Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2023, 07:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6ba85e1898ef2155063bdc5676e53e5cfee1fc0269dd7fa03b8ef72e876cbf11.exe

  • Size

    530KB

  • MD5

    058621a56040b965895fb5c1c4e29f20

  • SHA1

    30e7540b717383ff31b3b80a917deb98463a81aa

  • SHA256

    6ba85e1898ef2155063bdc5676e53e5cfee1fc0269dd7fa03b8ef72e876cbf11

  • SHA512

    7188cc72dc3918a47367d0877c747914a2a189a05a3c0c5f288cc028e274dd72f481268149b97decb1a771aa93ff56d4d8500d365423007eb94fca0fad902268

  • SSDEEP

    12288:BMr5y90dNzS1Yjz+Oo8JE9K4NO1/Bjg1TC4WEw85:IyejzDh+q/heTDpv

Score
10/10
redlinefoksarostodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

redline

Botnet

foksa

C2

hueref.eu:4162

Attributes
  • auth_value

    6a9b2601a21672b285de3ed41b5402e4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ba85e1898ef2155063bdc5676e53e5cfee1fc0269dd7fa03b8ef72e876cbf11.exe
    "C:\Users\Admin\AppData\Local\Temp\6ba85e1898ef2155063bdc5676e53e5cfee1fc0269dd7fa03b8ef72e876cbf11.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxH1443Qd.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxH1443Qd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59OK09Rg09.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59OK09Rg09.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkeu62Es48Bv.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkeu62Es48Bv.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 968
          4⤵
          • Program crash
          PID:4256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upWV71XW71df.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upWV71XW71df.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3880 -ip 3880
    1⤵
      PID:3424

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upWV71XW71df.exe
            Filesize

            175KB

            MD5

            75ced8ad0d8cd237ebc9cb7b00852651

            SHA1

            adab63df3e0a40fd9f170ab57da66f01f226141c

            SHA256

            a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

            SHA512

            f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upWV71XW71df.exe
            Filesize

            175KB

            MD5

            75ced8ad0d8cd237ebc9cb7b00852651

            SHA1

            adab63df3e0a40fd9f170ab57da66f01f226141c

            SHA256

            a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

            SHA512

            f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxH1443Qd.exe
            Filesize

            385KB

            MD5

            24fc45b02c557e30dd2e564759f7e6ed

            SHA1

            10e2820aee6f569c3324ca65bcb05e032cc6291a

            SHA256

            26580233272e0893c75615fbfda66646ee7121126559ed9ab9fb5f92032f5a8c

            SHA512

            0b1506413683edaeac18b60085357d58c0504703a173d6ef72a449ddabdc5b3094bfffe308b39fc17e33f6190ace276d47d6442a6efc67c3852d5a6c9570e0d0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkxH1443Qd.exe
            Filesize

            385KB

            MD5

            24fc45b02c557e30dd2e564759f7e6ed

            SHA1

            10e2820aee6f569c3324ca65bcb05e032cc6291a

            SHA256

            26580233272e0893c75615fbfda66646ee7121126559ed9ab9fb5f92032f5a8c

            SHA512

            0b1506413683edaeac18b60085357d58c0504703a173d6ef72a449ddabdc5b3094bfffe308b39fc17e33f6190ace276d47d6442a6efc67c3852d5a6c9570e0d0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59OK09Rg09.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59OK09Rg09.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkeu62Es48Bv.exe
            Filesize

            289KB

            MD5

            2f4cc1f23eb48e82efaebf3a1896f859

            SHA1

            4ab1e0c840ff9a17750eb2d04f83232e405ba4aa

            SHA256

            d8c6b8b67be7dff9b41a2698e9e243f50e9ad18cd93e72eef94364ff33af80c5

            SHA512

            62a32e76aaad71a247765270b993d8da7f6b8a4c9c1bd309c152cb7daaee208994cde3bda2d568882dc73d7a5ff8698deec22ca63344c721c8c096453aaf1520

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkeu62Es48Bv.exe
            Filesize

            289KB

            MD5

            2f4cc1f23eb48e82efaebf3a1896f859

            SHA1

            4ab1e0c840ff9a17750eb2d04f83232e405ba4aa

            SHA256

            d8c6b8b67be7dff9b41a2698e9e243f50e9ad18cd93e72eef94364ff33af80c5

            SHA512

            62a32e76aaad71a247765270b993d8da7f6b8a4c9c1bd309c152cb7daaee208994cde3bda2d568882dc73d7a5ff8698deec22ca63344c721c8c096453aaf1520

            Download Submit

          • memory/3880-153-0x0000000000590000-0x00000000005DB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/3880-154-0x0000000004E30000-0x00000000053D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3880-155-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-156-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-157-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-158-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-161-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-159-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-163-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-165-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-167-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-169-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-171-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-173-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-175-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-177-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-179-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-181-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-183-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-185-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-187-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-189-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-191-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-193-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-195-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-197-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-199-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-201-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-203-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-205-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-207-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-209-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-211-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-213-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-215-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-217-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-219-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-221-0x0000000004C90000-0x0000000004CCE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3880-1064-0x00000000053E0000-0x00000000059F8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/3880-1065-0x0000000005A00000-0x0000000005B0A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/3880-1066-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3880-1067-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-1068-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/3880-1070-0x0000000005DD0000-0x0000000005E62000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3880-1071-0x0000000005E70000-0x0000000005ED6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3880-1072-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-1073-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-1074-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3880-1075-0x0000000006560000-0x00000000065D6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/3880-1076-0x00000000065F0000-0x0000000006640000-memory.dmp

            Filesize

            320KB

            Download

          • memory/3880-1077-0x0000000006770000-0x0000000006932000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3880-1078-0x0000000006950000-0x0000000006E7C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/3880-1079-0x0000000004E20000-0x0000000004E30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4288-1085-0x0000000000640000-0x0000000000672000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4288-1086-0x0000000004F50000-0x0000000004F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4288-1087-0x0000000004F50000-0x0000000004F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4384-147-0x0000000000B80000-0x0000000000B8A000-memory.dmp

            Filesize

            40KB

            Download