Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    57s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/03/2023, 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe

  • Size

    560KB

  • MD5

    06be466217b8384774b1898400dc3892

  • SHA1

    8726a74c5aaff8da9de16edf17179f083ea374ff

  • SHA256

    005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb

  • SHA512

    7d415286013ff840b06a142219a66c1a10613e2738ce91aa01b9dcd41c86c6697ae16c7d7e1fdd79e81e2fc0986bb8f119c1e66f22a2ddeac7858fa00a10657c

  • SSDEEP

    12288:pMryy90rG08j5kt0S+GtEsHlbCUFMVGKT/JL4UncZdP5HNf1q:7y478j65Hl+UFM7LVE5tQ

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe
    "C:\Users\Admin\AppData\Local\Temp\005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRs12xk18Ll.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRs12xk18Ll.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRs12xk18Ll.exe
    Filesize

    175KB

    MD5

    b2fc4a89ebf383e80ff75e850d6c1d02

    SHA1

    a3cfde511237ad97f4a6e949d15a5ccb8d6e020d

    SHA256

    ce873ffba669a05cac4742ee6a0a89b641a3d3d8039115e089d00446ebc721bf

    SHA512

    0a60fba5bdcc5a9f035dce3caa1acf82f604007cd5241e0704e6fdd7057f306605c6e1ab383fffa3af992311a1c67fac012eb5795b4c8396ffb07fcd46c1821d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRs12xk18Ll.exe
    Filesize

    175KB

    MD5

    b2fc4a89ebf383e80ff75e850d6c1d02

    SHA1

    a3cfde511237ad97f4a6e949d15a5ccb8d6e020d

    SHA256

    ce873ffba669a05cac4742ee6a0a89b641a3d3d8039115e089d00446ebc721bf

    SHA512

    0a60fba5bdcc5a9f035dce3caa1acf82f604007cd5241e0704e6fdd7057f306605c6e1ab383fffa3af992311a1c67fac012eb5795b4c8396ffb07fcd46c1821d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
    Filesize

    415KB

    MD5

    2028d0c150da8bdc3f8f8c1b074c19c5

    SHA1

    ad3c40217d601a75b91e022e601a8240688b48d9

    SHA256

    ed5caf2f46b024f50cf772f732fe8669b69b72916926e40b2ea4d3985d7929a1

    SHA512

    bdbee21ca730693ae45dc739d93e6520155717ca1356788eef9775ace0295955c9879718d3dd27d1c6d23440345317de942b648d1d87280afe28ab14f4bde8f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
    Filesize

    415KB

    MD5

    2028d0c150da8bdc3f8f8c1b074c19c5

    SHA1

    ad3c40217d601a75b91e022e601a8240688b48d9

    SHA256

    ed5caf2f46b024f50cf772f732fe8669b69b72916926e40b2ea4d3985d7929a1

    SHA512

    bdbee21ca730693ae45dc739d93e6520155717ca1356788eef9775ace0295955c9879718d3dd27d1c6d23440345317de942b648d1d87280afe28ab14f4bde8f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
    Filesize

    11KB

    MD5

    c980f9b51f735536cb17f33896f058f5

    SHA1

    8bb70679a73bf5239032ecde2bc9958f1811dbe7

    SHA256

    8c5ce5f2fce798c91cb265b84aea50262834c4e3399d28efece531e8209a8c66

    SHA512

    5435e6993a4bdc23e93cf3bef623cb5493d37ecf79532316f583a7f1ff2355ca676e3b1f05740a54bd8eb36c86e3169c9f5663ec5ce8bb1f363e254f4461546d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
    Filesize

    11KB

    MD5

    c980f9b51f735536cb17f33896f058f5

    SHA1

    8bb70679a73bf5239032ecde2bc9958f1811dbe7

    SHA256

    8c5ce5f2fce798c91cb265b84aea50262834c4e3399d28efece531e8209a8c66

    SHA512

    5435e6993a4bdc23e93cf3bef623cb5493d37ecf79532316f583a7f1ff2355ca676e3b1f05740a54bd8eb36c86e3169c9f5663ec5ce8bb1f363e254f4461546d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
    Filesize

    416KB

    MD5

    9ce8c74a533c9909e622ad2c5700ca63

    SHA1

    bcce3e38eaf3c3b741bad36507671231d94ef844

    SHA256

    a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

    SHA512

    98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
    Filesize

    416KB

    MD5

    9ce8c74a533c9909e622ad2c5700ca63

    SHA1

    bcce3e38eaf3c3b741bad36507671231d94ef844

    SHA256

    a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

    SHA512

    98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

    Download Submit

  • memory/2124-141-0x0000000004770000-0x00000000047B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2124-142-0x0000000007250000-0x000000000774E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2124-143-0x0000000004830000-0x0000000004874000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2124-144-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-145-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-147-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-149-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-151-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-153-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-155-0x0000000002CB0000-0x0000000002CFB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2124-157-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-159-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-160-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-156-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-162-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-164-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-166-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-168-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-170-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-172-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-176-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-178-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-184-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-182-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-186-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-180-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-188-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-190-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-192-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-196-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-198-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-194-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-174-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-206-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-204-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-210-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-208-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-202-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-200-0x0000000004830000-0x000000000486E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-1053-0x0000000007750000-0x0000000007D56000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2124-1054-0x0000000007D80000-0x0000000007E8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2124-1055-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2124-1056-0x0000000007F20000-0x0000000007F5E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2124-1057-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-1058-0x0000000008060000-0x00000000080AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2124-1060-0x00000000081C0000-0x0000000008226000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2124-1061-0x0000000008880000-0x0000000008912000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2124-1062-0x0000000008980000-0x0000000008B42000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2124-1063-0x0000000008B50000-0x000000000907C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2124-1065-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-1064-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-1066-0x0000000009420000-0x0000000009496000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2124-1067-0x00000000094A0000-0x00000000094F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2124-1068-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2524-135-0x0000000000D30000-0x0000000000D3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4900-1074-0x0000000000A40000-0x0000000000A72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4900-1075-0x0000000005480000-0x00000000054CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4900-1076-0x0000000005600000-0x0000000005610000-memory.dmp

    Filesize

    64KB

    Download