Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 06:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    469cc82ca9e821ef410447e616ab4e340d6e2e535adec14b8554ce9a7175853c.exe

  • Size

    557KB

  • MD5

    1dce306b8d420c0929122b14e460c619

  • SHA1

    a2b2a56c6b29498068f145e77e8387f67328b1ca

  • SHA256

    469cc82ca9e821ef410447e616ab4e340d6e2e535adec14b8554ce9a7175853c

  • SHA512

    cf53ccf5b21d97f77f6ec73f5dfd0d0677bcf1bd8acfd18d95c068da8eeda02f4ba673d7ba3875da222801c75368b6b553e020005321adcdfb3503eb5db7e6d5

  • SSDEEP

    12288:aMrky90fGxy2DUwO+Ffiy7GfG24UpdYFv1:ayBxZYwO+ZFGfGrUHYFt

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\469cc82ca9e821ef410447e616ab4e340d6e2e535adec14b8554ce9a7175853c.exe
    "C:\Users\Admin\AppData\Local\Temp\469cc82ca9e821ef410447e616ab4e340d6e2e535adec14b8554ce9a7175853c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhEg5850Nd.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhEg5850Nd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82qa84VY90.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82qa84VY90.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53br33uA36.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53br33uA36.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1896
          4⤵
          • Program crash
          PID:5060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhkl33MS83bB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhkl33MS83bB.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 856 -ip 856
    1⤵
      PID:548

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhkl33MS83bB.exe
            Filesize

            175KB

            MD5

            8fd92236c4427e2a4b8db9e955091e7b

            SHA1

            1586ada7966dd53e35fdec464e6bbbd47c45224a

            SHA256

            331303f5c6f3a8ae7a84f854c3127d4fd41e3d75e7313d184177f6a0c96b0ff0

            SHA512

            d440c1209e387bcd338c565da61c91be7ff69ba38b77582c27e760d79f7b856ebeb341ccefe17346039faefba17cc19072dfa640e82a9ebaedfb09a0469cd7fc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhkl33MS83bB.exe
            Filesize

            175KB

            MD5

            8fd92236c4427e2a4b8db9e955091e7b

            SHA1

            1586ada7966dd53e35fdec464e6bbbd47c45224a

            SHA256

            331303f5c6f3a8ae7a84f854c3127d4fd41e3d75e7313d184177f6a0c96b0ff0

            SHA512

            d440c1209e387bcd338c565da61c91be7ff69ba38b77582c27e760d79f7b856ebeb341ccefe17346039faefba17cc19072dfa640e82a9ebaedfb09a0469cd7fc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhEg5850Nd.exe
            Filesize

            412KB

            MD5

            aee25169d3df76b8aafa9b3283cc807b

            SHA1

            cfb4e39a2ae4a1dd790f47ed698bee321b34eee3

            SHA256

            aebcbd25537ad0e09e273a00c71435c762d8c9fbc49479a396d06aabdbc8cd78

            SHA512

            7bdec400f7201d40ff455499f2c26aa3ec2ee832a325e0a374970e31fd0e6674a069371467f1a05599f9e5996e200dac494f0f11ba265b79359ff3050b49d486

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhEg5850Nd.exe
            Filesize

            412KB

            MD5

            aee25169d3df76b8aafa9b3283cc807b

            SHA1

            cfb4e39a2ae4a1dd790f47ed698bee321b34eee3

            SHA256

            aebcbd25537ad0e09e273a00c71435c762d8c9fbc49479a396d06aabdbc8cd78

            SHA512

            7bdec400f7201d40ff455499f2c26aa3ec2ee832a325e0a374970e31fd0e6674a069371467f1a05599f9e5996e200dac494f0f11ba265b79359ff3050b49d486

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82qa84VY90.exe
            Filesize

            11KB

            MD5

            f98262dafbc87c8f25177129b13c62f0

            SHA1

            15185689422140bacdec8095d5eb0407347993b7

            SHA256

            34243e0a87cee8c94d413dd9d3d478fe849e29d3ab802b99f4ada3e0dbf0eaa4

            SHA512

            e0fdf9ab1e81bbb3de224a07607dcb94859a6e2bd2855a66fd3be4d1a59aac60ed36c296cbcff9c3e8d65be82f9defd1c2a556d038ec469699bea645a67831c2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82qa84VY90.exe
            Filesize

            11KB

            MD5

            f98262dafbc87c8f25177129b13c62f0

            SHA1

            15185689422140bacdec8095d5eb0407347993b7

            SHA256

            34243e0a87cee8c94d413dd9d3d478fe849e29d3ab802b99f4ada3e0dbf0eaa4

            SHA512

            e0fdf9ab1e81bbb3de224a07607dcb94859a6e2bd2855a66fd3be4d1a59aac60ed36c296cbcff9c3e8d65be82f9defd1c2a556d038ec469699bea645a67831c2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53br33uA36.exe
            Filesize

            409KB

            MD5

            d918db9077504212d04e97bc5857b710

            SHA1

            cbac3bfca65f8dfe4efd408bcf480f3d603f1d06

            SHA256

            ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3

            SHA512

            f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf53br33uA36.exe
            Filesize

            409KB

            MD5

            d918db9077504212d04e97bc5857b710

            SHA1

            cbac3bfca65f8dfe4efd408bcf480f3d603f1d06

            SHA256

            ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3

            SHA512

            f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187

            Download Submit

          • memory/856-153-0x0000000002BE0000-0x0000000002C2B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/856-154-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-155-0x0000000007260000-0x0000000007804000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/856-156-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-157-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-159-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-161-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-163-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-165-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-167-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-169-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-171-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-173-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-175-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-177-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-179-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-182-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-184-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-185-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-181-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-187-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-189-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-191-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-193-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-195-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-199-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-197-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-201-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-203-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-205-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-207-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-209-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-211-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-213-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-215-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-217-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-219-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-221-0x00000000071D0000-0x000000000720E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-1064-0x0000000007920000-0x0000000007F38000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/856-1065-0x0000000007FC0000-0x00000000080CA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/856-1066-0x0000000008100000-0x0000000008112000-memory.dmp

            Filesize

            72KB

            Download

          • memory/856-1067-0x0000000008120000-0x000000000815C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/856-1068-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-1069-0x0000000008410000-0x00000000084A2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/856-1070-0x00000000084B0000-0x0000000008516000-memory.dmp

            Filesize

            408KB

            Download

          • memory/856-1072-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-1073-0x0000000008BB0000-0x0000000008C26000-memory.dmp

            Filesize

            472KB

            Download

          • memory/856-1074-0x0000000008C40000-0x0000000008C90000-memory.dmp

            Filesize

            320KB

            Download

          • memory/856-1075-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-1076-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/856-1077-0x0000000008EF0000-0x00000000090B2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/856-1078-0x00000000090D0000-0x00000000095FC000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/856-1079-0x0000000007250000-0x0000000007260000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2676-1085-0x0000000000D60000-0x0000000000D92000-memory.dmp

            Filesize

            200KB

            Download

          • memory/2676-1086-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3272-147-0x00000000005E0000-0x00000000005EA000-memory.dmp

            Filesize

            40KB

            Download