Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2023, 06:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6c3d62487f45f3d30012cacb802a194121935b15b13866092c88cc9b646abb38.exe

  • Size

    666KB

  • MD5

    2af022b2c188b2f04569df13c2acd3a0

  • SHA1

    09305ecadb10019e7b82c508427d90f04b5472f4

  • SHA256

    6c3d62487f45f3d30012cacb802a194121935b15b13866092c88cc9b646abb38

  • SHA512

    a893c0884bf0305bc6c8307085e3f808235ce87b43a171aaca0d24d407e8d8b9f23291cb1927a63dae8e653cea425a77db7ddb7d4e8bd18fa9e5aee49b8851fc

  • SSDEEP

    12288:lMrCy90/v+0pVS3RYugnFZa77XdGs5k4Zr1mR3X6NZP9B3JePISYdSI6:bye2gV1LWLdGs5xrM3wjB3Jev

Score
10/10
redlinefchanruzhpediscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

ruzhpe

C2

pepunn.com:4162

Attributes
  • auth_value

    f735ced96ae8d01d0bd1d514240e54e0

Extracted

Family

redline

Botnet

fchan

C2

pepunn.com:4162

Attributes
  • auth_value

    127bd53d55e8c4f0dd2f6e1ea60deef4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c3d62487f45f3d30012cacb802a194121935b15b13866092c88cc9b646abb38.exe
    "C:\Users\Admin\AppData\Local\Temp\6c3d62487f45f3d30012cacb802a194121935b15b13866092c88cc9b646abb38.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycJA10OX24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycJA10OX24.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urSo37Qh36.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urSo37Qh36.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1084
          4⤵
          • Program crash
          PID:3156
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrZT43IA10.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrZT43IA10.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3864
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1904
          4⤵
          • Program crash
          PID:32
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuxV94tx89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuxV94tx89.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3944 -ip 3944
    1⤵
      PID:2144
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3864 -ip 3864
      1⤵
        PID:4428

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuxV94tx89.exe
              Filesize

              175KB

              MD5

              9a121985dfc3626e25d6e74b4e6c6d7d

              SHA1

              389272db23131d841ed85d8de5e1d058523923fd

              SHA256

              2207e0a8bc48f1b96d586a4cab4a2f1a6353baaeae5718d4adb0ae2be573f02f

              SHA512

              1475b674971a9ad52477a4459cb2a70b222ff6ebfff56e3f83b9e172b493e57303a6c534425298570d7204047b67bf0d1ec1a95c3bde20c324a066d94c5e2d09

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuxV94tx89.exe
              Filesize

              175KB

              MD5

              9a121985dfc3626e25d6e74b4e6c6d7d

              SHA1

              389272db23131d841ed85d8de5e1d058523923fd

              SHA256

              2207e0a8bc48f1b96d586a4cab4a2f1a6353baaeae5718d4adb0ae2be573f02f

              SHA512

              1475b674971a9ad52477a4459cb2a70b222ff6ebfff56e3f83b9e172b493e57303a6c534425298570d7204047b67bf0d1ec1a95c3bde20c324a066d94c5e2d09

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycJA10OX24.exe
              Filesize

              522KB

              MD5

              a08931124a5008dcba9a035627546ad0

              SHA1

              17382853457110d5d9653f1dd9bdbbcddb6384c1

              SHA256

              9b6010e343e4ce2c813202c14e4552496541d4bcd52d8d98b1a5a0e16137cd3c

              SHA512

              653365b609a21dce8a27e65338be5c85aed84f0568161d843a7577cd75018b8acafdbcb851dfb4e13cc50d5223e183a7da0873ccfe35118ff865c9aa5d827863

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycJA10OX24.exe
              Filesize

              522KB

              MD5

              a08931124a5008dcba9a035627546ad0

              SHA1

              17382853457110d5d9653f1dd9bdbbcddb6384c1

              SHA256

              9b6010e343e4ce2c813202c14e4552496541d4bcd52d8d98b1a5a0e16137cd3c

              SHA512

              653365b609a21dce8a27e65338be5c85aed84f0568161d843a7577cd75018b8acafdbcb851dfb4e13cc50d5223e183a7da0873ccfe35118ff865c9aa5d827863

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urSo37Qh36.exe
              Filesize

              250KB

              MD5

              452980bfe4732aaef2162c53c88f7ea4

              SHA1

              31b4e28e7ffdf36023ea859f0c343036dfb0470e

              SHA256

              855df086e7969ec6904fde9c5920ab3c6c364ebbc240aa266f78a3103b59d06d

              SHA512

              7ad12f0badc78bb1d42743e8776bece49a55e25244a9b7681c17c345f212bd2d28077e7fe495903de160d43aa7b3d57a419f0895ae3420a3b945d830d1d58707

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urSo37Qh36.exe
              Filesize

              250KB

              MD5

              452980bfe4732aaef2162c53c88f7ea4

              SHA1

              31b4e28e7ffdf36023ea859f0c343036dfb0470e

              SHA256

              855df086e7969ec6904fde9c5920ab3c6c364ebbc240aa266f78a3103b59d06d

              SHA512

              7ad12f0badc78bb1d42743e8776bece49a55e25244a9b7681c17c345f212bd2d28077e7fe495903de160d43aa7b3d57a419f0895ae3420a3b945d830d1d58707

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrZT43IA10.exe
              Filesize

              309KB

              MD5

              284f5cacca006d191a474f8c3eada4c1

              SHA1

              05ccc7b3be213f8543b80cd95e4cbd1aac6190dd

              SHA256

              52e7f367705bf1ad2aed8f9ac8dde3a1c3cd7fc0bd64ae3a3d5a44be416c1341

              SHA512

              26887be6f3f12322ca653e2ba5ee592d5dba31c09312c27d5d29b1d9832f84e42f19a4588787894792d26068dc029ab6abca08a02cc2651e3c8dfe75c41fe4ee

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrZT43IA10.exe
              Filesize

              309KB

              MD5

              284f5cacca006d191a474f8c3eada4c1

              SHA1

              05ccc7b3be213f8543b80cd95e4cbd1aac6190dd

              SHA256

              52e7f367705bf1ad2aed8f9ac8dde3a1c3cd7fc0bd64ae3a3d5a44be416c1341

              SHA512

              26887be6f3f12322ca653e2ba5ee592d5dba31c09312c27d5d29b1d9832f84e42f19a4588787894792d26068dc029ab6abca08a02cc2651e3c8dfe75c41fe4ee

              Download Submit

            • memory/2500-1123-0x0000000005850000-0x0000000005860000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2500-1122-0x0000000000BE0000-0x0000000000C12000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3864-1102-0x00000000059A0000-0x0000000005AAA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/3864-1104-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/3864-1116-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-1115-0x00000000070A0000-0x00000000070F0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/3864-1114-0x0000000007010000-0x0000000007086000-memory.dmp

              Filesize

              472KB

              Download

            • memory/3864-1113-0x00000000069B0000-0x0000000006EDC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3864-1112-0x00000000067D0000-0x0000000006992000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/3864-1111-0x0000000005E80000-0x0000000005EE6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3864-1110-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-1109-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-1108-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-1107-0x0000000005DE0000-0x0000000005E72000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3864-1105-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-1103-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3864-1101-0x0000000005380000-0x0000000005998000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/3864-257-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-258-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-254-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3864-253-0x0000000002210000-0x000000000225B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/3864-224-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-222-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-191-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-192-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-194-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-196-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-202-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-200-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-198-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-204-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-206-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-208-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-210-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-212-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-214-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-216-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-218-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3864-220-0x0000000004C80000-0x0000000004CBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/3944-176-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-151-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3944-186-0x0000000000400000-0x0000000000582000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/3944-184-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3944-183-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3944-182-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3944-181-0x0000000000400000-0x0000000000582000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/3944-152-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3944-180-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-178-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-174-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-170-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-153-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-172-0x0000000004C30000-0x0000000004C42000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3944-150-0x0000000004C90000-0x0000000005234000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3944-149-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3944-148-0x0000000000590000-0x00000000005BD000-memory.dmp

              Filesize

              180KB

              Download