Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2023, 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de31e34590cc70b1f0a2cd1645c2bdac38dddc13da81d3543ae9023e1ebef1fb.exe

  • Size

    536KB

  • MD5

    e76ce7880e14bbd616c96ddfb3631048

  • SHA1

    df0dd2024062b1e73ba1512450cf0100d9808840

  • SHA256

    de31e34590cc70b1f0a2cd1645c2bdac38dddc13da81d3543ae9023e1ebef1fb

  • SHA512

    7500d7d158dc0b639448462ec05aa4dc50b811b4367f05fb0207ca33bc2e33e9de9ed86dc212952c8086055b6a1250a660401711e2aa92f27dffc40175b44f33

  • SSDEEP

    12288:qMrxy90w+aEvreN4VZUMMpSXxa6qwbx1bh84ksu8apz4:3yEaEvre6VZ4lSdphRMz4

Score
10/10
redlineformarumfadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Extracted

Family

redline

Botnet

forma

C2

193.233.20.24:4123

Attributes
  • auth_value

    50b8e065d7cb1e9e30786f7a370368f9

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de31e34590cc70b1f0a2cd1645c2bdac38dddc13da81d3543ae9023e1ebef1fb.exe
    "C:\Users\Admin\AppData\Local\Temp\de31e34590cc70b1f0a2cd1645c2bdac38dddc13da81d3543ae9023e1ebef1fb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlZ1126vQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlZ1126vQ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw42Ta32Qr07.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw42Ta32Qr07.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tIp73lT66.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tIp73lT66.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1796
          4⤵
          • Program crash
          PID:4368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzI90Vi05.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzI90Vi05.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3880 -ip 3880
    1⤵
      PID:2752

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzI90Vi05.exe
      Filesize

      177KB

      MD5

      107ec48e3058370a6629dde5733cf54e

      SHA1

      538798a573ce8fb26574127967f07b56f3daef30

      SHA256

      8931d2b70f3176f57130fd9b6ff13638a15b506382d6b064947b3b0ffab8df5d

      SHA512

      402f3483d7822673bcd7789396ae5337894c68f37c5c104142a2dff873bf3b0cd303989a63a5cf7ba6750a42749c191591c489796ef4cc0203604c5a7f14b4e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzI90Vi05.exe
      Filesize

      177KB

      MD5

      107ec48e3058370a6629dde5733cf54e

      SHA1

      538798a573ce8fb26574127967f07b56f3daef30

      SHA256

      8931d2b70f3176f57130fd9b6ff13638a15b506382d6b064947b3b0ffab8df5d

      SHA512

      402f3483d7822673bcd7789396ae5337894c68f37c5c104142a2dff873bf3b0cd303989a63a5cf7ba6750a42749c191591c489796ef4cc0203604c5a7f14b4e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlZ1126vQ.exe
      Filesize

      391KB

      MD5

      b7d7d3a4bcc2ea01d47cb5ec68734e7c

      SHA1

      842b8ac15335440c2fa9935ad069c7d5979933e3

      SHA256

      a9169a396f77b81a0a2fda20a60883c4a942ddd3bbe1ece2162522af8b2406a8

      SHA512

      77631ae65b2c2d6a4716a0faa8fc8de652e49633e77080639f51f771cba5c0a9dd6e599693f75836b2d2141894bd9d517a75f0591383509aac103efef497a5b4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlZ1126vQ.exe
      Filesize

      391KB

      MD5

      b7d7d3a4bcc2ea01d47cb5ec68734e7c

      SHA1

      842b8ac15335440c2fa9935ad069c7d5979933e3

      SHA256

      a9169a396f77b81a0a2fda20a60883c4a942ddd3bbe1ece2162522af8b2406a8

      SHA512

      77631ae65b2c2d6a4716a0faa8fc8de652e49633e77080639f51f771cba5c0a9dd6e599693f75836b2d2141894bd9d517a75f0591383509aac103efef497a5b4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw42Ta32Qr07.exe
      Filesize

      17KB

      MD5

      5f9c40a22d8288f4b6b8086c0a13438a

      SHA1

      ef510269bbccd40611378d4297f8495af03b2f2e

      SHA256

      d7d30ec9fcc27a381e55319605f81c98c9792c13908a25f4f53004a33b4bcc1a

      SHA512

      b0500ea73d7f8816d083eb39f6918b200b4793d78ddd1a03ea008fa57309bff9a97e39fdb531a4af0198b8d8b2709c7e67778e5a14c9acd9a09a0bf7a1b158f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw42Ta32Qr07.exe
      Filesize

      17KB

      MD5

      5f9c40a22d8288f4b6b8086c0a13438a

      SHA1

      ef510269bbccd40611378d4297f8495af03b2f2e

      SHA256

      d7d30ec9fcc27a381e55319605f81c98c9792c13908a25f4f53004a33b4bcc1a

      SHA512

      b0500ea73d7f8816d083eb39f6918b200b4793d78ddd1a03ea008fa57309bff9a97e39fdb531a4af0198b8d8b2709c7e67778e5a14c9acd9a09a0bf7a1b158f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tIp73lT66.exe
      Filesize

      303KB

      MD5

      12a07204bf4c65efdd968689ed260c4e

      SHA1

      8430e5110448dc962c4191a1a06b05c4e3c1a140

      SHA256

      e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b

      SHA512

      61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tIp73lT66.exe
      Filesize

      303KB

      MD5

      12a07204bf4c65efdd968689ed260c4e

      SHA1

      8430e5110448dc962c4191a1a06b05c4e3c1a140

      SHA256

      e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b

      SHA512

      61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a

      Download Submit

    • memory/996-1085-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/996-1086-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-191-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-201-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-154-0x00000000021D0000-0x000000000221B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3880-155-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-157-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-158-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-159-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-161-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-163-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-165-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-167-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-169-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-171-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-173-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-175-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-177-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-179-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-181-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-183-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-185-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-187-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-189-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-153-0x0000000004B20000-0x00000000050C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3880-193-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-195-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-197-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-199-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-156-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-203-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-205-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-207-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-209-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-211-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-213-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-215-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-217-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-219-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-221-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3880-1064-0x00000000052D0000-0x00000000058E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3880-1065-0x0000000005970000-0x0000000005A7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3880-1066-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3880-1067-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3880-1068-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-1070-0x0000000005DC0000-0x0000000005E52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3880-1071-0x0000000005E60000-0x0000000005EC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3880-1072-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-1073-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-1074-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-1075-0x0000000006680000-0x00000000066F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3880-1076-0x0000000006700000-0x0000000006750000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3880-1077-0x0000000006770000-0x0000000006932000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3880-1078-0x0000000006940000-0x0000000006E6C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3880-1079-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4576-147-0x0000000000E60000-0x0000000000E6A000-memory.dmp

      Filesize

      40KB

      Download