Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2023 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0547312c36dd1a53098c23113b52039354dc194a8535b4b52962990c33b5feba.exe

  • Size

    525KB

  • MD5

    f94148a53b329d97e1c28c12440202b9

  • SHA1

    c366b0be10719ecd29dcd0a1843c1a6a7285bb8a

  • SHA256

    0547312c36dd1a53098c23113b52039354dc194a8535b4b52962990c33b5feba

  • SHA512

    0fbde9b9ada812346b7794e550e458f1bcbdf9b1afd4b8fecd3637d4a67e4d8f56aa6105a86f1bba553f119f4f6ad79e652e9c26c38e4581809628eae2871f0b

  • SSDEEP

    12288:TMrny90QbFccV80j3dYTZ6tLXc/GGXk+B9:4yDHWXTZ6LXc/R9

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0547312c36dd1a53098c23113b52039354dc194a8535b4b52962990c33b5feba.exe
    "C:\Users\Admin\AppData\Local\Temp\0547312c36dd1a53098c23113b52039354dc194a8535b4b52962990c33b5feba.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCt7337VX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCt7337VX.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01hb49bP06.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01hb49bP06.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48dv50MD13.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48dv50MD13.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1996
          4⤵
          • Program crash
          PID:2188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhCj48vs87US.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhCj48vs87US.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1120 -ip 1120
    1⤵
      PID:4784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhCj48vs87US.exe
      Filesize

      176KB

      MD5

      f49dd246cc9942653737a812d3fbee05

      SHA1

      665c070818d646cc53c778b948b88a0d04db29b8

      SHA256

      ad9a7da5f02216a3eb559cab0e382f9d4c0e6ba2055fc6ba78e80ba2edd94605

      SHA512

      182370bd7b3c76280921eda5740920f89a9d4735c09f96c67067b92ada363f30073da6d228861ba9e808051a5fd59e92ffccddeafd2a588c7143b98749ca9ff0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhCj48vs87US.exe
      Filesize

      176KB

      MD5

      f49dd246cc9942653737a812d3fbee05

      SHA1

      665c070818d646cc53c778b948b88a0d04db29b8

      SHA256

      ad9a7da5f02216a3eb559cab0e382f9d4c0e6ba2055fc6ba78e80ba2edd94605

      SHA512

      182370bd7b3c76280921eda5740920f89a9d4735c09f96c67067b92ada363f30073da6d228861ba9e808051a5fd59e92ffccddeafd2a588c7143b98749ca9ff0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCt7337VX.exe
      Filesize

      380KB

      MD5

      c2d519aae5e1e23a40db2f9d231c1e14

      SHA1

      9844884f1a6e746c8666c0ad51b6f94211972137

      SHA256

      d5adcd11a7401d690e86d81801f854ac3d52d5f02b239f0a93edb5ff914bcab0

      SHA512

      32459a85f0a28304563fa728652d494c35c24639e524db20420fd16e30584b6b35978d24ead37093db461c7adbefa2da47c04103deeeed98d906de6ed8c5747b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCt7337VX.exe
      Filesize

      380KB

      MD5

      c2d519aae5e1e23a40db2f9d231c1e14

      SHA1

      9844884f1a6e746c8666c0ad51b6f94211972137

      SHA256

      d5adcd11a7401d690e86d81801f854ac3d52d5f02b239f0a93edb5ff914bcab0

      SHA512

      32459a85f0a28304563fa728652d494c35c24639e524db20420fd16e30584b6b35978d24ead37093db461c7adbefa2da47c04103deeeed98d906de6ed8c5747b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01hb49bP06.exe
      Filesize

      12KB

      MD5

      eea569c1be7990cfd2a480e1063c95be

      SHA1

      a17040e300f60d4021795b49d49ba1e30bc4b143

      SHA256

      8e863d59e67e62a5265d68aebe192be6b2bea973b375ff24936be3ab5d4e4342

      SHA512

      e8a5c7befbcfe63ac6558f1e54bb16a0a5da56c15843c6889b10ef19ffa870e532a3859d815ffa162349c13ab556014c78f56cd2443893855bd7213b9360e815

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01hb49bP06.exe
      Filesize

      12KB

      MD5

      eea569c1be7990cfd2a480e1063c95be

      SHA1

      a17040e300f60d4021795b49d49ba1e30bc4b143

      SHA256

      8e863d59e67e62a5265d68aebe192be6b2bea973b375ff24936be3ab5d4e4342

      SHA512

      e8a5c7befbcfe63ac6558f1e54bb16a0a5da56c15843c6889b10ef19ffa870e532a3859d815ffa162349c13ab556014c78f56cd2443893855bd7213b9360e815

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48dv50MD13.exe
      Filesize

      291KB

      MD5

      434e2d5a4767741895ef183a448da368

      SHA1

      1e1d795ae169d4068d8da31d1aa89027804a21a3

      SHA256

      ad32f3b0b1f7b775e4235d6969f27886cc2fafeeb1bd02853fde41ddee1db27a

      SHA512

      e50de394d28557d67ae62bba669dacf8afcc1c925cfd04dcbf07f14ff2c7939579d12337cc8ed822c82bdfcbfcd1114289eede2411113a17c8f92485a15e50f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48dv50MD13.exe
      Filesize

      291KB

      MD5

      434e2d5a4767741895ef183a448da368

      SHA1

      1e1d795ae169d4068d8da31d1aa89027804a21a3

      SHA256

      ad32f3b0b1f7b775e4235d6969f27886cc2fafeeb1bd02853fde41ddee1db27a

      SHA512

      e50de394d28557d67ae62bba669dacf8afcc1c925cfd04dcbf07f14ff2c7939579d12337cc8ed822c82bdfcbfcd1114289eede2411113a17c8f92485a15e50f0

      Download Submit

    • memory/1120-153-0x0000000000470000-0x00000000004BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1120-154-0x0000000004B90000-0x0000000005134000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1120-155-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-156-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-157-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-158-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-161-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-159-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-163-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-165-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-167-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-169-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-171-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-173-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-175-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-177-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-179-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-181-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-183-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-185-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-187-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-189-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-191-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-193-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-195-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-197-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-199-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-201-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-203-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-205-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-207-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-209-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-211-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-213-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-215-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-217-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-219-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-221-0x0000000005140000-0x000000000517E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1120-1064-0x00000000051B0000-0x00000000057C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1120-1065-0x0000000005850000-0x000000000595A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1120-1066-0x0000000005990000-0x00000000059A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1120-1067-0x00000000059B0000-0x00000000059EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1120-1068-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-1070-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-1071-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-1072-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-1073-0x0000000005CA0000-0x0000000005D06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1120-1074-0x0000000006370000-0x0000000006402000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1120-1075-0x0000000006560000-0x0000000006722000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1120-1076-0x0000000006740000-0x0000000006C6C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1120-1077-0x0000000006D90000-0x0000000006E06000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1120-1078-0x0000000006E30000-0x0000000006E80000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1120-1079-0x00000000020F0000-0x0000000002100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-147-0x0000000000C20000-0x0000000000C2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5008-1086-0x0000000000860000-0x0000000000892000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5008-1087-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download