Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Resubmissions

29-10-2024 10:37

241029-mn6xmawjcj 10

05-03-2023 17:28

230305-v187hsgh79 10

Analysis

  • max time kernel
    99s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2023 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db89c00ee892015b59cd0e96504940d720a3c218c4670f09c24a70bc0025a468.exe

  • Size

    529KB

  • MD5

    7ea17ce2e57f77f5bf085c72e1459a35

  • SHA1

    752bea1a4b8b14e8f2ea3d3ab6a6e737c210a490

  • SHA256

    db89c00ee892015b59cd0e96504940d720a3c218c4670f09c24a70bc0025a468

  • SHA512

    2aa4d8e89498b6c6bf306afd7927297faa4ba189b2f65a89616815cdf51da734c0bf36e936d68140fc0549e72dad7af50c78e43c9fed2b97f5e88da20f237d72

  • SSDEEP

    12288:ZMrLy90oHmLzFC0J0MuRWjwJZvRSXGwLrwndwCl5go:uyECou6wJZvRoG6KwCl3

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db89c00ee892015b59cd0e96504940d720a3c218c4670f09c24a70bc0025a468.exe
    "C:\Users\Admin\AppData\Local\Temp\db89c00ee892015b59cd0e96504940d720a3c218c4670f09c24a70bc0025a468.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhda6412ZQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhda6412ZQ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf76Bk98wk38.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf76Bk98wk38.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf55Ni81Pf68.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf55Ni81Pf68.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1188
          4⤵
          • Program crash
          PID:4484
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhbW30kb04vq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhbW30kb04vq.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2292 -ip 2292
    1⤵
      PID:1068

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhbW30kb04vq.exe
      Filesize

      175KB

      MD5

      e87293095374fb2ad99847313d2ce555

      SHA1

      594230f01339a47aad015e9667d885c44da4aa1c

      SHA256

      c372e189e8c2c27f0529be545c7e3f6ff28d9d200610f750231746d3148fa3aa

      SHA512

      93313717f7541ca0b1b6478cf8fb06885a0e09c189302c07c2418287e617fb8014a7b5e8fc3e04ad316115c1abb5699bc549caea6f90638ec5ef6477d9b5601c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhbW30kb04vq.exe
      Filesize

      175KB

      MD5

      e87293095374fb2ad99847313d2ce555

      SHA1

      594230f01339a47aad015e9667d885c44da4aa1c

      SHA256

      c372e189e8c2c27f0529be545c7e3f6ff28d9d200610f750231746d3148fa3aa

      SHA512

      93313717f7541ca0b1b6478cf8fb06885a0e09c189302c07c2418287e617fb8014a7b5e8fc3e04ad316115c1abb5699bc549caea6f90638ec5ef6477d9b5601c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhda6412ZQ.exe
      Filesize

      385KB

      MD5

      e1e184ad47c64021cfd35abc4af766f4

      SHA1

      4906ad7d6b7388ef759a2363152627410b420c21

      SHA256

      0aba26326c04ce917e36869973bfabe38c7125ba69755afd9f13951f87e853e9

      SHA512

      5840bb91368be94cf1c6af9c17950ef45f3a03c8522a6be99867dbb9aebbd7d8a48217de026402238a7c28caa6651702f41634c6a93b0b1fcb33c8460d126336

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhda6412ZQ.exe
      Filesize

      385KB

      MD5

      e1e184ad47c64021cfd35abc4af766f4

      SHA1

      4906ad7d6b7388ef759a2363152627410b420c21

      SHA256

      0aba26326c04ce917e36869973bfabe38c7125ba69755afd9f13951f87e853e9

      SHA512

      5840bb91368be94cf1c6af9c17950ef45f3a03c8522a6be99867dbb9aebbd7d8a48217de026402238a7c28caa6651702f41634c6a93b0b1fcb33c8460d126336

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf76Bk98wk38.exe
      Filesize

      11KB

      MD5

      14a78ce221fe8260ea11839b96260d7a

      SHA1

      170b71519031db5813d26c050c08e228d0993971

      SHA256

      bff201e862ffe1aab4b8349062bdf7a4fb094588b458de08a4239351d8c910c4

      SHA512

      f66db240612684a84fc0c5a487b0fb87218e40066d39a1a4b9ea0390ee251522b2061d1b17bfbef944f1d352f3d78b68d75eff0c09f11039c2f45084b35656b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf76Bk98wk38.exe
      Filesize

      11KB

      MD5

      14a78ce221fe8260ea11839b96260d7a

      SHA1

      170b71519031db5813d26c050c08e228d0993971

      SHA256

      bff201e862ffe1aab4b8349062bdf7a4fb094588b458de08a4239351d8c910c4

      SHA512

      f66db240612684a84fc0c5a487b0fb87218e40066d39a1a4b9ea0390ee251522b2061d1b17bfbef944f1d352f3d78b68d75eff0c09f11039c2f45084b35656b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf55Ni81Pf68.exe
      Filesize

      292KB

      MD5

      01f55e38d4139a3f84f11a36dbb67824

      SHA1

      28ba3e42c1bd4a60732f8a2b34771aa026253000

      SHA256

      2dcc02ccacc4b825f2b5d18d6139650cad2798618e2fd66cac757735a3824004

      SHA512

      56a9d5e32131b4d7265d3d0f7b049132400d58731717c3437b756b3597743637dce907a9932d4e82cc039e22c747380fe19c560df3dd6d8b0c7a98502a862de0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf55Ni81Pf68.exe
      Filesize

      292KB

      MD5

      01f55e38d4139a3f84f11a36dbb67824

      SHA1

      28ba3e42c1bd4a60732f8a2b34771aa026253000

      SHA256

      2dcc02ccacc4b825f2b5d18d6139650cad2798618e2fd66cac757735a3824004

      SHA512

      56a9d5e32131b4d7265d3d0f7b049132400d58731717c3437b756b3597743637dce907a9932d4e82cc039e22c747380fe19c560df3dd6d8b0c7a98502a862de0

      Download Submit

    • memory/2292-153-0x00000000007B0000-0x00000000007FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2292-154-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-155-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-156-0x0000000004CD0000-0x0000000005274000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2292-157-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-158-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-160-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-162-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-164-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-166-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-168-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-170-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-172-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-174-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-176-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-178-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-180-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-182-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-184-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-186-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-188-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-190-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-192-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-194-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-196-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-198-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-200-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-202-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-204-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-206-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-208-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-210-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-212-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-214-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-216-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-218-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-220-0x0000000004B30000-0x0000000004B6E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2292-1063-0x0000000005280000-0x0000000005898000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2292-1064-0x00000000058A0000-0x00000000059AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2292-1065-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2292-1066-0x00000000059B0000-0x00000000059EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2292-1067-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-1069-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-1070-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-1071-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-1072-0x0000000005C80000-0x0000000005D12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2292-1073-0x0000000005D20000-0x0000000005D86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2292-1074-0x0000000006680000-0x0000000006842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2292-1075-0x0000000006860000-0x0000000006D8C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2292-1076-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-1077-0x00000000081A0000-0x0000000008216000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2292-1078-0x0000000008230000-0x0000000008280000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2624-147-0x0000000000130000-0x000000000013A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2900-1084-0x0000000000D20000-0x0000000000D52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2900-1085-0x0000000005960000-0x0000000005970000-memory.dmp

      Filesize

      64KB

      Download