Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2023, 17:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed7bd80ff2c82c2d1eaef2ff2b9bcf0f2481f6f3d4da929ddc75b5a4637177fb.exe

  • Size

    529KB

  • MD5

    0cba339f59d7d71e257bd5b3935017c7

  • SHA1

    02caccaa06ca3b95b6d6d2750f8018c62c34eff6

  • SHA256

    ed7bd80ff2c82c2d1eaef2ff2b9bcf0f2481f6f3d4da929ddc75b5a4637177fb

  • SHA512

    564ce52684a922f83bbe7026c3eb576289cb7a1807ed1ff29391499f10b79232848ac3085e00375b163ac7e473722a76d0a773f5c22da43240f68f9a374d3969

  • SSDEEP

    12288:gMrZy90VeIQjyR1OeVEXbWbjrJZ5RMXGgDDen15yOexB:pyZIQsOeVEXbIrJZ5R+GGDen15SxB

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed7bd80ff2c82c2d1eaef2ff2b9bcf0f2481f6f3d4da929ddc75b5a4637177fb.exe
    "C:\Users\Admin\AppData\Local\Temp\ed7bd80ff2c82c2d1eaef2ff2b9bcf0f2481f6f3d4da929ddc75b5a4637177fb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpy4055FS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpy4055FS.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf33oV79RY00.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf33oV79RY00.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03hD57bO25.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03hD57bO25.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1540
          4⤵
          • Program crash
          PID:3352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmq49iC70qL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmq49iC70qL.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 336 -ip 336
    1⤵
      PID:4676

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmq49iC70qL.exe
      Filesize

      175KB

      MD5

      e5000222db73c0d8530f983db153bf52

      SHA1

      37b9bf16d016828f3c4095b4f98ba45742c4f133

      SHA256

      f4d92417f2367d66af52ff00f377dd6d6e4f295d95b94d286f4d2a88c0b3f2b2

      SHA512

      da9f820704f51a169c1e2efe3c6986edbdc61027544ffa8bf9f8950b623c21af523787926d6ec5f502cbdb5fceac257057171b33a204248353b8b7bbc839d967

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmq49iC70qL.exe
      Filesize

      175KB

      MD5

      e5000222db73c0d8530f983db153bf52

      SHA1

      37b9bf16d016828f3c4095b4f98ba45742c4f133

      SHA256

      f4d92417f2367d66af52ff00f377dd6d6e4f295d95b94d286f4d2a88c0b3f2b2

      SHA512

      da9f820704f51a169c1e2efe3c6986edbdc61027544ffa8bf9f8950b623c21af523787926d6ec5f502cbdb5fceac257057171b33a204248353b8b7bbc839d967

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpy4055FS.exe
      Filesize

      385KB

      MD5

      1578c8af1bcb4fcbb759f665c9f5a60f

      SHA1

      4e01e76c21f474e682134c8b9adfb0d7ac475d6a

      SHA256

      939e8946c21b12d7d394e56117e55a926694a6787d19d013fa7be60d6f40b4cc

      SHA512

      9aaf874382553e0e63ba3881a6ef237f9d5b77e0816aed3c229eb6803134523abb25cd059568d044f3961d5d57ee3e28c4305d15b47468d4a2d5abc8244cf14c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpy4055FS.exe
      Filesize

      385KB

      MD5

      1578c8af1bcb4fcbb759f665c9f5a60f

      SHA1

      4e01e76c21f474e682134c8b9adfb0d7ac475d6a

      SHA256

      939e8946c21b12d7d394e56117e55a926694a6787d19d013fa7be60d6f40b4cc

      SHA512

      9aaf874382553e0e63ba3881a6ef237f9d5b77e0816aed3c229eb6803134523abb25cd059568d044f3961d5d57ee3e28c4305d15b47468d4a2d5abc8244cf14c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf33oV79RY00.exe
      Filesize

      11KB

      MD5

      75c6f3fd60ece3e4ede4bea5e658f477

      SHA1

      01c72089d6aac4fe5b877fb4824de6de88bb9652

      SHA256

      8890f4c0b5722281c73502673849c9df4be8ddc373c1e32753eca0e69d174fe2

      SHA512

      f96f0447200527ee0c0e4ebf16129cb029e3fcb8d561087a524df5f07df0ddd2f8dc55532b2f0b9a88ee7f9cd4174876219abcbcf927c630f24796c8c637170c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf33oV79RY00.exe
      Filesize

      11KB

      MD5

      75c6f3fd60ece3e4ede4bea5e658f477

      SHA1

      01c72089d6aac4fe5b877fb4824de6de88bb9652

      SHA256

      8890f4c0b5722281c73502673849c9df4be8ddc373c1e32753eca0e69d174fe2

      SHA512

      f96f0447200527ee0c0e4ebf16129cb029e3fcb8d561087a524df5f07df0ddd2f8dc55532b2f0b9a88ee7f9cd4174876219abcbcf927c630f24796c8c637170c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03hD57bO25.exe
      Filesize

      292KB

      MD5

      01f55e38d4139a3f84f11a36dbb67824

      SHA1

      28ba3e42c1bd4a60732f8a2b34771aa026253000

      SHA256

      2dcc02ccacc4b825f2b5d18d6139650cad2798618e2fd66cac757735a3824004

      SHA512

      56a9d5e32131b4d7265d3d0f7b049132400d58731717c3437b756b3597743637dce907a9932d4e82cc039e22c747380fe19c560df3dd6d8b0c7a98502a862de0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03hD57bO25.exe
      Filesize

      292KB

      MD5

      01f55e38d4139a3f84f11a36dbb67824

      SHA1

      28ba3e42c1bd4a60732f8a2b34771aa026253000

      SHA256

      2dcc02ccacc4b825f2b5d18d6139650cad2798618e2fd66cac757735a3824004

      SHA512

      56a9d5e32131b4d7265d3d0f7b049132400d58731717c3437b756b3597743637dce907a9932d4e82cc039e22c747380fe19c560df3dd6d8b0c7a98502a862de0

      Download Submit

    • memory/336-153-0x0000000000590000-0x00000000005DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/336-154-0x0000000004B70000-0x0000000005114000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/336-155-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-156-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-157-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-158-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-159-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-161-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-163-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-165-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-167-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-169-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-171-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-173-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-175-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-177-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-179-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-181-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-183-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-185-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-187-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-189-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-191-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-193-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-195-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-197-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-199-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-201-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-203-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-205-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-207-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-209-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-211-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-213-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-215-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-217-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-219-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-221-0x0000000005120000-0x000000000515E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-1064-0x0000000005190000-0x00000000057A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/336-1065-0x0000000005830000-0x000000000593A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/336-1066-0x0000000005970000-0x0000000005982000-memory.dmp

      Filesize

      72KB

      Download

    • memory/336-1067-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1068-0x0000000005990000-0x00000000059CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/336-1070-0x0000000005C80000-0x0000000005D12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/336-1071-0x0000000005D20000-0x0000000005D86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/336-1072-0x0000000006440000-0x0000000006602000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/336-1073-0x0000000006620000-0x0000000006B4C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/336-1074-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1075-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1076-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1077-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1078-0x00000000081A0000-0x0000000008216000-memory.dmp

      Filesize

      472KB

      Download

    • memory/336-1079-0x0000000008230000-0x0000000008280000-memory.dmp

      Filesize

      320KB

      Download

    • memory/368-147-0x0000000000E00000-0x0000000000E0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5108-1085-0x00000000000A0000-0x00000000000D2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5108-1086-0x0000000004E90000-0x0000000004EA0000-memory.dmp

      Filesize

      64KB

      Download