Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2023, 09:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    18dd85fb365b907bfd913272da3ef0f2bfd2131ff1142adbe99b3f75783b49d0.exe

  • Size

    548KB

  • MD5

    e3e7dda40dc6e1cdd5e36d6e434ef358

  • SHA1

    d321a5afa268791ff2be9bd3ed602cb597ef5384

  • SHA256

    18dd85fb365b907bfd913272da3ef0f2bfd2131ff1142adbe99b3f75783b49d0

  • SHA512

    38599c41beae6d658e35074152b865a9d058d163b4008bcb183fe1c8fcc0b19f462cfd8f9ff2d14078feba92e33e4647be8f76c180979f37900124441baecfbb

  • SSDEEP

    12288:iMrSy90IyJRBxjvB4DrnSyS74cG7M/1Jjs13gxjEw:4ypynBxjZszhSTGqJi3En

Score
10/10
redlinefubarouchdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rouch

C2

193.56.146.11:4162

Attributes
  • auth_value

    1b1735bcfc122c708eae27ca352568de

Extracted

Family

redline

Botnet

fuba

C2

193.56.146.11:4162

Attributes
  • auth_value

    43015841fc23c63b15ca6ffe1d278d5e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18dd85fb365b907bfd913272da3ef0f2bfd2131ff1142adbe99b3f75783b49d0.exe
    "C:\Users\Admin\AppData\Local\Temp\18dd85fb365b907bfd913272da3ef0f2bfd2131ff1142adbe99b3f75783b49d0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNE2147Ip.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNE2147Ip.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw63uU27Hg38.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw63uU27Hg38.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOC03Ym16.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOC03Ym16.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4920
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1348
          4⤵
          • Program crash
          PID:2888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uez84AM23.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uez84AM23.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4920 -ip 4920
    1⤵
      PID:2088

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uez84AM23.exe
            Filesize

            175KB

            MD5

            fab3279892ab0cf8c3e57d993b05f65d

            SHA1

            96e64efaf593fcc646f592ea2f7ab8cc0a8d0ecd

            SHA256

            7761311c28140a751946da7cb2768550803a1be9fcdb714b2afe2e5625f8e431

            SHA512

            7361b645cf1e364aa2b9dec9e8dea355f1b0a3e36a8d1f126c8ad2e50a36d0f71fc1cb89dc74379bcbd323fe959be43d2ed7d8b7137d489e0448a4b5f59a3e32

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uez84AM23.exe
            Filesize

            175KB

            MD5

            fab3279892ab0cf8c3e57d993b05f65d

            SHA1

            96e64efaf593fcc646f592ea2f7ab8cc0a8d0ecd

            SHA256

            7761311c28140a751946da7cb2768550803a1be9fcdb714b2afe2e5625f8e431

            SHA512

            7361b645cf1e364aa2b9dec9e8dea355f1b0a3e36a8d1f126c8ad2e50a36d0f71fc1cb89dc74379bcbd323fe959be43d2ed7d8b7137d489e0448a4b5f59a3e32

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNE2147Ip.exe
            Filesize

            404KB

            MD5

            af83b7aac9c00ac2437d2d0ede36a8e3

            SHA1

            8a62faa6be16fc3c904acdb8bf0e4edbce48be53

            SHA256

            4ba855ed59aabed247026c3e973184bf61519d49bbfb15d7e467f8e7ce2a3ae1

            SHA512

            43b837f5a114fb342a2c450820531daef474e858a0ea7d252c00d49b5357d9c8745ad00294ec6c22f4c8eb8804d4397eec5786838400e1da919e88fce7faab1e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNE2147Ip.exe
            Filesize

            404KB

            MD5

            af83b7aac9c00ac2437d2d0ede36a8e3

            SHA1

            8a62faa6be16fc3c904acdb8bf0e4edbce48be53

            SHA256

            4ba855ed59aabed247026c3e973184bf61519d49bbfb15d7e467f8e7ce2a3ae1

            SHA512

            43b837f5a114fb342a2c450820531daef474e858a0ea7d252c00d49b5357d9c8745ad00294ec6c22f4c8eb8804d4397eec5786838400e1da919e88fce7faab1e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw63uU27Hg38.exe
            Filesize

            12KB

            MD5

            1a7a640f8f6cd1dee20713bbbad2d767

            SHA1

            0921e87f4a3f445f1e83d62fb30241874c6a1a40

            SHA256

            eca0d10844a5907fc1b0281ca27af1a2416ee7d6a65915aa3e86fe79a9498127

            SHA512

            cf81673089fae1d68da09293cb37aea0cc6325d7699b3e12722bf73ccb9908b7acaeb9d789b8057e84cf54cba16724e18747b5bc528143dc4e9fc55f20a30d91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw63uU27Hg38.exe
            Filesize

            12KB

            MD5

            1a7a640f8f6cd1dee20713bbbad2d767

            SHA1

            0921e87f4a3f445f1e83d62fb30241874c6a1a40

            SHA256

            eca0d10844a5907fc1b0281ca27af1a2416ee7d6a65915aa3e86fe79a9498127

            SHA512

            cf81673089fae1d68da09293cb37aea0cc6325d7699b3e12722bf73ccb9908b7acaeb9d789b8057e84cf54cba16724e18747b5bc528143dc4e9fc55f20a30d91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOC03Ym16.exe
            Filesize

            380KB

            MD5

            a3da8951bb23f305fd251958e8535aa4

            SHA1

            ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54

            SHA256

            786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a

            SHA512

            be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOC03Ym16.exe
            Filesize

            380KB

            MD5

            a3da8951bb23f305fd251958e8535aa4

            SHA1

            ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54

            SHA256

            786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a

            SHA512

            be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d

            Download Submit

          • memory/3528-147-0x0000000000480000-0x000000000048A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4800-1086-0x0000000000E80000-0x0000000000EB2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4800-1087-0x0000000005A30000-0x0000000005A40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-211-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-193-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-157-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-156-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-155-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-158-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-159-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-171-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-173-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-179-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-177-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-181-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-187-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-195-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-201-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-209-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-215-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-221-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-219-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-217-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-213-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-153-0x0000000004840000-0x000000000488B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4920-207-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-205-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-203-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-199-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-197-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-154-0x0000000007170000-0x0000000007714000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4920-191-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-189-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-185-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-183-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-175-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-169-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-167-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-165-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-163-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-161-0x0000000007760000-0x000000000779E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4920-1064-0x00000000077D0000-0x0000000007DE8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4920-1065-0x0000000007E70000-0x0000000007F7A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4920-1066-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4920-1067-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-1068-0x0000000007FD0000-0x000000000800C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4920-1070-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-1071-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-1072-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-1073-0x00000000082C0000-0x0000000008352000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4920-1074-0x0000000008360000-0x00000000083C6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4920-1075-0x0000000008B80000-0x0000000008D42000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4920-1076-0x0000000008D60000-0x000000000928C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/4920-1077-0x0000000004A80000-0x0000000004A90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4920-1078-0x00000000093C0000-0x0000000009436000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4920-1079-0x0000000009450000-0x00000000094A0000-memory.dmp

            Filesize

            320KB

            Download