Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2023 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b2570440fa2adf51b8f8135575290688bcdc01720c51ac27f257357bce076dd.exe

  • Size

    537KB

  • MD5

    a56ccd9667bf03ac08ef8963848a07c2

  • SHA1

    30dc242a6efcf6f205ab93827f544fc4f8c964e6

  • SHA256

    6b2570440fa2adf51b8f8135575290688bcdc01720c51ac27f257357bce076dd

  • SHA512

    6e452475a518be9661c331089c3aa9d2217362a407ae852a8b33be20819cd43d8c480730672df8c3e607f5f2401c1476c4c7c171c7c68fdbf712e50273f0e090

  • SSDEEP

    12288:ZMr5y90ERLraoA8X9yK7oBgaufBvm3XmbHZ:EyNxN3Jm3Xmb5

Score
10/10
redlineformarumfadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Extracted

Family

redline

Botnet

forma

C2

193.233.20.24:4123

Attributes
  • auth_value

    50b8e065d7cb1e9e30786f7a370368f9

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b2570440fa2adf51b8f8135575290688bcdc01720c51ac27f257357bce076dd.exe
    "C:\Users\Admin\AppData\Local\Temp\6b2570440fa2adf51b8f8135575290688bcdc01720c51ac27f257357bce076dd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxY3832fl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxY3832fl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw89bt33xe01.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw89bt33xe01.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tga78bZ74.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tga78bZ74.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1648
          4⤵
          • Program crash
          PID:2004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uwX99gq67.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uwX99gq67.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4752 -ip 4752
    1⤵
      PID:4672

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uwX99gq67.exe
      Filesize

      177KB

      MD5

      52e95f2c67a8ccce1ed75ab905036a5e

      SHA1

      b1a51679014ba67643b9c247c331e691687c6564

      SHA256

      42f8cbae2216a8faa2dba170a92079e651864d1caeb5c213c5dcc77acea6bcc1

      SHA512

      f04132f8cd4cfdd75f9f2c2be7039dc3c835119ce55005b8e91837cb56adb0e090fac9f4c015c63e738871ea7c0556a04c59df6b26693172e66178eae81fa16a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uwX99gq67.exe
      Filesize

      177KB

      MD5

      52e95f2c67a8ccce1ed75ab905036a5e

      SHA1

      b1a51679014ba67643b9c247c331e691687c6564

      SHA256

      42f8cbae2216a8faa2dba170a92079e651864d1caeb5c213c5dcc77acea6bcc1

      SHA512

      f04132f8cd4cfdd75f9f2c2be7039dc3c835119ce55005b8e91837cb56adb0e090fac9f4c015c63e738871ea7c0556a04c59df6b26693172e66178eae81fa16a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxY3832fl.exe
      Filesize

      392KB

      MD5

      504b4d7a7e1688e87da80a1138b4a20d

      SHA1

      233d855158b529f56f40ac3ffcc9f6bf03cbd11a

      SHA256

      b9643b045ea78fd941328c362f7147ddf76f1833b80d9b383d40417f3a1e82c7

      SHA512

      4c240f99ca0be27d754b8ccb2ed792f4c3bfe4271fe5d49a97430f72f5dac781e531f1ef35d304cd0bbf9a198212478cb6f08df538a5b2e984b947f9f5722db9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxY3832fl.exe
      Filesize

      392KB

      MD5

      504b4d7a7e1688e87da80a1138b4a20d

      SHA1

      233d855158b529f56f40ac3ffcc9f6bf03cbd11a

      SHA256

      b9643b045ea78fd941328c362f7147ddf76f1833b80d9b383d40417f3a1e82c7

      SHA512

      4c240f99ca0be27d754b8ccb2ed792f4c3bfe4271fe5d49a97430f72f5dac781e531f1ef35d304cd0bbf9a198212478cb6f08df538a5b2e984b947f9f5722db9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw89bt33xe01.exe
      Filesize

      17KB

      MD5

      7a73bff4ec5226bcdfc89a73238ba292

      SHA1

      9b885b9fdca40e0b9f906574a61480ad9c70e51e

      SHA256

      dc5f57df2f512a5f1d3d8b15eda8fd16ce26600ee01005ef9c858e7454979beb

      SHA512

      1bc4c1de89b63c564f4616d3f99ba9ab3e5befee03c1edc8f458a2524db7dac61ac13190ceed4506f422005c6c978e91e622c7d247ef21d407f2ff7394643882

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw89bt33xe01.exe
      Filesize

      17KB

      MD5

      7a73bff4ec5226bcdfc89a73238ba292

      SHA1

      9b885b9fdca40e0b9f906574a61480ad9c70e51e

      SHA256

      dc5f57df2f512a5f1d3d8b15eda8fd16ce26600ee01005ef9c858e7454979beb

      SHA512

      1bc4c1de89b63c564f4616d3f99ba9ab3e5befee03c1edc8f458a2524db7dac61ac13190ceed4506f422005c6c978e91e622c7d247ef21d407f2ff7394643882

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tga78bZ74.exe
      Filesize

      304KB

      MD5

      bc94778948460579a0739b42d8018118

      SHA1

      f960e87471a354673dc63408a7cfd07052a18561

      SHA256

      164e02a2c9318020d3b3db0e977aadf0890dd6ad139cfcd07195e62578f44d8b

      SHA512

      ff267c27af132c2ce96ca075011a96596d045f771c3439d72b1ea1f567fe585f139b0e7dc8f5c97d340209f478d7e9cad374fc0497345998702f06e234ca657b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tga78bZ74.exe
      Filesize

      304KB

      MD5

      bc94778948460579a0739b42d8018118

      SHA1

      f960e87471a354673dc63408a7cfd07052a18561

      SHA256

      164e02a2c9318020d3b3db0e977aadf0890dd6ad139cfcd07195e62578f44d8b

      SHA512

      ff267c27af132c2ce96ca075011a96596d045f771c3439d72b1ea1f567fe585f139b0e7dc8f5c97d340209f478d7e9cad374fc0497345998702f06e234ca657b

      Download Submit

    • memory/3276-1085-0x0000000000990000-0x00000000009C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3276-1086-0x0000000005620000-0x0000000005630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4392-147-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4752-189-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-201-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-155-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-156-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-157-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-158-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-161-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-159-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-163-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-165-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-167-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-169-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-171-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-173-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-175-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-177-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-179-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-181-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-183-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-185-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-187-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-153-0x0000000004B30000-0x00000000050D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4752-191-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-193-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-195-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-197-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-199-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-154-0x0000000002210000-0x000000000225B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4752-203-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-205-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-207-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-209-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-211-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-213-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-215-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-217-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-219-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-221-0x00000000050F0000-0x000000000512E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4752-1064-0x00000000052D0000-0x00000000058E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4752-1065-0x0000000005970000-0x0000000005A7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4752-1066-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4752-1067-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-1068-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4752-1070-0x0000000005DC0000-0x0000000005E26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4752-1071-0x0000000006570000-0x0000000006602000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4752-1072-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-1073-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-1074-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-1075-0x0000000006680000-0x0000000006842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4752-1076-0x0000000006850000-0x0000000006D7C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4752-1077-0x0000000002650000-0x0000000002660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4752-1078-0x0000000007150000-0x00000000071C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4752-1079-0x00000000071D0000-0x0000000007220000-memory.dmp

      Filesize

      320KB

      Download