Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2023, 01:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2b60dd4c6e082d05717e54335a5fe7fca84dbb96bee4a5e95d01574275cb5d41.exe

  • Size

    553KB

  • MD5

    12c9efe05435d34998d5252b987fa4cc

  • SHA1

    2eec29b8bed3fac0822434349d45c56925e1b28c

  • SHA256

    2b60dd4c6e082d05717e54335a5fe7fca84dbb96bee4a5e95d01574275cb5d41

  • SHA512

    5766aaa5b476de2a62077bd82c1de840a2c70bf94958c4c6aa186152175e4470231a06bd19bf3c72353852dfbec086e3cf819d4c77d0041f67383d25ee5391f4

  • SSDEEP

    12288:pMrxy90n7lFj2c88X31i1o1YzV7TKWl64VZlpclX:0yNR8Xg1omKWlDVZfS

Score
10/10
redlinefudmishadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

misha

C2

193.56.146.11:4173

Attributes
  • auth_value

    e17e441c954db214b94a603a7b0b1aea

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b60dd4c6e082d05717e54335a5fe7fca84dbb96bee4a5e95d01574275cb5d41.exe
    "C:\Users\Admin\AppData\Local\Temp\2b60dd4c6e082d05717e54335a5fe7fca84dbb96bee4a5e95d01574275cb5d41.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkjL0369nz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkjL0369nz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s8867RO.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s8867RO.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t93dQ49.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t93dQ49.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1352
          4⤵
          • Program crash
          PID:3772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urGlS67.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urGlS67.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2040 -ip 2040
    1⤵
      PID:440

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urGlS67.exe
            Filesize

            175KB

            MD5

            fb6b1dfc1d31819df66b4eba004f4f1e

            SHA1

            8fb4085acc6bdac0c653130d20ccf87dc0a4bc16

            SHA256

            4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549

            SHA512

            270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urGlS67.exe
            Filesize

            175KB

            MD5

            fb6b1dfc1d31819df66b4eba004f4f1e

            SHA1

            8fb4085acc6bdac0c653130d20ccf87dc0a4bc16

            SHA256

            4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549

            SHA512

            270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkjL0369nz.exe
            Filesize

            408KB

            MD5

            27157fbb7fe46b2a94a4aefc73d04fe1

            SHA1

            c12bf534adc27d329e3d2d9ea0c0fc1e2cc4e172

            SHA256

            6753fc1dc77304cb3196d8386337ecfe675266f734a195923c1b1ea33ed97f26

            SHA512

            b60971a2d07d062ff55816335ac80f92b56f5097c86496668c0a0fe49bffb5c69881b6f442bdb8b3194ea4eec9fed95439f2021de7e220f1522ef3b9dd5cb080

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkjL0369nz.exe
            Filesize

            408KB

            MD5

            27157fbb7fe46b2a94a4aefc73d04fe1

            SHA1

            c12bf534adc27d329e3d2d9ea0c0fc1e2cc4e172

            SHA256

            6753fc1dc77304cb3196d8386337ecfe675266f734a195923c1b1ea33ed97f26

            SHA512

            b60971a2d07d062ff55816335ac80f92b56f5097c86496668c0a0fe49bffb5c69881b6f442bdb8b3194ea4eec9fed95439f2021de7e220f1522ef3b9dd5cb080

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s8867RO.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s8867RO.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t93dQ49.exe
            Filesize

            379KB

            MD5

            078594e2ec8f1b2481d493ca8b67af44

            SHA1

            d961fe2be92902c074b04272f277320fa994490a

            SHA256

            8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e

            SHA512

            0d6610de14191c8f5491a80cc8f50fc70011636e35b6b30295abcba780879b882e70dbb9ca33be81ad697bf1cdee7b68a1474b20968db6fc1d71e2e8cce227c6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t93dQ49.exe
            Filesize

            379KB

            MD5

            078594e2ec8f1b2481d493ca8b67af44

            SHA1

            d961fe2be92902c074b04272f277320fa994490a

            SHA256

            8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e

            SHA512

            0d6610de14191c8f5491a80cc8f50fc70011636e35b6b30295abcba780879b882e70dbb9ca33be81ad697bf1cdee7b68a1474b20968db6fc1d71e2e8cce227c6

            Download Submit

          • memory/2040-153-0x00000000004F0000-0x000000000053B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2040-155-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2040-156-0x0000000004CB0000-0x0000000005254000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2040-154-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2040-158-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-160-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-157-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-162-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-164-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-166-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-170-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-168-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-172-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-174-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-176-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-178-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-180-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-182-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-184-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-186-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-188-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-190-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-192-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-194-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-196-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-198-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-200-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-202-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-204-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-206-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-208-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-210-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-212-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-214-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-216-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-218-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-220-0x0000000004AE0000-0x0000000004B1E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-1063-0x0000000005260000-0x0000000005878000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2040-1064-0x0000000005880000-0x000000000598A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2040-1065-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2040-1066-0x0000000004C00000-0x0000000004C3C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2040-1067-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2040-1068-0x0000000005BE0000-0x0000000005C72000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2040-1069-0x0000000005C80000-0x0000000005CE6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2040-1071-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2040-1072-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2040-1073-0x0000000006620000-0x0000000006696000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2040-1074-0x00000000066B0000-0x0000000006700000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2040-1075-0x0000000006810000-0x00000000069D2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2040-1076-0x00000000069E0000-0x0000000006F0C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2040-1077-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-147-0x0000000000320000-0x000000000032A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4940-1083-0x0000000000050000-0x0000000000082000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4940-1084-0x0000000004C60000-0x0000000004C70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4940-1085-0x0000000004C60000-0x0000000004C70000-memory.dmp

            Filesize

            64KB

            Download