Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2023, 21:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3a324700847c75f57b3cdd1f99aa058a8aaa261367e93132f6d54bf5cfad3f25.exe

  • Size

    477KB

  • MD5

    5c2a9e2142af6dd94270719ac9d5e5eb

  • SHA1

    142b938411b5d4c1ad9cd98c6f12b61f9b572ccc

  • SHA256

    3a324700847c75f57b3cdd1f99aa058a8aaa261367e93132f6d54bf5cfad3f25

  • SHA512

    949f5399ed3a0ae0edb61e137a5ea33d244a7105a7685668389a91dbec293e90c3783d980d6f62f319e13b01a001aafcab5051340bccb22cec6d6d9e6bd4fdcf

  • SSDEEP

    12288:KMrVy90a6HrVgb1hxhX7r8qIw0l8MO3GoZ4+cd:Dy6HrVs1hxhX38TBl8zA+o

Score
10/10
redlinefusadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a324700847c75f57b3cdd1f99aa058a8aaa261367e93132f6d54bf5cfad3f25.exe
    "C:\Users\Admin\AppData\Local\Temp\3a324700847c75f57b3cdd1f99aa058a8aaa261367e93132f6d54bf5cfad3f25.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nJc82jM.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nJc82jM.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bIk78UZ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bIk78UZ.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1080
          4⤵
          • Program crash
          PID:3060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVn52iA.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVn52iA.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lGg61By.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lGg61By.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1712 -ip 1712
    1⤵
      PID:2852

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lGg61By.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lGg61By.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nJc82jM.exe
            Filesize

            374KB

            MD5

            6090c0ce04dfbeca5286c080c05c2f4a

            SHA1

            46339cd14bd931372a681207f65378d208843ce2

            SHA256

            58b196829b74284f49cb0ae1f2d16f9270a7a1620904098fb252db21c029f7b8

            SHA512

            c9d0183effb5f05174d5e3178bd9d4722cd091d2f04a9a023089491a75ab2b605cda2297fcb381645a308e00dde8f2de67b6f7b378e16c7814031f7bf6cdb9e3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nJc82jM.exe
            Filesize

            374KB

            MD5

            6090c0ce04dfbeca5286c080c05c2f4a

            SHA1

            46339cd14bd931372a681207f65378d208843ce2

            SHA256

            58b196829b74284f49cb0ae1f2d16f9270a7a1620904098fb252db21c029f7b8

            SHA512

            c9d0183effb5f05174d5e3178bd9d4722cd091d2f04a9a023089491a75ab2b605cda2297fcb381645a308e00dde8f2de67b6f7b378e16c7814031f7bf6cdb9e3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bIk78UZ.exe
            Filesize

            235KB

            MD5

            10ebdbd3b97101647f579e816a624c0b

            SHA1

            504e3a11a4ae58dbf156627cee7f49e89502d489

            SHA256

            0eae82f040db8b8af792d3e005b0486093320f12601be24065e7e5569e1f8c2c

            SHA512

            75d837bf685f529671c3be97702956de890d2a3c9f61f81c51a569363c6bedcbe367e5381f9636c78d5e96b286b77bcc8927fad4490517c80b30652ec67ec392

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bIk78UZ.exe
            Filesize

            235KB

            MD5

            10ebdbd3b97101647f579e816a624c0b

            SHA1

            504e3a11a4ae58dbf156627cee7f49e89502d489

            SHA256

            0eae82f040db8b8af792d3e005b0486093320f12601be24065e7e5569e1f8c2c

            SHA512

            75d837bf685f529671c3be97702956de890d2a3c9f61f81c51a569363c6bedcbe367e5381f9636c78d5e96b286b77bcc8927fad4490517c80b30652ec67ec392

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVn52iA.exe
            Filesize

            175KB

            MD5

            da6f3bef8abc85bd09f50783059964e3

            SHA1

            a0f25f60ec1896c4c920ea397f40e6ce29724322

            SHA256

            e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

            SHA512

            4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVn52iA.exe
            Filesize

            175KB

            MD5

            da6f3bef8abc85bd09f50783059964e3

            SHA1

            a0f25f60ec1896c4c920ea397f40e6ce29724322

            SHA256

            e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

            SHA512

            4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

            Download Submit

          • memory/1392-156-0x0000000007320000-0x000000000784C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1392-152-0x0000000005550000-0x000000000558C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1392-158-0x0000000006BA0000-0x0000000006BF0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1392-157-0x0000000006DF0000-0x0000000006E66000-memory.dmp

            Filesize

            472KB

            Download

          • memory/1392-155-0x0000000006C20000-0x0000000006DE2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1392-154-0x00000000057B0000-0x0000000005816000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1392-153-0x0000000005710000-0x00000000057A2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1392-148-0x0000000000AE0000-0x0000000000B12000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1392-149-0x00000000058D0000-0x0000000005EE8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/1392-150-0x0000000005440000-0x000000000554A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1392-151-0x0000000005370000-0x0000000005382000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1712-139-0x00000000005B1000-0x00000000005D1000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1712-141-0x0000000000400000-0x000000000056C000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1712-140-0x0000000000900000-0x000000000092D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1712-144-0x0000000000400000-0x000000000056C000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1712-143-0x00000000005B1000-0x00000000005D1000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1712-142-0x00000000005B1000-0x00000000005D1000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1712-138-0x0000000004C60000-0x0000000005204000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4580-162-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4580-163-0x00007FFCFEF80000-0x00007FFCFFA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4580-164-0x00007FFCFEF80000-0x00007FFCFFA41000-memory.dmp

            Filesize

            10.8MB

            Download