Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2023, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1de72482a538cf12388debeb12e57d895cc80d278346a89328d79697cce6e2b8.exe

  • Size

    546KB

  • MD5

    ab5381c6a50b6a3f3904d19e2ed1d75e

  • SHA1

    8236cbd83287e38ed52011390e9a86f10c6d30f1

  • SHA256

    1de72482a538cf12388debeb12e57d895cc80d278346a89328d79697cce6e2b8

  • SHA512

    aae11849b4476cbf4fd521aa71e25be48726884ad7b3549f19896fd411b349624c3dcc187e69bc828f2f73201f4573817772b29acaa7930af3374690a9c6925a

  • SSDEEP

    12288:8Mrry903xbCJ4aJxENKjTa/1BA2DhnR4IWLqB7k:fyqCJJxkK3SWqhqA4

Score
10/10
redlinefomichstekdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

stek

C2

melevv.eu:4162

Attributes
  • auth_value

    4205381daf6946b2df5fe3bc7eacc918

Extracted

Family

redline

Botnet

fomich

C2

melevv.eu:4162

Attributes
  • auth_value

    b018e52ac946001794d8b8c23e901859

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1de72482a538cf12388debeb12e57d895cc80d278346a89328d79697cce6e2b8.exe
    "C:\Users\Admin\AppData\Local\Temp\1de72482a538cf12388debeb12e57d895cc80d278346a89328d79697cce6e2b8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vyP3920EO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vyP3920EO.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw91ah86gT63.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw91ah86gT63.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3992
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tBl69xG38.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tBl69xG38.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1388
          4⤵
          • Program crash
          PID:3584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uaD66xj41.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uaD66xj41.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4508 -ip 4508
    1⤵
      PID:4892

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uaD66xj41.exe
      Filesize

      175KB

      MD5

      8fa3c4181cc7d1fec1d18645fde2f246

      SHA1

      678ca5d1b3f26a5ff2d385fc373b43bc420bf7ff

      SHA256

      1a8824b03168c0113abda3bd982be7611e176678d09fdc85c39798802b272c65

      SHA512

      654a1cb1ed6e520eb03e9425de2ddec9ba347b9ef2c0fe356d94ff76dadc405a92a3607a4e58f879c578b1033240935971ded708373b6f1c6b8df7b6b52d2a21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uaD66xj41.exe
      Filesize

      175KB

      MD5

      8fa3c4181cc7d1fec1d18645fde2f246

      SHA1

      678ca5d1b3f26a5ff2d385fc373b43bc420bf7ff

      SHA256

      1a8824b03168c0113abda3bd982be7611e176678d09fdc85c39798802b272c65

      SHA512

      654a1cb1ed6e520eb03e9425de2ddec9ba347b9ef2c0fe356d94ff76dadc405a92a3607a4e58f879c578b1033240935971ded708373b6f1c6b8df7b6b52d2a21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vyP3920EO.exe
      Filesize

      401KB

      MD5

      a058fcf603155923638830623c0e8b2a

      SHA1

      ec91b1c8498289a8c3d637100837636bf23fca77

      SHA256

      ec291fbc7df5c6edadb143a2f0210a96116ea0e1dec034ab4f8e7ebf6a74868f

      SHA512

      e629f7db957a8c67effbda520a91f16f724060862d828a4209eca39496aee44993a33a6c86e1ae83281b6e6cea15e0011c813a80b16cec760d2ec5bf678a01b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vyP3920EO.exe
      Filesize

      401KB

      MD5

      a058fcf603155923638830623c0e8b2a

      SHA1

      ec91b1c8498289a8c3d637100837636bf23fca77

      SHA256

      ec291fbc7df5c6edadb143a2f0210a96116ea0e1dec034ab4f8e7ebf6a74868f

      SHA512

      e629f7db957a8c67effbda520a91f16f724060862d828a4209eca39496aee44993a33a6c86e1ae83281b6e6cea15e0011c813a80b16cec760d2ec5bf678a01b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw91ah86gT63.exe
      Filesize

      17KB

      MD5

      4edc669abdf0bb05b346d5a5c5ca6d54

      SHA1

      fccb2fe77269ef921ff9c79ae6f5b157247e1402

      SHA256

      4e4501444951b4d5ec5da92774c190e86b1db702d739a9a3f8f940d90cba02a7

      SHA512

      b50c19679c4e68d165a1d216ba87d9745d6ec7eced8f58d7b7635505f3adc53d2c80d60a8c2a82e1b5b23f7e70c590b48be849203d95ea978c254da8d7b57084

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw91ah86gT63.exe
      Filesize

      17KB

      MD5

      4edc669abdf0bb05b346d5a5c5ca6d54

      SHA1

      fccb2fe77269ef921ff9c79ae6f5b157247e1402

      SHA256

      4e4501444951b4d5ec5da92774c190e86b1db702d739a9a3f8f940d90cba02a7

      SHA512

      b50c19679c4e68d165a1d216ba87d9745d6ec7eced8f58d7b7635505f3adc53d2c80d60a8c2a82e1b5b23f7e70c590b48be849203d95ea978c254da8d7b57084

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tBl69xG38.exe
      Filesize

      376KB

      MD5

      d59f82338e5d937f8762de73d2fe5bfd

      SHA1

      405e65a38c7677eaed8a28a9b9ef72a0ad7bdacb

      SHA256

      138b6143c345a24a8f866d24f461d19ce4c9ed06204f12eb4d09207baff6ebf1

      SHA512

      bf1cfe667b92ecdfd20625a50245e2640ddcc7f0320ae842b28ebd9e48582a437ed68360745d997d0cb5064926b84ec7de4450bf9f3d89692ea5f1ddf4775e75

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tBl69xG38.exe
      Filesize

      376KB

      MD5

      d59f82338e5d937f8762de73d2fe5bfd

      SHA1

      405e65a38c7677eaed8a28a9b9ef72a0ad7bdacb

      SHA256

      138b6143c345a24a8f866d24f461d19ce4c9ed06204f12eb4d09207baff6ebf1

      SHA512

      bf1cfe667b92ecdfd20625a50245e2640ddcc7f0320ae842b28ebd9e48582a437ed68360745d997d0cb5064926b84ec7de4450bf9f3d89692ea5f1ddf4775e75

      Download Submit

    • memory/2000-1082-0x00000000006C0000-0x00000000006F2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2000-1083-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3992-147-0x0000000000930000-0x000000000093A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4508-187-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-199-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-155-0x00000000073A0000-0x0000000007944000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4508-156-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-159-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-161-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-157-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-163-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-165-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-167-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-169-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-171-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-173-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-175-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-177-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-179-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-181-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-183-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-185-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-153-0x0000000002BD0000-0x0000000002C1B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4508-189-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-195-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-193-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-191-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-197-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-154-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4508-201-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-203-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-205-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-207-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-209-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-211-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-213-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-215-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-217-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-219-0x0000000004EA0000-0x0000000004EDE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4508-1062-0x0000000007950000-0x0000000007F68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4508-1063-0x0000000007FB0000-0x00000000080BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4508-1064-0x00000000080F0000-0x0000000008102000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4508-1065-0x0000000008110000-0x000000000814C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4508-1066-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4508-1067-0x0000000008410000-0x0000000008476000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4508-1069-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4508-1070-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4508-1071-0x0000000008C00000-0x0000000008C92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4508-1072-0x0000000008D00000-0x0000000008EC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4508-1073-0x0000000008EE0000-0x000000000940C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4508-1074-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4508-1075-0x0000000009650000-0x00000000096C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4508-1076-0x00000000096E0000-0x0000000009730000-memory.dmp

      Filesize

      320KB

      Download