline

Botnet

nocrypt

C2

176.113.115.17:4132

Attributes
  • auth_value

    4fc7cda1ab5883a6197f20f517ce2a8c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44053e25d9cb28c9da8d06b689ea6636bcfcb4d7949d0f19a3d5becfc9974376.exe
    "C:\Users\Admin\AppData\Local\Temp\44053e25d9cb28c9da8d06b689ea6636bcfcb4d7949d0f19a3d5becfc9974376.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsU74.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsU74.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aKx89.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aKx89.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmg32cY.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmg32cY.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cid82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cid82.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3332
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1084
        3⤵
        • Program crash
        PID:4800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3332 -ip 3332
    1⤵
      PID:4160

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cid82.exe
      Filesize

      426KB

      MD5

      4ea7f0f83fe4de36b199d47ec932b492

      SHA1

      c425ad2531d09f1e17af3d0231c738bc11274b51

      SHA256

      95e152c0f8a9ece8429caf208a1f71afedbef3c37e23b3332a1d3dc7c3ebc6b3

      SHA512

      5ca46ad6ba56fedbeb88cd2ce299eb15e3a5e14758d8b6112e252a01c459c6a335fc12710755296c27455057a241f07e3c66c17cc2f9c2047deee2c037ce7a22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cid82.exe
      Filesize

      426KB

      MD5

      4ea7f0f83fe4de36b199d47ec932b492

      SHA1

      c425ad2531d09f1e17af3d0231c738bc11274b51

      SHA256

      95e152c0f8a9ece8429caf208a1f71afedbef3c37e23b3332a1d3dc7c3ebc6b3

      SHA512

      5ca46ad6ba56fedbeb88cd2ce299eb15e3a5e14758d8b6112e252a01c459c6a335fc12710755296c27455057a241f07e3c66c17cc2f9c2047deee2c037ce7a22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsU74.exe
      Filesize

      202KB

      MD5

      66c7ba5749d382af982ee18a5890e7ff

      SHA1

      250212c63a071334166da7eb1594ba091416eae9

      SHA256

      f723dc59ba50f96c1ee4eb99ba6653e2ac0ab661b064eaf5ab4608cc40f8f133

      SHA512

      88ba7e6d827d077246bb7ff6d55bcbf8e13fc66d563ff5df1a13fd56f186770d7898a8b95e78f756632483e60cb7fe2e37375d3ebdfe32ab2bc6d6bf003f378c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsU74.exe
      Filesize

      202KB

      MD5

      66c7ba5749d382af982ee18a5890e7ff

      SHA1

      250212c63a071334166da7eb1594ba091416eae9

      SHA256

      f723dc59ba50f96c1ee4eb99ba6653e2ac0ab661b064eaf5ab4608cc40f8f133

      SHA512

      88ba7e6d827d077246bb7ff6d55bcbf8e13fc66d563ff5df1a13fd56f186770d7898a8b95e78f756632483e60cb7fe2e37375d3ebdfe32ab2bc6d6bf003f378c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aKx89.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aKx89.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmg32cY.exe
      Filesize

      175KB

      MD5

      30132c45c2305b287d96a3ad8158e9e3

      SHA1

      c89477868792dbfc6abeb3016e4fcc542b01bea1

      SHA256

      0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

      SHA512

      1f6ccbaf0787c9bc61f568c4398374426961fc73ed7ea38c75e27d7025a9df6f93ea111297a6a02acdeea52845067e222e681f278dc7278d834fbbb6be98b74e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmg32cY.exe
      Filesize

      175KB

      MD5

      30132c45c2305b287d96a3ad8158e9e3

      SHA1

      c89477868792dbfc6abeb3016e4fcc542b01bea1

      SHA256

      0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

      SHA512

      1f6ccbaf0787c9bc61f568c4398374426961fc73ed7ea38c75e27d7025a9df6f93ea111297a6a02acdeea52845067e222e681f278dc7278d834fbbb6be98b74e

      Download Submit

    • memory/1124-153-0x0000000000C60000-0x0000000000C92000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1124-150-0x0000000000000000-mapping.dmp

      Download

    • memory/3332-158-0x0000000000600000-0x000000000062D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3332-157-0x0000000000764000-0x0000000000784000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3332-154-0x0000000000000000-mapping.dmp

      Download

    • memory/3332-159-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3332-160-0x0000000000764000-0x0000000000784000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3332-161-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4944-139-0x0000000005440000-0x0000000005A58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4944-149-0x00000000070D0000-0x00000000075FC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4944-148-0x00000000069D0000-0x0000000006B92000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4944-147-0x0000000006000000-0x0000000006050000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4944-146-0x0000000006080000-0x00000000060F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4944-145-0x0000000005B60000-0x0000000005BC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4944-144-0x0000000006250000-0x00000000067F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4944-143-0x0000000005C00000-0x0000000005C92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4944-142-0x0000000004F50000-0x0000000004F8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4944-141-0x0000000004EF0000-0x0000000004F02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4944-140-0x0000000004FC0000-0x00000000050CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4944-138-0x0000000000520000-0x0000000000552000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4944-135-0x0000000000000000-mapping.dmp

      Download

    • memory/5060-132-0x0000000000000000-mapping.dmp

      Download