Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2023, 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82634d3998af30fc3d479c925af57d3218fc99a57048535e672f225c97bf2850.exe

  • Size

    536KB

  • MD5

    56a0e6fde2cbaf44bc78259902cd16f2

  • SHA1

    6dfdb284ce71fdef397216d693465a90ccab7b60

  • SHA256

    82634d3998af30fc3d479c925af57d3218fc99a57048535e672f225c97bf2850

  • SHA512

    75a7518024363f1c0a1568043e3f38dbca73d4baf4497393c86984b39d8471a84ce8daa60f6638c8c46a1c3490568e0593759a326090a813236e808844a6166b

  • SSDEEP

    12288:DMrMy90fqcHiv+eyxyIGdNe2e9D3WieAUFm/s6:zyVcCv/y9KU9UF76

Score
10/10
redlinefubarouchdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rouch

C2

193.56.146.11:4162

Attributes
  • auth_value

    1b1735bcfc122c708eae27ca352568de

Extracted

Family

redline

Botnet

fuba

C2

193.56.146.11:4162

Attributes
  • auth_value

    43015841fc23c63b15ca6ffe1d278d5e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82634d3998af30fc3d479c925af57d3218fc99a57048535e672f225c97bf2850.exe
    "C:\Users\Admin\AppData\Local\Temp\82634d3998af30fc3d479c925af57d3218fc99a57048535e672f225c97bf2850.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viR4220LT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viR4220LT.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw01Wx76BF59.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw01Wx76BF59.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tlE75XZ44.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tlE75XZ44.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhP88Rp94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhP88Rp94.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4644

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhP88Rp94.exe
    Filesize

    175KB

    MD5

    3139c3bcce98ee877a437c29f8cb80f6

    SHA1

    e08f34aaada2c1aa13ce372eb2c0c348c484e788

    SHA256

    3ca7657339d741aa4f0cac1c6f006c303f6b50a7cba5fb7dda9fe0e6300d8ff0

    SHA512

    37ee1d1d73d42c555fb22515c6ed91270f2507e392e55b013582516b8b15835ae3c1f31c513f78b1f877d3ec5f9fcff818595d44cfc7c63bfe438834c4b50023

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhP88Rp94.exe
    Filesize

    175KB

    MD5

    3139c3bcce98ee877a437c29f8cb80f6

    SHA1

    e08f34aaada2c1aa13ce372eb2c0c348c484e788

    SHA256

    3ca7657339d741aa4f0cac1c6f006c303f6b50a7cba5fb7dda9fe0e6300d8ff0

    SHA512

    37ee1d1d73d42c555fb22515c6ed91270f2507e392e55b013582516b8b15835ae3c1f31c513f78b1f877d3ec5f9fcff818595d44cfc7c63bfe438834c4b50023

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viR4220LT.exe
    Filesize

    391KB

    MD5

    dbcf5b463f84a033af6c4500864ad4f3

    SHA1

    594e5186f0999563c93862754b1ec3d9769a44fb

    SHA256

    b0c8c58fa92079d94000ac4ed48ed7f8d1610ac71f8a696482ebfbb725e6e3c2

    SHA512

    7ccd1b4047f1a3065892753e7ba6609ee0ea7d815aff99e9d3dacee7548fa67d9f963ff4399d34a4b7d948ffedede458131c1e0802ad2f3a078c78c9fbd97c9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viR4220LT.exe
    Filesize

    391KB

    MD5

    dbcf5b463f84a033af6c4500864ad4f3

    SHA1

    594e5186f0999563c93862754b1ec3d9769a44fb

    SHA256

    b0c8c58fa92079d94000ac4ed48ed7f8d1610ac71f8a696482ebfbb725e6e3c2

    SHA512

    7ccd1b4047f1a3065892753e7ba6609ee0ea7d815aff99e9d3dacee7548fa67d9f963ff4399d34a4b7d948ffedede458131c1e0802ad2f3a078c78c9fbd97c9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw01Wx76BF59.exe
    Filesize

    12KB

    MD5

    dd1c4d88b91749169dc38505624dbc94

    SHA1

    ddd248f01f004fe29d4d9929f5a378621285f979

    SHA256

    1e1f72280c6aa08b2c60a4e208aedb74d132bda9868b454a405d358152de9135

    SHA512

    9df621e7962f7a2a3c06a7f6734eaa59f88662c5e4a642f1922a22089be1040e144d5dbf07abb2fb9e2bba1aa641000fd499ac64bbf32d834c06193fcefd3bf9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw01Wx76BF59.exe
    Filesize

    12KB

    MD5

    dd1c4d88b91749169dc38505624dbc94

    SHA1

    ddd248f01f004fe29d4d9929f5a378621285f979

    SHA256

    1e1f72280c6aa08b2c60a4e208aedb74d132bda9868b454a405d358152de9135

    SHA512

    9df621e7962f7a2a3c06a7f6734eaa59f88662c5e4a642f1922a22089be1040e144d5dbf07abb2fb9e2bba1aa641000fd499ac64bbf32d834c06193fcefd3bf9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tlE75XZ44.exe
    Filesize

    304KB

    MD5

    96f412e9d1af706687c3bbdcf537b3e5

    SHA1

    71e807888a86b44247d2b12d72d5823094724c77

    SHA256

    192cf1ff85c6ca01e2d26f99ecb55fab5f80c2ff70f3d54dacb449f8b853c0ff

    SHA512

    22d47a05a99f654617d79b58f614d87d5792584cee7e4276d1f84fdfa9d164717d4019330afca7b345942871969f94526283d62948dfea9196b7d73f89430b7c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tlE75XZ44.exe
    Filesize

    304KB

    MD5

    96f412e9d1af706687c3bbdcf537b3e5

    SHA1

    71e807888a86b44247d2b12d72d5823094724c77

    SHA256

    192cf1ff85c6ca01e2d26f99ecb55fab5f80c2ff70f3d54dacb449f8b853c0ff

    SHA512

    22d47a05a99f654617d79b58f614d87d5792584cee7e4276d1f84fdfa9d164717d4019330afca7b345942871969f94526283d62948dfea9196b7d73f89430b7c

    Download Submit

  • memory/1276-147-0x0000000000360000-0x000000000036A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1836-153-0x0000000000840000-0x000000000088B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1836-154-0x0000000004CE0000-0x0000000005284000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1836-155-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-156-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-158-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-159-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-161-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-163-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-162-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-165-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-167-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-169-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-171-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-173-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-175-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-177-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-179-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-181-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-183-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-185-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-187-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-189-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-191-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-193-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-195-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-197-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-199-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-201-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-203-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-205-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-207-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-211-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-213-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-209-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-215-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-217-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-219-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-221-0x0000000002680000-0x00000000026BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-1064-0x0000000005390000-0x00000000059A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1836-1065-0x00000000059B0000-0x0000000005ABA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1836-1066-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1836-1067-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-1068-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1836-1070-0x0000000005DC0000-0x0000000005E52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1836-1071-0x0000000005E60000-0x0000000005EC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1836-1072-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-1073-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-1074-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-1075-0x0000000006660000-0x00000000066D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1836-1076-0x00000000066F0000-0x0000000006740000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1836-1077-0x00000000068B0000-0x0000000006A72000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1836-1078-0x0000000006A80000-0x0000000006FAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1836-1079-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-1085-0x0000000000020000-0x0000000000052000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4644-1086-0x0000000004C00000-0x0000000004C10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-1087-0x0000000004C00000-0x0000000004C10000-memory.dmp

    Filesize

    64KB

    Download