Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2023 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70f06dab9cd5714df376fd3bb9228e0bd2a4dd7be1df4a2e3f90512c427b8dd5.exe

  • Size

    530KB

  • MD5

    6a123325bcb970084369fd0fa00ea6cb

  • SHA1

    962b29a4bb031914349fe0b3551a36082fdd6c96

  • SHA256

    70f06dab9cd5714df376fd3bb9228e0bd2a4dd7be1df4a2e3f90512c427b8dd5

  • SHA512

    ee07365c6b43cb73d084e6d253873c51543550017f8c26d0229092657c27b1cae9990f49a5901551715bd878966c4e578518f6dc290ea71b945c0b8f7bbd6f9e

  • SSDEEP

    12288:qMr3y90pHLtWfe/G19hBosQTvh3cOAPuIcOK:9ywHLtl/GPhBHGNYugK

Score
10/10
redlinefabiorulitdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rulit

C2

pedigj.eu:4162

Attributes
  • auth_value

    f4df9ef56871d4ac883b282abaf635e0

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f06dab9cd5714df376fd3bb9228e0bd2a4dd7be1df4a2e3f90512c427b8dd5.exe
    "C:\Users\Admin\AppData\Local\Temp\70f06dab9cd5714df376fd3bb9228e0bd2a4dd7be1df4a2e3f90512c427b8dd5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCb9975WO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCb9975WO.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf12Vb16Ru91.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf12Vb16Ru91.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05QC29jB92.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05QC29jB92.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:220
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1412
          4⤵
          • Program crash
          PID:5020
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhQz50ks62gt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhQz50ks62gt.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 220 -ip 220
    1⤵
      PID:5044

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhQz50ks62gt.exe
      Filesize

      175KB

      MD5

      b060f8b79e8314205889a7f7472c0f99

      SHA1

      1b0d30a26a848c628d56952b366f5ef6bc8544bd

      SHA256

      26b591919dd56618debd75b42e733ddf15d44ea24002e1a658529c2014cbef5a

      SHA512

      5cba2545c28f358ed68bd7991b780203647a7934138e6955c5522261fb68b26a68622edfe6d6f3c3ceeb76395a3dc55aad1bb52829282f31f37874c5e9e0c44c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhQz50ks62gt.exe
      Filesize

      175KB

      MD5

      b060f8b79e8314205889a7f7472c0f99

      SHA1

      1b0d30a26a848c628d56952b366f5ef6bc8544bd

      SHA256

      26b591919dd56618debd75b42e733ddf15d44ea24002e1a658529c2014cbef5a

      SHA512

      5cba2545c28f358ed68bd7991b780203647a7934138e6955c5522261fb68b26a68622edfe6d6f3c3ceeb76395a3dc55aad1bb52829282f31f37874c5e9e0c44c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCb9975WO.exe
      Filesize

      385KB

      MD5

      cbf40db3187871a26d31fb6b8d93c9fc

      SHA1

      bcb6efd82bc8d66a20e90edf90d30ac38e2fdd5f

      SHA256

      695efe9a1b8f41460277ae486a26551185fc9ad2f5a206a8ee83e683542fddb5

      SHA512

      25e81701687488e691bd3ed6c83dcbcd89d4ddda39a828b54f5e56f6c79cbd6605bb3d5f09ce8fe6680c6dc852d2ec68c5c2f2bbab57772b5c77e5b9f45d40b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCb9975WO.exe
      Filesize

      385KB

      MD5

      cbf40db3187871a26d31fb6b8d93c9fc

      SHA1

      bcb6efd82bc8d66a20e90edf90d30ac38e2fdd5f

      SHA256

      695efe9a1b8f41460277ae486a26551185fc9ad2f5a206a8ee83e683542fddb5

      SHA512

      25e81701687488e691bd3ed6c83dcbcd89d4ddda39a828b54f5e56f6c79cbd6605bb3d5f09ce8fe6680c6dc852d2ec68c5c2f2bbab57772b5c77e5b9f45d40b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf12Vb16Ru91.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf12Vb16Ru91.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05QC29jB92.exe
      Filesize

      293KB

      MD5

      91f5202c32c2a2d4a7e7af26352b5b24

      SHA1

      496ff68b2294092b940ff0210bc91973d6070ad2

      SHA256

      02f76b753cbd8fab30cea99525d27557e14af109c1ebc0490e2ba2a98642188f

      SHA512

      71fca8e87fab71725b2a67c731322d633fca9670210bff9266bb7e543f0bc296b4a827afef3a272e596c484915e14d8f0c7651dcdb4b7bb83ea74a84570a4518

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05QC29jB92.exe
      Filesize

      293KB

      MD5

      91f5202c32c2a2d4a7e7af26352b5b24

      SHA1

      496ff68b2294092b940ff0210bc91973d6070ad2

      SHA256

      02f76b753cbd8fab30cea99525d27557e14af109c1ebc0490e2ba2a98642188f

      SHA512

      71fca8e87fab71725b2a67c731322d633fca9670210bff9266bb7e543f0bc296b4a827afef3a272e596c484915e14d8f0c7651dcdb4b7bb83ea74a84570a4518

      Download Submit

    • memory/220-153-0x00000000006B0000-0x00000000006FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/220-154-0x0000000004D50000-0x00000000052F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/220-155-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-156-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-158-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-160-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-162-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-165-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-164-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-167-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-168-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-171-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-169-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-173-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-175-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-177-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-179-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-181-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-183-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-185-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-187-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-189-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-193-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-195-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-197-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-199-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-201-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-203-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-205-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-207-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-209-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-211-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-213-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-215-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-217-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-219-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-221-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/220-1064-0x0000000005300000-0x0000000005918000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/220-1065-0x0000000005970000-0x0000000005A7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/220-1066-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/220-1067-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/220-1068-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-1070-0x0000000005DD0000-0x0000000005E62000-memory.dmp

      Filesize

      584KB

      Download

    • memory/220-1071-0x0000000005E70000-0x0000000005ED6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/220-1072-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-1073-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-1074-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-1075-0x0000000006450000-0x00000000064C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/220-1076-0x0000000006730000-0x0000000006780000-memory.dmp

      Filesize

      320KB

      Download

    • memory/220-1077-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-1078-0x0000000006780000-0x0000000006942000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/220-1079-0x0000000006950000-0x0000000006E7C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2828-147-0x0000000000F40000-0x0000000000F4A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4612-1085-0x0000000000D20000-0x0000000000D52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4612-1086-0x0000000005650000-0x0000000005660000-memory.dmp

      Filesize

      64KB

      Download