Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e39ed6e459dbb7646bbedc451d6881ec9bd99455c0ec38bb714a3fded93f308f.exe

  • Size

    526KB

  • MD5

    d0e299697f773a5bccb3c51514f54c5c

  • SHA1

    a42b14f38ddacb7725acc1b1356b56ab4a322d2b

  • SHA256

    e39ed6e459dbb7646bbedc451d6881ec9bd99455c0ec38bb714a3fded93f308f

  • SHA512

    a2f0d1f068a905b13054df36b96ea6b37ce9fff5451daf68a8e922a44ea8f114af035aa04cef84bc04f25c5adeb36f51b9dc2734f6968f694e5a1f872277ab00

  • SSDEEP

    12288:ZMr0y90FVOTtqGWb8BS/q7jOVt9YCYfQpgUKObON:BycVOTt8bZ4jU0fVUKOM

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e39ed6e459dbb7646bbedc451d6881ec9bd99455c0ec38bb714a3fded93f308f.exe
    "C:\Users\Admin\AppData\Local\Temp\e39ed6e459dbb7646bbedc451d6881ec9bd99455c0ec38bb714a3fded93f308f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpT9205Ei.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpT9205Ei.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf98WF65RG94.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf98WF65RG94.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf83Uz33Lf31.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf83Uz33Lf31.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1348
          4⤵
          • Program crash
          PID:704
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhLS33Kz90do.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhLS33Kz90do.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4712
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1600 -ip 1600
    1⤵
      PID:4692

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhLS33Kz90do.exe
      Filesize

      175KB

      MD5

      d9ea2edae77ddaf8a34f61515b28b58f

      SHA1

      ef8874a396c655bcf4a28b544b3ab52151cded9e

      SHA256

      687cc9b0a731227ddad51cf1968be5935290770025a251c44178e17e8f4b03aa

      SHA512

      a0145b9621923dc04a83a097115b418d026130b16645b555ef45e3a56712e69ddc9ca8c60c5b9c66e5e9811f7320b3a99b8247951884f7f1e2d41fc2966c8291

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhLS33Kz90do.exe
      Filesize

      175KB

      MD5

      d9ea2edae77ddaf8a34f61515b28b58f

      SHA1

      ef8874a396c655bcf4a28b544b3ab52151cded9e

      SHA256

      687cc9b0a731227ddad51cf1968be5935290770025a251c44178e17e8f4b03aa

      SHA512

      a0145b9621923dc04a83a097115b418d026130b16645b555ef45e3a56712e69ddc9ca8c60c5b9c66e5e9811f7320b3a99b8247951884f7f1e2d41fc2966c8291

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpT9205Ei.exe
      Filesize

      382KB

      MD5

      9ffdd9b94aece0740d4ec272bc793736

      SHA1

      0acfbdba45acf596450d20224c10c2677cad2b41

      SHA256

      9c272dc6d8327c61b2e696482d238b9f27fda3054199a05ed2585f0f5858ccab

      SHA512

      dfeb893b2d20377b3b97b8d3a393563b8bfbe4428b8a5475e1d73d333d5c7d7d96b29583f3952b49433edd1169fc096aaf01394b3aedc697dd9c4f568b3182a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhpT9205Ei.exe
      Filesize

      382KB

      MD5

      9ffdd9b94aece0740d4ec272bc793736

      SHA1

      0acfbdba45acf596450d20224c10c2677cad2b41

      SHA256

      9c272dc6d8327c61b2e696482d238b9f27fda3054199a05ed2585f0f5858ccab

      SHA512

      dfeb893b2d20377b3b97b8d3a393563b8bfbe4428b8a5475e1d73d333d5c7d7d96b29583f3952b49433edd1169fc096aaf01394b3aedc697dd9c4f568b3182a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf98WF65RG94.exe
      Filesize

      11KB

      MD5

      2d4e895d4c80ddccf0937e4b40a2b758

      SHA1

      e59050092e1904af66c6e1d4c06fc3da11d5d462

      SHA256

      c0b421f56b61a59a22b05b0609640ade7584d64e0cf666b6f2975f02a976ddd1

      SHA512

      6e552e0984efaaf9bc4d7346dca9322a0d6da8bb7834e4c76ac3edd26bcf47dea1cb9c8866b8494a110b9f31a262141a54f5b72bc9114457f1e0631411d8635d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf98WF65RG94.exe
      Filesize

      11KB

      MD5

      2d4e895d4c80ddccf0937e4b40a2b758

      SHA1

      e59050092e1904af66c6e1d4c06fc3da11d5d462

      SHA256

      c0b421f56b61a59a22b05b0609640ade7584d64e0cf666b6f2975f02a976ddd1

      SHA512

      6e552e0984efaaf9bc4d7346dca9322a0d6da8bb7834e4c76ac3edd26bcf47dea1cb9c8866b8494a110b9f31a262141a54f5b72bc9114457f1e0631411d8635d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf83Uz33Lf31.exe
      Filesize

      364KB

      MD5

      0fb36e6dfd2286b0bb7e48c476a3f73b

      SHA1

      38801c7ea1faf291cb471397c38630a305518828

      SHA256

      edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e

      SHA512

      95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf83Uz33Lf31.exe
      Filesize

      364KB

      MD5

      0fb36e6dfd2286b0bb7e48c476a3f73b

      SHA1

      38801c7ea1faf291cb471397c38630a305518828

      SHA256

      edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e

      SHA512

      95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d

      Download Submit

    • memory/632-147-0x0000000000900000-0x000000000090A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1600-153-0x00000000005A0000-0x00000000005EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1600-154-0x0000000004C60000-0x0000000005204000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1600-155-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-156-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-158-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-160-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-162-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-164-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-168-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-166-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-170-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-172-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-174-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-176-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-178-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-180-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-182-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-186-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-185-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-184-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-188-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-189-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-191-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-193-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-195-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-197-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-199-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-201-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-203-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-205-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-207-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-209-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-211-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-213-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-215-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-217-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-219-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-221-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1600-1064-0x0000000005310000-0x0000000005928000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1600-1065-0x0000000005980000-0x0000000005A8A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1600-1066-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1600-1067-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1600-1068-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-1070-0x0000000005DD0000-0x0000000005E62000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1600-1071-0x0000000005E70000-0x0000000005ED6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1600-1073-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-1072-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-1074-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1600-1075-0x00000000067D0000-0x0000000006992000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1600-1076-0x00000000069B0000-0x0000000006EDC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1600-1077-0x0000000007150000-0x00000000071C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1600-1079-0x00000000071F0000-0x0000000007240000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1600-1078-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4712-1085-0x0000000000ED0000-0x0000000000F02000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4712-1086-0x0000000005B30000-0x0000000005B40000-memory.dmp

      Filesize

      64KB

      Download