Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    66s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/03/2023, 18:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1141bf777c1e17dff00f825f33760ee832f29e66bcd783320a4c0c5cdbe409d6.exe

  • Size

    526KB

  • MD5

    5eb4ea3dab50cb3fba930569cb5ba9db

  • SHA1

    5d3e398e2a8a95143fb6361ccf53da30a104da25

  • SHA256

    1141bf777c1e17dff00f825f33760ee832f29e66bcd783320a4c0c5cdbe409d6

  • SHA512

    e7fc7edffdbcc7f91c7c73c7de816ac6b50874991fcdfa1971f01024f457fdfc97a9aacf0e2f609ab706d7926870760fc5057999579c4262ed9fdf329ed71469

  • SSDEEP

    12288:xMrRy90eV50qGjII68EWxE2JLop9juxN1FypYjMaX:0yX50qQII6jouPj8QqMaX

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1141bf777c1e17dff00f825f33760ee832f29e66bcd783320a4c0c5cdbe409d6.exe
    "C:\Users\Admin\AppData\Local\Temp\1141bf777c1e17dff00f825f33760ee832f29e66bcd783320a4c0c5cdbe409d6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKe9547Zx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKe9547Zx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf02vk42xo69.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf02vk42xo69.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf68dw77EB38.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf68dw77EB38.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhMa20AD15Aw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhMa20AD15Aw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4452

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhMa20AD15Aw.exe
          Filesize

          175KB

          MD5

          0140bc40d9ab7ffd721de8d6971cb06b

          SHA1

          50fa6e2112174d054b8bed110e636f09179032d0

          SHA256

          e682cfe3c92c0aca4197a2853314b3cdddc9deea6d7395cab7a2a045444a1452

          SHA512

          1cfa3c5df5177bda654acb61e555aebcd03f0903986be7733d5d44222f8c7799d7ed409f03d690edceaf81951732e9d97e1a7b4cfdbe80aef12a58e5e2519fbd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhMa20AD15Aw.exe
          Filesize

          175KB

          MD5

          0140bc40d9ab7ffd721de8d6971cb06b

          SHA1

          50fa6e2112174d054b8bed110e636f09179032d0

          SHA256

          e682cfe3c92c0aca4197a2853314b3cdddc9deea6d7395cab7a2a045444a1452

          SHA512

          1cfa3c5df5177bda654acb61e555aebcd03f0903986be7733d5d44222f8c7799d7ed409f03d690edceaf81951732e9d97e1a7b4cfdbe80aef12a58e5e2519fbd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKe9547Zx.exe
          Filesize

          381KB

          MD5

          4a37adfdf66eb4196b838b1e55911df0

          SHA1

          d874e1666bc13110964c2dc3191877f0faea7991

          SHA256

          880c62520fcc3a4430412e3cabb91481ad08e2b025dd2c9b0343f1dfba29cb93

          SHA512

          1b7da0d109b749095f4dcf83f4bc25bcdf79dd8835373666cc859610f045ed70eb4739cfe13a63a61b9069aa9e8a46a3a6518421d4fbcb445377be561b09c979

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKe9547Zx.exe
          Filesize

          381KB

          MD5

          4a37adfdf66eb4196b838b1e55911df0

          SHA1

          d874e1666bc13110964c2dc3191877f0faea7991

          SHA256

          880c62520fcc3a4430412e3cabb91481ad08e2b025dd2c9b0343f1dfba29cb93

          SHA512

          1b7da0d109b749095f4dcf83f4bc25bcdf79dd8835373666cc859610f045ed70eb4739cfe13a63a61b9069aa9e8a46a3a6518421d4fbcb445377be561b09c979

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf02vk42xo69.exe
          Filesize

          11KB

          MD5

          20548fc1b56126563d558e5f562f0c2d

          SHA1

          f915dbec9b28f6ed736c5183407ed12638c6b26f

          SHA256

          a79da7ff353422d672ae4844b43f54845ce25c27e00676520f7feb33a33ac9c7

          SHA512

          ad9f5fe08947ec0db09c6019c37246227e31ae57b929c96a0822f5f85fd48f77cd849e398fc13b1c139143a06a45b24f018558f91c724bb4ac3bd6657d011ee5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf02vk42xo69.exe
          Filesize

          11KB

          MD5

          20548fc1b56126563d558e5f562f0c2d

          SHA1

          f915dbec9b28f6ed736c5183407ed12638c6b26f

          SHA256

          a79da7ff353422d672ae4844b43f54845ce25c27e00676520f7feb33a33ac9c7

          SHA512

          ad9f5fe08947ec0db09c6019c37246227e31ae57b929c96a0822f5f85fd48f77cd849e398fc13b1c139143a06a45b24f018558f91c724bb4ac3bd6657d011ee5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf68dw77EB38.exe
          Filesize

          292KB

          MD5

          bd407beaed8912f6f9f5b269e5a85686

          SHA1

          f9d8fc6c0a1ca9a1e0af1ca278f629994df04b1b

          SHA256

          3fb5f126878146985387aac28dc8b1c17d8ee6ae3630a0c754c135138180d367

          SHA512

          79eca3bfa76f241986888271cbcf4858a6eb2c729b1dbebcf000ae13b9fb1e981360c930e40c39437c027794ecce33d9302e6db93d65208ad6bb458aa1b2ff72

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf68dw77EB38.exe
          Filesize

          292KB

          MD5

          bd407beaed8912f6f9f5b269e5a85686

          SHA1

          f9d8fc6c0a1ca9a1e0af1ca278f629994df04b1b

          SHA256

          3fb5f126878146985387aac28dc8b1c17d8ee6ae3630a0c754c135138180d367

          SHA512

          79eca3bfa76f241986888271cbcf4858a6eb2c729b1dbebcf000ae13b9fb1e981360c930e40c39437c027794ecce33d9302e6db93d65208ad6bb458aa1b2ff72

          Download Submit

        • memory/4144-134-0x0000000000A40000-0x0000000000A4A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4244-140-0x0000000000660000-0x00000000006AB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4244-141-0x00000000022D0000-0x0000000002316000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4244-142-0x0000000004E20000-0x000000000531E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/4244-143-0x0000000002380000-0x00000000023C4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4244-144-0x0000000004E10000-0x0000000004E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4244-145-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-146-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-148-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-150-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-152-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-154-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-156-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-158-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-160-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-162-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-164-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-166-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-168-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-170-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-172-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-174-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-176-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-178-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-180-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-182-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-184-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-186-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-188-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-190-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-192-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-194-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-196-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-198-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-200-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-202-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-204-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-206-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-208-0x0000000002380000-0x00000000023BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-1051-0x0000000005930000-0x0000000005F36000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4244-1052-0x0000000005320000-0x000000000542A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4244-1053-0x0000000002830000-0x0000000002842000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4244-1054-0x0000000004E10000-0x0000000004E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4244-1055-0x0000000004DB0000-0x0000000004DEE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4244-1056-0x0000000005530000-0x000000000557B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4244-1058-0x00000000056A0000-0x0000000005732000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4244-1059-0x0000000005740000-0x00000000057A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4244-1060-0x0000000004E10000-0x0000000004E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4244-1061-0x0000000006460000-0x0000000006622000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4244-1062-0x0000000006640000-0x0000000006B6C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4244-1063-0x0000000006CA0000-0x0000000006D16000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4244-1064-0x0000000006D20000-0x0000000006D70000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4244-1065-0x0000000004E10000-0x0000000004E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4452-1071-0x0000000000770000-0x00000000007A2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4452-1072-0x00000000051B0000-0x00000000051FB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4452-1073-0x00000000052E0000-0x00000000052F0000-memory.dmp

          Filesize

          64KB

          Download