Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2023 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb93cf100dc41f71adf7f91546a3dd703023d25db045f5b63492736fa9776ccd.exe

  • Size

    552KB

  • MD5

    180e481ab3b4ab2fae5a329051edf63d

  • SHA1

    935404b20fa38f48d73f1e76357116c79587d2ac

  • SHA256

    eb93cf100dc41f71adf7f91546a3dd703023d25db045f5b63492736fa9776ccd

  • SHA512

    a193e1368ff7d3f7c9321d87722443cf29526e668b9618bc0816d01eaaef84cb0c4cf919404c7a93ca5f94358e64dec3f0f58eda32a890ba995ea5c59f950713

  • SSDEEP

    12288:gMrXy90PmZSS9oC+SH9D1i1o15yVYTKtl64VZnSdBMYPX:nyZHoC+SH9s1oSHtlDVZ0mYPX

Score
10/10
redlinefudmishadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

misha

C2

193.56.146.11:4173

Attributes
  • auth_value

    e17e441c954db214b94a603a7b0b1aea

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb93cf100dc41f71adf7f91546a3dd703023d25db045f5b63492736fa9776ccd.exe
    "C:\Users\Admin\AppData\Local\Temp\eb93cf100dc41f71adf7f91546a3dd703023d25db045f5b63492736fa9776ccd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vktG8297qA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vktG8297qA.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s3562RR.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s3562RR.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t60Hx26.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t60Hx26.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1924
          4⤵
          • Program crash
          PID:4588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzSzW68.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzSzW68.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4660 -ip 4660
    1⤵
      PID:2920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzSzW68.exe
      Filesize

      175KB

      MD5

      fb6b1dfc1d31819df66b4eba004f4f1e

      SHA1

      8fb4085acc6bdac0c653130d20ccf87dc0a4bc16

      SHA256

      4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549

      SHA512

      270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzSzW68.exe
      Filesize

      175KB

      MD5

      fb6b1dfc1d31819df66b4eba004f4f1e

      SHA1

      8fb4085acc6bdac0c653130d20ccf87dc0a4bc16

      SHA256

      4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549

      SHA512

      270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vktG8297qA.exe
      Filesize

      408KB

      MD5

      c9da32f92fb01bb01957072ccdbf1496

      SHA1

      5fcd3ec2e71a07103a63de0b692ab4fecc138089

      SHA256

      5a18d3dc331e61e4410ea6eb4ef0179680f8ea985dcd84bee5a49d5f20cac045

      SHA512

      ae995ccc7fa2f88ea1e9ddde88d7ec5be3bf4efa1d3f01f36b7977dba9d854ddb05c6f453b44f30e124fb166ca530262adf75aac88be2343602c2434f251d3e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vktG8297qA.exe
      Filesize

      408KB

      MD5

      c9da32f92fb01bb01957072ccdbf1496

      SHA1

      5fcd3ec2e71a07103a63de0b692ab4fecc138089

      SHA256

      5a18d3dc331e61e4410ea6eb4ef0179680f8ea985dcd84bee5a49d5f20cac045

      SHA512

      ae995ccc7fa2f88ea1e9ddde88d7ec5be3bf4efa1d3f01f36b7977dba9d854ddb05c6f453b44f30e124fb166ca530262adf75aac88be2343602c2434f251d3e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s3562RR.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s3562RR.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t60Hx26.exe
      Filesize

      379KB

      MD5

      078594e2ec8f1b2481d493ca8b67af44

      SHA1

      d961fe2be92902c074b04272f277320fa994490a

      SHA256

      8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e

      SHA512

      0d6610de14191c8f5491a80cc8f50fc70011636e35b6b30295abcba780879b882e70dbb9ca33be81ad697bf1cdee7b68a1474b20968db6fc1d71e2e8cce227c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t60Hx26.exe
      Filesize

      379KB

      MD5

      078594e2ec8f1b2481d493ca8b67af44

      SHA1

      d961fe2be92902c074b04272f277320fa994490a

      SHA256

      8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e

      SHA512

      0d6610de14191c8f5491a80cc8f50fc70011636e35b6b30295abcba780879b882e70dbb9ca33be81ad697bf1cdee7b68a1474b20968db6fc1d71e2e8cce227c6

      Download Submit

    • memory/3100-147-0x0000000000E50000-0x0000000000E5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4468-1085-0x00000000002F0000-0x0000000000322000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4468-1086-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-189-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-201-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-155-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-156-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-157-0x0000000004D30000-0x00000000052D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4660-158-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-161-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-159-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-163-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-165-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-167-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-169-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-171-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-173-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-175-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-177-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-179-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-181-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-183-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-185-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-187-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-153-0x0000000000750000-0x000000000079B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4660-191-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-193-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-195-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-197-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-199-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-154-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-203-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-205-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-207-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-209-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-211-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-213-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-215-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-217-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-219-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-221-0x0000000002880000-0x00000000028BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4660-1064-0x00000000052E0000-0x00000000058F8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4660-1065-0x0000000005900000-0x0000000005A0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4660-1066-0x0000000005A10000-0x0000000005A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4660-1067-0x0000000005A30000-0x0000000005A6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4660-1068-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-1069-0x0000000005D20000-0x0000000005DB2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4660-1072-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-1071-0x0000000005DC0000-0x0000000005E26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4660-1073-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-1074-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4660-1075-0x00000000065C0000-0x0000000006636000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4660-1076-0x0000000006650000-0x00000000066A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4660-1077-0x00000000066D0000-0x0000000006892000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4660-1078-0x00000000068B0000-0x0000000006DDC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4660-1079-0x0000000004D20000-0x0000000004D30000-memory.dmp

      Filesize

      64KB

      Download