Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2023, 04:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0b42dbf4ad6f2335cbb958d3f8d559b8137ddb02512068e31bf81ba5f29b3e2d.exe

  • Size

    659KB

  • MD5

    67cb938e8c6968d283aae5cf5579abf2

  • SHA1

    13cf1fbd45939ae9b4700ed58f27d0c3c17e222a

  • SHA256

    0b42dbf4ad6f2335cbb958d3f8d559b8137ddb02512068e31bf81ba5f29b3e2d

  • SHA512

    0f1e2e5e3ff47a5ff4ac66b4effb42d82955d8d7eecd82f4290964a418dedd99f883a8ee8e7a7edd85051e3577f2d1161229253cd4eb9b5f33edbe5c3bcd2471

  • SSDEEP

    12288:bMrPy909C6bDU4Vw/7k/Boph/CEXR86qKDqCqjQZzx5voFMSrBK:IyqC684e/gOj/vePQzfwGSrY

Score
10/10
redlinefoksarostodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

redline

Botnet

foksa

C2

hueref.eu:4162

Attributes
  • auth_value

    6a9b2601a21672b285de3ed41b5402e4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b42dbf4ad6f2335cbb958d3f8d559b8137ddb02512068e31bf81ba5f29b3e2d.exe
    "C:\Users\Admin\AppData\Local\Temp\0b42dbf4ad6f2335cbb958d3f8d559b8137ddb02512068e31bf81ba5f29b3e2d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycuN82Lg26.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycuN82Lg26.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urZt48zh96.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urZt48zh96.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1084
          4⤵
          • Program crash
          PID:4488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrXx49Ci06.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrXx49Ci06.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1412
          4⤵
          • Program crash
          PID:4640
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xudN52vd95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xudN52vd95.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2160 -ip 2160
    1⤵
      PID:736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1808 -ip 1808
      1⤵
        PID:2472

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xudN52vd95.exe
              Filesize

              175KB

              MD5

              75ced8ad0d8cd237ebc9cb7b00852651

              SHA1

              adab63df3e0a40fd9f170ab57da66f01f226141c

              SHA256

              a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

              SHA512

              f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xudN52vd95.exe
              Filesize

              175KB

              MD5

              75ced8ad0d8cd237ebc9cb7b00852651

              SHA1

              adab63df3e0a40fd9f170ab57da66f01f226141c

              SHA256

              a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

              SHA512

              f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycuN82Lg26.exe
              Filesize

              514KB

              MD5

              5784aeb2dcc9811340111a36b17de8bd

              SHA1

              bc515af1ffb051201a6e6b54a658578ab8e5f397

              SHA256

              9f9328adb2e1d27d3e526b2b68e9da3d59b491764065e4b6d9c3aff154aa3ced

              SHA512

              e2a7c9884febdaa32d735f2cf5b60a9e86937cc4284c0224c27cae12bee8cd9bbdb6487b8fc91b5e52cf1dfb1280a9032466180eff5ae46ead92b62a364eb4b9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycuN82Lg26.exe
              Filesize

              514KB

              MD5

              5784aeb2dcc9811340111a36b17de8bd

              SHA1

              bc515af1ffb051201a6e6b54a658578ab8e5f397

              SHA256

              9f9328adb2e1d27d3e526b2b68e9da3d59b491764065e4b6d9c3aff154aa3ced

              SHA512

              e2a7c9884febdaa32d735f2cf5b60a9e86937cc4284c0224c27cae12bee8cd9bbdb6487b8fc91b5e52cf1dfb1280a9032466180eff5ae46ead92b62a364eb4b9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urZt48zh96.exe
              Filesize

              232KB

              MD5

              654d38a192aa90f8f2d4c64647ed64d1

              SHA1

              366c844b2fc2b4c0b0191754d4a1470e1763ccb4

              SHA256

              93f2d867562d5187beac7b8d7a55a8f435b7bbab77152b0c7bb3f8c22c2d23a2

              SHA512

              9ce88068e0e4cfac55467fbccc2621bbe431353bf4faf6a0957a6ae38f083023fbd130abb423e35f344e4d3952aed8470eba47c3ab71ff7ec61ff5a79aa80303

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urZt48zh96.exe
              Filesize

              232KB

              MD5

              654d38a192aa90f8f2d4c64647ed64d1

              SHA1

              366c844b2fc2b4c0b0191754d4a1470e1763ccb4

              SHA256

              93f2d867562d5187beac7b8d7a55a8f435b7bbab77152b0c7bb3f8c22c2d23a2

              SHA512

              9ce88068e0e4cfac55467fbccc2621bbe431353bf4faf6a0957a6ae38f083023fbd130abb423e35f344e4d3952aed8470eba47c3ab71ff7ec61ff5a79aa80303

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrXx49Ci06.exe
              Filesize

              289KB

              MD5

              1c795044102f7759152f7661b15c22bf

              SHA1

              66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224

              SHA256

              8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4

              SHA512

              8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrXx49Ci06.exe
              Filesize

              289KB

              MD5

              1c795044102f7759152f7661b15c22bf

              SHA1

              66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224

              SHA256

              8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4

              SHA512

              8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1

              Download Submit

            • memory/1420-1119-0x0000000005680000-0x0000000005690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1420-1118-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/1808-1099-0x0000000005970000-0x0000000005982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1808-1101-0x0000000005990000-0x00000000059CC000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1808-1112-0x0000000006950000-0x0000000006E7C000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/1808-1111-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-1110-0x0000000006780000-0x0000000006942000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1808-1109-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-1108-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-1107-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-1106-0x00000000064B0000-0x0000000006500000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1808-1105-0x0000000006420000-0x0000000006496000-memory.dmp

              Filesize

              472KB

              Download

            • memory/1808-1104-0x0000000005D30000-0x0000000005D96000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1808-1103-0x0000000005C90000-0x0000000005D22000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1808-1100-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-1098-0x0000000005830000-0x000000000593A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/1808-1097-0x0000000005190000-0x00000000057A8000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/1808-394-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-391-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-188-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-190-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-192-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-187-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-194-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-196-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-198-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-200-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-202-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-204-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-206-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-208-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-210-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-212-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-214-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-216-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-218-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-220-0x0000000004B30000-0x0000000004B6E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1808-387-0x0000000001F50000-0x0000000001F9B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1808-389-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2160-171-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-169-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-182-0x0000000000400000-0x000000000057E000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2160-180-0x0000000000400000-0x000000000057E000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2160-154-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2160-179-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-157-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-177-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-175-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-173-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-149-0x0000000000650000-0x000000000067D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/2160-167-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-151-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2160-165-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-163-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-161-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-159-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-155-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-150-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-152-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2160-148-0x0000000004BD0000-0x0000000005174000-memory.dmp

              Filesize

              5.6MB

              Download