Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27f1a39fbbf89ad3ba78511891f685d69a58750589eb4ebb3a5240e1291799ed.exe

  • Size

    562KB

  • MD5

    d7d67929d80a9dd8de43103b2e5c6fe0

  • SHA1

    02d3c4be29fe54b64a45ada729f353b5ad4576e6

  • SHA256

    27f1a39fbbf89ad3ba78511891f685d69a58750589eb4ebb3a5240e1291799ed

  • SHA512

    1a9ac2cca28edbe4decfe3cb715d32a7645d1675ed429fd3a344f32a8a15f6c4285663e9007576755fdbab53baa9702a22bf806371c88eee6846e15378b0082f

  • SSDEEP

    12288:PMr7y90UEJjPPyz4L8NnL/ylYYyn01FLloDjf0T:4y7E5PE4LsnL/yW0zLlUze

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 32 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27f1a39fbbf89ad3ba78511891f685d69a58750589eb4ebb3a5240e1291799ed.exe
    "C:\Users\Admin\AppData\Local\Temp\27f1a39fbbf89ad3ba78511891f685d69a58750589eb4ebb3a5240e1291799ed.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhUf0497Fh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhUf0497Fh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01tV56RH88.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01tV56RH88.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhky53Bv03dE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhky53Bv03dE.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhky53Bv03dE.exe
    Filesize

    176KB

    MD5

    419a48ebe5452f8af10fafc1bac94359

    SHA1

    a62c08978b0ba0d6057ccc2551848032403ff0c8

    SHA256

    be5ab1ab600697fb895d51eb9829bec49fc56c4b3e3bf383cf409025bf3e6906

    SHA512

    3778d40e04f61316203ee073c892ecdd91e32edf7be56044c2249dfda9a1860fe15130111821b5b33bd346796ff803483c71ce2954923cff3acccfdc95ae77f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhky53Bv03dE.exe
    Filesize

    176KB

    MD5

    419a48ebe5452f8af10fafc1bac94359

    SHA1

    a62c08978b0ba0d6057ccc2551848032403ff0c8

    SHA256

    be5ab1ab600697fb895d51eb9829bec49fc56c4b3e3bf383cf409025bf3e6906

    SHA512

    3778d40e04f61316203ee073c892ecdd91e32edf7be56044c2249dfda9a1860fe15130111821b5b33bd346796ff803483c71ce2954923cff3acccfdc95ae77f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhUf0497Fh.exe
    Filesize

    417KB

    MD5

    65340dcae151fcfa3a5ed1b0d92f4a77

    SHA1

    810bd330b02927af519b7a1bb324c53b11bf9044

    SHA256

    5937b94037a4804fe6e4bdb5fc66174965fe421f6cae5f7dc9622113442820fa

    SHA512

    de4b5925aef337f1f38441e7988077f16e153893d92cb76c64f7bfd50c15dd8b52620221f24860275b3c6a8342ef5b1b1bc82d0276f94ca5233edef2afe763f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhUf0497Fh.exe
    Filesize

    417KB

    MD5

    65340dcae151fcfa3a5ed1b0d92f4a77

    SHA1

    810bd330b02927af519b7a1bb324c53b11bf9044

    SHA256

    5937b94037a4804fe6e4bdb5fc66174965fe421f6cae5f7dc9622113442820fa

    SHA512

    de4b5925aef337f1f38441e7988077f16e153893d92cb76c64f7bfd50c15dd8b52620221f24860275b3c6a8342ef5b1b1bc82d0276f94ca5233edef2afe763f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01tV56RH88.exe
    Filesize

    12KB

    MD5

    6654387c0152108bea0c0766fc4f4631

    SHA1

    36756902f50f59db94e85ba755c742eda871b16a

    SHA256

    aa41485a0c6b11dae864530cb15bf4233ff11fb5c0e3da5a9095719ce0899a3a

    SHA512

    24f9acae9612ca5ae42d0e6404d100b84aa77e4b4ec867bab49a71417fdc818a91159ad6eb21c14597130706f7c3380582a5a8ea6ca95933a637ed3b21982e12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf01tV56RH88.exe
    Filesize

    12KB

    MD5

    6654387c0152108bea0c0766fc4f4631

    SHA1

    36756902f50f59db94e85ba755c742eda871b16a

    SHA256

    aa41485a0c6b11dae864530cb15bf4233ff11fb5c0e3da5a9095719ce0899a3a

    SHA512

    24f9acae9612ca5ae42d0e6404d100b84aa77e4b4ec867bab49a71417fdc818a91159ad6eb21c14597130706f7c3380582a5a8ea6ca95933a637ed3b21982e12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
    Filesize

    421KB

    MD5

    a1a8c7e021590c6ccb05a2a54e7d6f12

    SHA1

    76cabb2806779c8bcaba0f6ca25de05d2a4cda32

    SHA256

    ffa315cca20806209add23fb058b99380ac07212267bf8fceb265976a24207b8

    SHA512

    556cb80ba26000eb1426c652b995add13e2f8eb062820d34549317e82e785805b10d19b72942c505e3e1a0c5d985e9e01fcff7ab41124d903b72ce0570acaac2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
    Filesize

    421KB

    MD5

    a1a8c7e021590c6ccb05a2a54e7d6f12

    SHA1

    76cabb2806779c8bcaba0f6ca25de05d2a4cda32

    SHA256

    ffa315cca20806209add23fb058b99380ac07212267bf8fceb265976a24207b8

    SHA512

    556cb80ba26000eb1426c652b995add13e2f8eb062820d34549317e82e785805b10d19b72942c505e3e1a0c5d985e9e01fcff7ab41124d903b72ce0570acaac2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12Mj80Wb42.exe
    Filesize

    421KB

    MD5

    a1a8c7e021590c6ccb05a2a54e7d6f12

    SHA1

    76cabb2806779c8bcaba0f6ca25de05d2a4cda32

    SHA256

    ffa315cca20806209add23fb058b99380ac07212267bf8fceb265976a24207b8

    SHA512

    556cb80ba26000eb1426c652b995add13e2f8eb062820d34549317e82e785805b10d19b72942c505e3e1a0c5d985e9e01fcff7ab41124d903b72ce0570acaac2

    Download Submit

  • memory/2148-155-0x0000000002CB0000-0x0000000002CFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2444-147-0x00000000005B0000-0x00000000005BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2612-191-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-230-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-157-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2612-1095-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2612-163-0x0000000004970000-0x0000000004F14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2612-164-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2612-167-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-166-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-165-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-168-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-170-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-171-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-173-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-1089-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-176-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-1087-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-1088-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-180-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-182-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-1079-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2612-185-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-187-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-189-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-153-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2612-193-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-232-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-198-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-196-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-200-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-202-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-204-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-206-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-208-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-210-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-212-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-214-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-216-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-218-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-220-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-222-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-224-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-226-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-228-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2612-156-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3640-1084-0x0000000007100000-0x0000000007176000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3640-183-0x0000000005870000-0x00000000058AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3640-1080-0x0000000006200000-0x0000000006292000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3640-1081-0x0000000005B50000-0x0000000005BB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3640-1082-0x0000000006F30000-0x00000000070F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3640-1083-0x0000000007630000-0x0000000007B5C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3640-195-0x00000000056E0000-0x00000000056F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3640-1085-0x0000000006EC0000-0x0000000006F10000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3640-179-0x0000000005690000-0x00000000056A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3640-178-0x0000000005760000-0x000000000586A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3640-175-0x0000000005BE0000-0x00000000061F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3640-1090-0x00000000056E0000-0x00000000056F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3640-162-0x0000000000DF0000-0x0000000000E22000-memory.dmp

    Filesize

    200KB

    Download