Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2023, 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    292d49b35338ec0ef22bc276cb6d336669da61043c903ad37c785b0cd280b2e1.exe

  • Size

    536KB

  • MD5

    08dd5e47f75381b73263d9e074ea0d14

  • SHA1

    4bcf6868cfcc74ec7714c593b02ce17e43ac3b6b

  • SHA256

    292d49b35338ec0ef22bc276cb6d336669da61043c903ad37c785b0cd280b2e1

  • SHA512

    c64ca1b10ebde90fda5a622eb9b402193e543a7ce6744cb018e75c354b4c5fa4f0c13ffc203871b1c13e2e1c3316100fc6f90fa96dedb209ad934190534333fc

  • SSDEEP

    12288:fMrJy90x/1hVHvdweruFPhC5Z/JTE1+DnLEU0nd9:OyoVeI8apE4LT0v

Score
10/10
redlinefubarouchdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rouch

C2

193.56.146.11:4162

Attributes
  • auth_value

    1b1735bcfc122c708eae27ca352568de

Extracted

Family

redline

Botnet

fuba

C2

193.56.146.11:4162

Attributes
  • auth_value

    43015841fc23c63b15ca6ffe1d278d5e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\292d49b35338ec0ef22bc276cb6d336669da61043c903ad37c785b0cd280b2e1.exe
    "C:\Users\Admin\AppData\Local\Temp\292d49b35338ec0ef22bc276cb6d336669da61043c903ad37c785b0cd280b2e1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmS2626NO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmS2626NO.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw88Sl59su30.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw88Sl59su30.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:32
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trN20mC95.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trN20mC95.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1336
          4⤵
          • Program crash
          PID:4192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ura40tv84.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ura40tv84.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4564 -ip 4564
    1⤵
      PID:3976

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ura40tv84.exe
      Filesize

      175KB

      MD5

      d8633077bf2fbc145ba153b269e260ec

      SHA1

      2acce38df6980292b2f01cdb94b21f2d3882aa7e

      SHA256

      477a770a08d493973e79417f6dee855b24cbf3fb44ba200a60a694d84ff5fe25

      SHA512

      0aeae7f4a74aa2f0e3074a846f00a6ced6df3754643006d1a9ba54993b10396d4a246a6ff2a119e3a9483f5b04fdbefd1efa3a0d9e99f36cb4403a14f1a7ba34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ura40tv84.exe
      Filesize

      175KB

      MD5

      d8633077bf2fbc145ba153b269e260ec

      SHA1

      2acce38df6980292b2f01cdb94b21f2d3882aa7e

      SHA256

      477a770a08d493973e79417f6dee855b24cbf3fb44ba200a60a694d84ff5fe25

      SHA512

      0aeae7f4a74aa2f0e3074a846f00a6ced6df3754643006d1a9ba54993b10396d4a246a6ff2a119e3a9483f5b04fdbefd1efa3a0d9e99f36cb4403a14f1a7ba34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmS2626NO.exe
      Filesize

      391KB

      MD5

      43b050b60ea70f5353418f1714dd32aa

      SHA1

      9e2f57a612bb5347982f5fb2e2eecea3447fcb5b

      SHA256

      0b5bd52c4a714e629c3bf831a6e2dd601519824473d09f86cce755f82dd4c2e6

      SHA512

      311d720c14730fcdc9deb22bb08f9e4f643e05e83c127a277b75ace7a85e6cee4f7032786d248285c8b4383d152cdd49ca72d465c231e65f28de7cc635c176c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmS2626NO.exe
      Filesize

      391KB

      MD5

      43b050b60ea70f5353418f1714dd32aa

      SHA1

      9e2f57a612bb5347982f5fb2e2eecea3447fcb5b

      SHA256

      0b5bd52c4a714e629c3bf831a6e2dd601519824473d09f86cce755f82dd4c2e6

      SHA512

      311d720c14730fcdc9deb22bb08f9e4f643e05e83c127a277b75ace7a85e6cee4f7032786d248285c8b4383d152cdd49ca72d465c231e65f28de7cc635c176c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw88Sl59su30.exe
      Filesize

      11KB

      MD5

      c8a8cea45e9b40590620ed7be3a231aa

      SHA1

      104f68acbfb921ed2e7bf6fb35f427643e7bbc2c

      SHA256

      e8777b31dbbc5db5ca15255be6ba323e57a5ca6eefe1f775d35bb05925af4aa1

      SHA512

      c59e0d5da5c966524f2370a5877212a3cfc9fc628ac7a09608bac67a13e5325c3858e50131fa4e0b1e6cdc036e48c481d40cfceeebf5cc52ab050ca1ff77f7d1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw88Sl59su30.exe
      Filesize

      11KB

      MD5

      c8a8cea45e9b40590620ed7be3a231aa

      SHA1

      104f68acbfb921ed2e7bf6fb35f427643e7bbc2c

      SHA256

      e8777b31dbbc5db5ca15255be6ba323e57a5ca6eefe1f775d35bb05925af4aa1

      SHA512

      c59e0d5da5c966524f2370a5877212a3cfc9fc628ac7a09608bac67a13e5325c3858e50131fa4e0b1e6cdc036e48c481d40cfceeebf5cc52ab050ca1ff77f7d1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trN20mC95.exe
      Filesize

      304KB

      MD5

      a562213cf445eaaf665759f35b4e91c2

      SHA1

      c37cb42d6b01cb56f0528499c8cb2d801176bf45

      SHA256

      457e081eb0be34e398946eda58be940aef13cd4390cb727cc848846833d307c3

      SHA512

      6944f4c08e8617f4ff143a96aeb4b4dc8c31562db7f6747bed36abb4116b540c181a5c42384505f1d059c3e3bbdf4f4ca3f74d0480b0e20efa28e1505f3b4fbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trN20mC95.exe
      Filesize

      304KB

      MD5

      a562213cf445eaaf665759f35b4e91c2

      SHA1

      c37cb42d6b01cb56f0528499c8cb2d801176bf45

      SHA256

      457e081eb0be34e398946eda58be940aef13cd4390cb727cc848846833d307c3

      SHA512

      6944f4c08e8617f4ff143a96aeb4b4dc8c31562db7f6747bed36abb4116b540c181a5c42384505f1d059c3e3bbdf4f4ca3f74d0480b0e20efa28e1505f3b4fbd

      Download Submit

    • memory/32-147-0x0000000000240000-0x000000000024A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2928-1086-0x00000000005B0000-0x00000000005E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2928-1087-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-189-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-201-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-155-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-156-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-157-0x0000000004B40000-0x00000000050E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4564-158-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-159-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-161-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-163-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-165-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-167-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-169-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-171-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-173-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-175-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-177-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-179-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-181-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-183-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-185-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-187-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-153-0x0000000000700000-0x000000000074B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4564-191-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-193-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-195-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-197-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-199-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-154-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-203-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-205-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-207-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-209-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-211-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-213-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-215-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-217-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-219-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-221-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4564-1064-0x0000000005190000-0x00000000057A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4564-1065-0x0000000005830000-0x000000000593A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4564-1066-0x0000000005970000-0x0000000005982000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4564-1067-0x0000000005990000-0x00000000059CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4564-1068-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-1070-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-1071-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-1072-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-1073-0x0000000005C80000-0x0000000005D12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4564-1074-0x0000000005D20000-0x0000000005D86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4564-1075-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4564-1076-0x00000000077F0000-0x0000000007866000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4564-1077-0x0000000007890000-0x00000000078E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4564-1078-0x0000000007910000-0x0000000007AD2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4564-1079-0x0000000007AE0000-0x000000000800C000-memory.dmp

      Filesize

      5.2MB

      Download