Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2023, 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeff4236c485049d8efd1d0ceb77fd882b5e37153293e2ece84431b2a0df1767.exe

  • Size

    526KB

  • MD5

    0d78e75dd040d4ac9324586c7cf0babb

  • SHA1

    6436026a4d8b04a722d77b5d1f0c65be0081dc7e

  • SHA256

    eeff4236c485049d8efd1d0ceb77fd882b5e37153293e2ece84431b2a0df1767

  • SHA512

    bfa52f54b1d7ce3b506e2cc6dfb725abdfd604bfaa997a52620b5a0de72bad2b2498a7666c3073626b605a14859c806cb8ba653481b3003efac52ed367f52df2

  • SSDEEP

    12288:HMr3y90w/Q3RsSZn4Jpkeb0jd2uZt1XhyU9u5ZEJC4sZ:sycVwkewZ28Xhyd5API

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeff4236c485049d8efd1d0ceb77fd882b5e37153293e2ece84431b2a0df1767.exe
    "C:\Users\Admin\AppData\Local\Temp\eeff4236c485049d8efd1d0ceb77fd882b5e37153293e2ece84431b2a0df1767.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhre1977kc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhre1977kc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf67hP37Jg51.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf67hP37Jg51.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05YJ74Us33.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05YJ74Us33.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1352
          4⤵
          • Program crash
          PID:4504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhjX11ob95PV.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhjX11ob95PV.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2492 -ip 2492
    1⤵
      PID:2556

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhjX11ob95PV.exe
      Filesize

      175KB

      MD5

      9063003c6a480fb809f093bba32f216e

      SHA1

      f7e3cc04166455417d9fdd65b8b77944ef1f8c3b

      SHA256

      779ffdd28b71e376e1c0f50ea56b51a110e350fe0afaf79a1b8bd8f888fa86eb

      SHA512

      953e18cd20e5c640f2d72ae65258f331d527a77b67b7ad3a6aec02defbbf6f1a9e2367aa79998b19a144909264744c7d8c8fcfc1f6197d7aae15a8fda9fdd9b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhjX11ob95PV.exe
      Filesize

      175KB

      MD5

      9063003c6a480fb809f093bba32f216e

      SHA1

      f7e3cc04166455417d9fdd65b8b77944ef1f8c3b

      SHA256

      779ffdd28b71e376e1c0f50ea56b51a110e350fe0afaf79a1b8bd8f888fa86eb

      SHA512

      953e18cd20e5c640f2d72ae65258f331d527a77b67b7ad3a6aec02defbbf6f1a9e2367aa79998b19a144909264744c7d8c8fcfc1f6197d7aae15a8fda9fdd9b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhre1977kc.exe
      Filesize

      381KB

      MD5

      d7c2c64a022cfb091b75d69571fc8afd

      SHA1

      306a6aa2fb8ad6c6e0e8d9def9afd41f7037fe4e

      SHA256

      a2521b20eb3bf82e2d02a4c5fe7fa7b4f931da449a99d4f6004835a3ec17bddb

      SHA512

      cb8ba4e9efbcfbd30cabd614e969629d14f7d3bd2d85a096a33b9507bc88d6b3e2771a4d368b2980fe42144d4294125b6f54139988f55bdde668ef487b59dfae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhre1977kc.exe
      Filesize

      381KB

      MD5

      d7c2c64a022cfb091b75d69571fc8afd

      SHA1

      306a6aa2fb8ad6c6e0e8d9def9afd41f7037fe4e

      SHA256

      a2521b20eb3bf82e2d02a4c5fe7fa7b4f931da449a99d4f6004835a3ec17bddb

      SHA512

      cb8ba4e9efbcfbd30cabd614e969629d14f7d3bd2d85a096a33b9507bc88d6b3e2771a4d368b2980fe42144d4294125b6f54139988f55bdde668ef487b59dfae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf67hP37Jg51.exe
      Filesize

      11KB

      MD5

      56437247eac756c77d8358b886d51dd3

      SHA1

      697718c23e3e4725f7327d69128bd3fff4d6c2f6

      SHA256

      30f08dc44e1d8dfc1d1c568415abaa51805e07d8abe233fac97fe89724a4426e

      SHA512

      c7be7a9450262fa574941c2e212a6f69d7a9ed1b4faf04ef912313ca75e82e8bfc9932c569ce357f3c3c8dd2b95a57eb12aaaf49a0c378bf888986d262b5f594

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf67hP37Jg51.exe
      Filesize

      11KB

      MD5

      56437247eac756c77d8358b886d51dd3

      SHA1

      697718c23e3e4725f7327d69128bd3fff4d6c2f6

      SHA256

      30f08dc44e1d8dfc1d1c568415abaa51805e07d8abe233fac97fe89724a4426e

      SHA512

      c7be7a9450262fa574941c2e212a6f69d7a9ed1b4faf04ef912313ca75e82e8bfc9932c569ce357f3c3c8dd2b95a57eb12aaaf49a0c378bf888986d262b5f594

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05YJ74Us33.exe
      Filesize

      292KB

      MD5

      bd407beaed8912f6f9f5b269e5a85686

      SHA1

      f9d8fc6c0a1ca9a1e0af1ca278f629994df04b1b

      SHA256

      3fb5f126878146985387aac28dc8b1c17d8ee6ae3630a0c754c135138180d367

      SHA512

      79eca3bfa76f241986888271cbcf4858a6eb2c729b1dbebcf000ae13b9fb1e981360c930e40c39437c027794ecce33d9302e6db93d65208ad6bb458aa1b2ff72

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf05YJ74Us33.exe
      Filesize

      292KB

      MD5

      bd407beaed8912f6f9f5b269e5a85686

      SHA1

      f9d8fc6c0a1ca9a1e0af1ca278f629994df04b1b

      SHA256

      3fb5f126878146985387aac28dc8b1c17d8ee6ae3630a0c754c135138180d367

      SHA512

      79eca3bfa76f241986888271cbcf4858a6eb2c729b1dbebcf000ae13b9fb1e981360c930e40c39437c027794ecce33d9302e6db93d65208ad6bb458aa1b2ff72

      Download Submit

    • memory/1572-147-0x0000000000C00000-0x0000000000C0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2152-1084-0x0000000000550000-0x0000000000582000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2152-1085-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-186-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-198-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-155-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-157-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-159-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-163-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-161-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-165-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-168-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-170-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-167-0x0000000000660000-0x00000000006AB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2492-171-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-173-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-174-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-176-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-178-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-180-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-182-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-184-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-153-0x0000000004B40000-0x00000000050E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2492-188-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-190-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-192-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-194-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-196-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-154-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-200-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-202-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-204-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-206-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-208-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-210-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-212-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-214-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-216-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-218-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-220-0x0000000005130000-0x000000000516E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2492-1063-0x00000000052D0000-0x00000000058E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2492-1064-0x0000000005970000-0x0000000005A7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2492-1065-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2492-1066-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2492-1067-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-1069-0x0000000005DC0000-0x0000000005E52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2492-1070-0x0000000005E60000-0x0000000005EC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2492-1071-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-1072-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-1073-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-1074-0x00000000066A0000-0x0000000006862000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2492-1075-0x0000000006870000-0x0000000006D9C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2492-1076-0x00000000026C0000-0x00000000026D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-1077-0x00000000081A0000-0x0000000008216000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2492-1078-0x0000000008230000-0x0000000008280000-memory.dmp

      Filesize

      320KB

      Download