Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2023, 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3d83ac7749f663687a3373adf7742dd89fc02ec8e5321b2cb567408a715437a.exe

  • Size

    477KB

  • MD5

    e4572956fb9ab81ee62554e99c327e9c

  • SHA1

    bbd3c0c6d65a3d0b8b159a7ca392fb76c68d089b

  • SHA256

    c3d83ac7749f663687a3373adf7742dd89fc02ec8e5321b2cb567408a715437a

  • SHA512

    5e49d763ed62d57f543d3303213617d693ec0141bc2438a070691812447bb9760a3441ab7e7fee293d1c242b5cf98e9d1478ae4c7cb58423bb603a01f2612abb

  • SSDEEP

    12288:HMr7y90VmwMMJffoaEhgTH5gHrG4t4GAQ:8ykbfoaEhgTSMG7

Score
10/10
redlinefusadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3d83ac7749f663687a3373adf7742dd89fc02ec8e5321b2cb567408a715437a.exe
    "C:\Users\Admin\AppData\Local\Temp\c3d83ac7749f663687a3373adf7742dd89fc02ec8e5321b2cb567408a715437a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq30TL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq30TL.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bPk61Fi.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bPk61Fi.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1080
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1080
          4⤵
          • Program crash
          PID:2980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dES65iD.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dES65iD.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lhC09ev.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lhC09ev.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 1080
    1⤵
      PID:648

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lhC09ev.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lhC09ev.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq30TL.exe
      Filesize

      374KB

      MD5

      1745a63a64062bf7bc33e22b1c86dee2

      SHA1

      64110866f23539b3d4ebc526fffe5a12e3400b10

      SHA256

      863a7c35b043f582536ec2b3db05025d265a0ed497d077d741bbe57bea2cda9b

      SHA512

      ba069b3c46584c10c32b7776f1b3f39d5e108b132d582148b5f1c8ebeab021763ec005b27f3544070554806771f09e987e05fa9974b40191a0fb5c36d74631b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq30TL.exe
      Filesize

      374KB

      MD5

      1745a63a64062bf7bc33e22b1c86dee2

      SHA1

      64110866f23539b3d4ebc526fffe5a12e3400b10

      SHA256

      863a7c35b043f582536ec2b3db05025d265a0ed497d077d741bbe57bea2cda9b

      SHA512

      ba069b3c46584c10c32b7776f1b3f39d5e108b132d582148b5f1c8ebeab021763ec005b27f3544070554806771f09e987e05fa9974b40191a0fb5c36d74631b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bPk61Fi.exe
      Filesize

      235KB

      MD5

      10ebdbd3b97101647f579e816a624c0b

      SHA1

      504e3a11a4ae58dbf156627cee7f49e89502d489

      SHA256

      0eae82f040db8b8af792d3e005b0486093320f12601be24065e7e5569e1f8c2c

      SHA512

      75d837bf685f529671c3be97702956de890d2a3c9f61f81c51a569363c6bedcbe367e5381f9636c78d5e96b286b77bcc8927fad4490517c80b30652ec67ec392

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bPk61Fi.exe
      Filesize

      235KB

      MD5

      10ebdbd3b97101647f579e816a624c0b

      SHA1

      504e3a11a4ae58dbf156627cee7f49e89502d489

      SHA256

      0eae82f040db8b8af792d3e005b0486093320f12601be24065e7e5569e1f8c2c

      SHA512

      75d837bf685f529671c3be97702956de890d2a3c9f61f81c51a569363c6bedcbe367e5381f9636c78d5e96b286b77bcc8927fad4490517c80b30652ec67ec392

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dES65iD.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dES65iD.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • memory/1080-140-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1080-141-0x0000000004E70000-0x0000000005414000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1080-142-0x0000000000851000-0x0000000000871000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1080-143-0x0000000000851000-0x0000000000871000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1080-144-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1080-139-0x0000000000570000-0x000000000059D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1080-138-0x0000000000851000-0x0000000000871000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1292-164-0x00007FFA67810000-0x00007FFA682D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1292-163-0x00007FFA67810000-0x00007FFA682D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1292-162-0x00000000007A0000-0x00000000007AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2780-148-0x0000000000C60000-0x0000000000C92000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2780-153-0x00000000058D0000-0x0000000005962000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2780-154-0x0000000005970000-0x00000000059D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2780-155-0x0000000006540000-0x00000000065B6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2780-156-0x00000000065C0000-0x0000000006610000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2780-157-0x0000000006EA0000-0x0000000007062000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2780-158-0x00000000075A0000-0x0000000007ACC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2780-152-0x0000000005550000-0x000000000558C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2780-151-0x00000000054F0000-0x0000000005502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2780-150-0x00000000055C0000-0x00000000056CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2780-149-0x0000000005A50000-0x0000000006068000-memory.dmp

      Filesize

      6.1MB

      Download