Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2023, 22:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af.exe

  • Size

    478KB

  • MD5

    ad73f56789ba7bb139feba1217f9d3b7

  • SHA1

    06672cfd3f4d13fc5e9639e7e4f7e2d3cdef8e10

  • SHA256

    f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af

  • SHA512

    80f1ab2b92c887adedaf060037d54d57d5b5053446c5a1589e573043295a2c1a1bad1c86ad72f8e30421fe47bab84245cf35c713c31def1ac3a4a605b524e3b9

  • SSDEEP

    12288:eMrvy90F/0cOMa/B0YY9fHW/e8yU2w80Mbz:NymeMo4KSwAbz

Score
10/10
redlinefusadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKl63jt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKl63jt.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biB59lo.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biB59lo.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1072
          4⤵
          • Program crash
          PID:4456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTY09ee.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTY09ee.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\laz96Cd.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\laz96Cd.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4852 -ip 4852
    1⤵
      PID:1956

    Network

    • flag-us
      DNS
      151.122.125.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      151.122.125.40.in-addr.arpa
      IN PTR
      Response
    • 20.224.254.73:443
      40 B
       1
    • 193.233.20.12:4132
      dTY09ee.exe
      3.4MB
       50.9kB
       2479
      1095
    • 52.152.108.96:443
      260 B
       5
    • 88.221.25.154:80
      322 B
       7
    • 88.221.25.154:80
      322 B
       7
    • 104.80.225.205:443
      322 B
       7
    • 20.50.73.9:443
      322 B
       7
    • 8.248.7.254:80
      322 B
       7
    • 8.248.7.254:80
      322 B
       7
    • 8.248.7.254:80
      322 B
       7
    • 8.8.8.8:53
      151.122.125.40.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      151.122.125.40.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\laz96Cd.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\laz96Cd.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKl63jt.exe
      Filesize

      375KB

      MD5

      aa9dd08139f3b4c32a236109630491c9

      SHA1

      88268d297f357087a67b3560e73fac5ecc96fae6

      SHA256

      6aaeb29f413e39fabc19f2997f8f3de3535a4784671bb95a6907332c698f4047

      SHA512

      45ebe06ef420c1444358f737196168a6a551c7fb98dd178cf2e8bed6fced9eca2c5771d31ac10dd2294da43ef4421ea146117cd02d9897141b68b89f764f5842

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKl63jt.exe
      Filesize

      375KB

      MD5

      aa9dd08139f3b4c32a236109630491c9

      SHA1

      88268d297f357087a67b3560e73fac5ecc96fae6

      SHA256

      6aaeb29f413e39fabc19f2997f8f3de3535a4784671bb95a6907332c698f4047

      SHA512

      45ebe06ef420c1444358f737196168a6a551c7fb98dd178cf2e8bed6fced9eca2c5771d31ac10dd2294da43ef4421ea146117cd02d9897141b68b89f764f5842

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biB59lo.exe
      Filesize

      235KB

      MD5

      ea2af715b2c17a763c05bffc5669ded5

      SHA1

      876295abbc668533e3629c38e5b4db50776f969a

      SHA256

      b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

      SHA512

      1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biB59lo.exe
      Filesize

      235KB

      MD5

      ea2af715b2c17a763c05bffc5669ded5

      SHA1

      876295abbc668533e3629c38e5b4db50776f969a

      SHA256

      b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

      SHA512

      1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTY09ee.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTY09ee.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • memory/1780-164-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1780-163-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1780-162-0x00000000008F0000-0x00000000008FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4588-156-0x0000000007620000-0x0000000007B4C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4588-155-0x0000000006F20000-0x00000000070E2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4588-158-0x0000000006EA0000-0x0000000006EF0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4588-157-0x00000000071F0000-0x0000000007266000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4588-148-0x0000000000BF0000-0x0000000000C22000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4588-149-0x0000000005BD0000-0x00000000061E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4588-150-0x00000000056C0000-0x00000000057CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4588-151-0x00000000055D0000-0x00000000055E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4588-152-0x0000000005630000-0x000000000566C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4588-153-0x0000000005AE0000-0x0000000005B72000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4588-154-0x00000000061F0000-0x0000000006256000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4852-143-0x0000000000851000-0x0000000000871000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4852-144-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4852-142-0x0000000000851000-0x0000000000871000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4852-141-0x0000000004B50000-0x00000000050F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4852-140-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4852-139-0x0000000000640000-0x000000000066D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4852-138-0x0000000000851000-0x0000000000871000-memory.dmp

      Filesize

      128KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.