Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-03-2023 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b795417cc7a5314630604fe64b969ca069ececbd6a3632cd475d2b6625640ed.exe

  • Size

    560KB

  • MD5

    3fa267f3f3278c4ccf1eb97f2b94c7e7

  • SHA1

    b51b8e6d256fe537fb5883e1c1dc428bece85369

  • SHA256

    7b795417cc7a5314630604fe64b969ca069ececbd6a3632cd475d2b6625640ed

  • SHA512

    ee3f10ebeccd4094242787ae4bdc83ff862da07bf5544c6e9208eeab0b24e2880812a2d81ffff206e971926f877de6d162759fe38f4794d11a58a69acb1053b7

  • SSDEEP

    12288:kMr0y90aIRv5VVZnMOqE2MFiVGKT/q2DUL9taEN:Qyy55Vrpr2MFiE2qv

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b795417cc7a5314630604fe64b969ca069ececbd6a3632cd475d2b6625640ed.exe
    "C:\Users\Admin\AppData\Local\Temp\7b795417cc7a5314630604fe64b969ca069ececbd6a3632cd475d2b6625640ed.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPk1191Ca.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPk1191Ca.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf96MV40nU14.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf96MV40nU14.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34wc26Aa51.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34wc26Aa51.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHD71sL98wX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHD71sL98wX.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHD71sL98wX.exe
    Filesize

    175KB

    MD5

    f489b3ed087bb9570d77b3f28841d04d

    SHA1

    c8b06e39fe8411c1758718dbdfe6912792cc9c20

    SHA256

    f4c0480c5c4940a56bcd52307d8b15367defd87f814f5a772ad40727009d6a2e

    SHA512

    da4338e5128871b9a5e990172c00dd2d9ba03822b1d108000c02827277be9fa0a03b4cfac85d5834bc265f5658b56aca21f5c1ed82a73a316a0d5610cca5ffe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHD71sL98wX.exe
    Filesize

    175KB

    MD5

    f489b3ed087bb9570d77b3f28841d04d

    SHA1

    c8b06e39fe8411c1758718dbdfe6912792cc9c20

    SHA256

    f4c0480c5c4940a56bcd52307d8b15367defd87f814f5a772ad40727009d6a2e

    SHA512

    da4338e5128871b9a5e990172c00dd2d9ba03822b1d108000c02827277be9fa0a03b4cfac85d5834bc265f5658b56aca21f5c1ed82a73a316a0d5610cca5ffe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPk1191Ca.exe
    Filesize

    416KB

    MD5

    18cf86fbc76b036b1b36d174ae21ccac

    SHA1

    fde2f530befdf24077345e436da569043c38e7b6

    SHA256

    90460ca103b6094d1b57b058911ebc2c2daebea56579a9d2245bfda987377b83

    SHA512

    9a00af7a8e149a3ff491dd77023d9ba29e84359be38ef8ab22d67d70badbbbbe977a2662afb76a5cd77f3c3ce5c7bb47020c53870535fb26d1d3577b145e5a0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPk1191Ca.exe
    Filesize

    416KB

    MD5

    18cf86fbc76b036b1b36d174ae21ccac

    SHA1

    fde2f530befdf24077345e436da569043c38e7b6

    SHA256

    90460ca103b6094d1b57b058911ebc2c2daebea56579a9d2245bfda987377b83

    SHA512

    9a00af7a8e149a3ff491dd77023d9ba29e84359be38ef8ab22d67d70badbbbbe977a2662afb76a5cd77f3c3ce5c7bb47020c53870535fb26d1d3577b145e5a0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf96MV40nU14.exe
    Filesize

    11KB

    MD5

    d77cdbe802fa4c0b9802e69417e56a00

    SHA1

    b3d806e546cebc873fa9c177f81c1d0f0f9806ba

    SHA256

    011a958959079cfde2c4e7e61045820995e56c18f7d649682dac34906b5359bb

    SHA512

    01028d605352694b50f3fc5702ba4bc8b5fb30eb24559d800e2206b87d21c86c7d1ca10c35e4d33a24d9c83aa792fc5acf0ae67d3f7dad35e0f165f67c2c048b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf96MV40nU14.exe
    Filesize

    11KB

    MD5

    d77cdbe802fa4c0b9802e69417e56a00

    SHA1

    b3d806e546cebc873fa9c177f81c1d0f0f9806ba

    SHA256

    011a958959079cfde2c4e7e61045820995e56c18f7d649682dac34906b5359bb

    SHA512

    01028d605352694b50f3fc5702ba4bc8b5fb30eb24559d800e2206b87d21c86c7d1ca10c35e4d33a24d9c83aa792fc5acf0ae67d3f7dad35e0f165f67c2c048b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34wc26Aa51.exe
    Filesize

    416KB

    MD5

    9ce8c74a533c9909e622ad2c5700ca63

    SHA1

    bcce3e38eaf3c3b741bad36507671231d94ef844

    SHA256

    a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

    SHA512

    98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34wc26Aa51.exe
    Filesize

    416KB

    MD5

    9ce8c74a533c9909e622ad2c5700ca63

    SHA1

    bcce3e38eaf3c3b741bad36507671231d94ef844

    SHA256

    a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

    SHA512

    98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

    Download Submit

  • memory/2368-130-0x0000000000540000-0x000000000054A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3908-1071-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3908-1073-0x00000000059B0000-0x00000000059C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3908-1072-0x00000000057F0000-0x000000000583B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5116-176-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-186-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-141-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-139-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-142-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-143-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-144-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-146-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-148-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-150-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-152-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-154-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-156-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-158-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-160-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-162-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-164-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-166-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-168-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-170-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-172-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-174-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-138-0x0000000002BE0000-0x0000000002C2B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5116-178-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-180-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-182-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-184-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-140-0x00000000071A0000-0x00000000071E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/5116-188-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-190-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-192-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-194-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-196-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-198-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-200-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-202-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-204-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-206-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-1049-0x0000000007780000-0x0000000007D86000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5116-1050-0x0000000007D90000-0x0000000007E9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5116-1051-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5116-1052-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-1053-0x0000000007EE0000-0x0000000007F1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-1054-0x0000000008030000-0x000000000807B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5116-1056-0x00000000081C0000-0x0000000008226000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5116-1057-0x00000000088B0000-0x0000000008942000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5116-1058-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-1059-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-1060-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-1061-0x0000000007270000-0x0000000007280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-1062-0x0000000008BA0000-0x0000000008D62000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5116-137-0x0000000007280000-0x000000000777E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/5116-136-0x0000000007120000-0x0000000007166000-memory.dmp

    Filesize

    280KB

    Download

  • memory/5116-1063-0x0000000008D90000-0x00000000092BC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5116-1064-0x000000000A660000-0x000000000A6D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5116-1065-0x000000000A6E0000-0x000000000A730000-memory.dmp

    Filesize

    320KB

    Download