Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2023 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ce6f4a1f39a2d70c327f3d34a31d46301e92d708f10cd825e0950929b6efd4f.exe

  • Size

    559KB

  • MD5

    3b9789d6e19bae01af6d304ef4ad5e41

  • SHA1

    17566c5dd1fd1f2ecb2ad8a49957942d91c51c64

  • SHA256

    2ce6f4a1f39a2d70c327f3d34a31d46301e92d708f10cd825e0950929b6efd4f

  • SHA512

    8a1df9511396bb25a80cc5f34b92cbcaf60cd813c84f133fb735574f421d5f2ce2d7eadec0deea8044d9a13f82ed54a78bbbdff8ebef000c2478c8b0ca91aafe

  • SSDEEP

    12288:XMr4y904gqQNAuutC8fqvIxt12TX/pzNMMdRJK7uaJoue:zy9gqQNhvzTv/VdS7uaJte

Score
10/10
redlinefudmishadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

misha

C2

193.56.146.11:4173

Attributes
  • auth_value

    e17e441c954db214b94a603a7b0b1aea

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ce6f4a1f39a2d70c327f3d34a31d46301e92d708f10cd825e0950929b6efd4f.exe
    "C:\Users\Admin\AppData\Local\Temp\2ce6f4a1f39a2d70c327f3d34a31d46301e92d708f10cd825e0950929b6efd4f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWM3796ey.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWM3796ey.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s7627ka.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s7627ka.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t00oi87.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t00oi87.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3316
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1776
          4⤵
          • Program crash
          PID:4708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\utQPV86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\utQPV86.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3316 -ip 3316
    1⤵
      PID:1288

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\utQPV86.exe
      Filesize

      175KB

      MD5

      fb6b1dfc1d31819df66b4eba004f4f1e

      SHA1

      8fb4085acc6bdac0c653130d20ccf87dc0a4bc16

      SHA256

      4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549

      SHA512

      270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\utQPV86.exe
      Filesize

      175KB

      MD5

      fb6b1dfc1d31819df66b4eba004f4f1e

      SHA1

      8fb4085acc6bdac0c653130d20ccf87dc0a4bc16

      SHA256

      4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549

      SHA512

      270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWM3796ey.exe
      Filesize

      414KB

      MD5

      7b8c233e904d31314cf62478eca634e0

      SHA1

      c71577cb5593f8d78dd644d0b5affce8714a476e

      SHA256

      82ac3dab6147a9c97c7b2daa309bbd143772417098d1653f2b1151c6dcd9bc81

      SHA512

      f404df3e4fac7afe6dfaa998154b244aff56eee089c94f7790701438ee5ce53d2b9d32506e3f736cc42465d4d0883e78fd88a83414cfc99be61f9a8cfcb6c756

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWM3796ey.exe
      Filesize

      414KB

      MD5

      7b8c233e904d31314cf62478eca634e0

      SHA1

      c71577cb5593f8d78dd644d0b5affce8714a476e

      SHA256

      82ac3dab6147a9c97c7b2daa309bbd143772417098d1653f2b1151c6dcd9bc81

      SHA512

      f404df3e4fac7afe6dfaa998154b244aff56eee089c94f7790701438ee5ce53d2b9d32506e3f736cc42465d4d0883e78fd88a83414cfc99be61f9a8cfcb6c756

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s7627ka.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s7627ka.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t00oi87.exe
      Filesize

      392KB

      MD5

      c043039d011fe79d35f7b0bca0e4b9ac

      SHA1

      d9f8d058327a1e2232685832b9785c831b5465dd

      SHA256

      9dee345f969dda3f5c2ba41b9852030043a3c0e03ccea25983c18170a9a1b51c

      SHA512

      032401a08b4f2baf654c0c84d69b9c24821d6497c51f32816920606c458f603188cb3cd0400ce8814d937523765b0e6483a519abb44433bb4af1d6b391839365

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t00oi87.exe
      Filesize

      392KB

      MD5

      c043039d011fe79d35f7b0bca0e4b9ac

      SHA1

      d9f8d058327a1e2232685832b9785c831b5465dd

      SHA256

      9dee345f969dda3f5c2ba41b9852030043a3c0e03ccea25983c18170a9a1b51c

      SHA512

      032401a08b4f2baf654c0c84d69b9c24821d6497c51f32816920606c458f603188cb3cd0400ce8814d937523765b0e6483a519abb44433bb4af1d6b391839365

      Download Submit

    • memory/1964-147-0x0000000000F50000-0x0000000000F5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3316-153-0x00000000005D0000-0x000000000061B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3316-155-0x0000000004E20000-0x00000000053C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3316-156-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-154-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-157-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-158-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-160-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-162-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-164-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-166-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-168-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-170-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-172-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-174-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-176-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-178-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-180-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-182-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-184-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-186-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-188-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-190-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-192-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-194-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-196-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-198-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-200-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-202-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-204-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-206-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-208-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-210-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-212-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-214-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-216-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-218-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-220-0x0000000004C20000-0x0000000004C5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3316-1063-0x00000000053D0000-0x00000000059E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3316-1064-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3316-1065-0x0000000005A10000-0x0000000005A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3316-1066-0x0000000005A30000-0x0000000005A6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3316-1067-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-1069-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-1070-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-1071-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-1072-0x0000000005D20000-0x0000000005D86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3316-1073-0x00000000064F0000-0x0000000006582000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3316-1074-0x00000000065E0000-0x00000000067A2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3316-1075-0x00000000067C0000-0x0000000006CEC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3316-1076-0x0000000006E30000-0x0000000006EA6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3316-1077-0x0000000006EC0000-0x0000000006F10000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3316-1078-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3792-1084-0x0000000000C00000-0x0000000000C32000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3792-1085-0x0000000005800000-0x0000000005810000-memory.dmp

      Filesize

      64KB

      Download