Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ebfa871a8b6ab2e3a911b6e652908e069aec940315acbdb0039981fcfdc6ca9.exe

  • Size

    735KB

  • MD5

    cab1864e8205635e834abae78c520ce9

  • SHA1

    f6eeb9793c868cfafa8ae83de108660172d03218

  • SHA256

    3ebfa871a8b6ab2e3a911b6e652908e069aec940315acbdb0039981fcfdc6ca9

  • SHA512

    76e22375aa6c975bb8796f1b134a1d3d5c0dfb692957fb3ca1ad96188f5c45f7b0132f25ce6fd42b495460fee1234353de6ea8d3ec0f43eb85ffa19133dd5e57

  • SSDEEP

    12288:OMr8y90ayogIwKLvrOdAHeeqRsYkgSfM4gs9TfIXWi2IRXyG3vKzreJ:WydmInLvr2e3qSfM0TfyXyG3uC

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ebfa871a8b6ab2e3a911b6e652908e069aec940315acbdb0039981fcfdc6ca9.exe
    "C:\Users\Admin\AppData\Local\Temp\3ebfa871a8b6ab2e3a911b6e652908e069aec940315acbdb0039981fcfdc6ca9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5852309.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5852309.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3896943.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3896943.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8066316.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8066316.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4520
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0923226.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0923226.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5399704.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5399704.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3228
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3820
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 140
              6⤵
              • Program crash
              PID:4768
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7229968.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7229968.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3228 -ip 3228
    1⤵
      PID:4544

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5852309.exe
      Filesize

      530KB

      MD5

      f0ff97eba34e46e25f8c09ddbd6d57e5

      SHA1

      a328148844a0c0a01d76a2c9d497e1a087a43231

      SHA256

      975845cf97de2b373e6434ef758a24c29285d98721c9b59c30dd08d498a6fbb3

      SHA512

      7bba67f28ffa2f432ca77b327083dee8868ccbcfa9218cbf587967bc89c80b7ac152480fb51a3a8abfe8cc87765b2c0d8e8d96b2e595b21ea3a86806650d8818

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5852309.exe
      Filesize

      530KB

      MD5

      f0ff97eba34e46e25f8c09ddbd6d57e5

      SHA1

      a328148844a0c0a01d76a2c9d497e1a087a43231

      SHA256

      975845cf97de2b373e6434ef758a24c29285d98721c9b59c30dd08d498a6fbb3

      SHA512

      7bba67f28ffa2f432ca77b327083dee8868ccbcfa9218cbf587967bc89c80b7ac152480fb51a3a8abfe8cc87765b2c0d8e8d96b2e595b21ea3a86806650d8818

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3896943.exe
      Filesize

      358KB

      MD5

      e0df60375579ca58d4062fb750f2d555

      SHA1

      025ee274e6abca0729ce48ae3c2f71ee58e5f607

      SHA256

      bbcc186311859cee07d8784c23616bf0225f2fe0bc6aa3daeefa0dbb4eabaa0d

      SHA512

      49b4c70689b2d8123407f590f89904764db7dadc4eaca68b2becea9fca605d6562b87fdc4e22a2641392f08987b7ce10f11e3df36edb367c341a3997071e9be1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3896943.exe
      Filesize

      358KB

      MD5

      e0df60375579ca58d4062fb750f2d555

      SHA1

      025ee274e6abca0729ce48ae3c2f71ee58e5f607

      SHA256

      bbcc186311859cee07d8784c23616bf0225f2fe0bc6aa3daeefa0dbb4eabaa0d

      SHA512

      49b4c70689b2d8123407f590f89904764db7dadc4eaca68b2becea9fca605d6562b87fdc4e22a2641392f08987b7ce10f11e3df36edb367c341a3997071e9be1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7229968.exe
      Filesize

      172KB

      MD5

      68b9cf0d3ea4978f448636d7bf7024c5

      SHA1

      aa5f59dda309084217b072bdbd6b43b8f32e90ce

      SHA256

      e89f186a32aadd0bb5abd06f354993cae29e6f6361793acec6d94890cb256f0b

      SHA512

      a4bc335a9be356924c76966e21dbf47faddcecad768df5bdbab5e3199e33909d8c1f7894643a8d30fbfdaa523b8edc78424569182c91d9a196b26a731572bfe6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7229968.exe
      Filesize

      172KB

      MD5

      68b9cf0d3ea4978f448636d7bf7024c5

      SHA1

      aa5f59dda309084217b072bdbd6b43b8f32e90ce

      SHA256

      e89f186a32aadd0bb5abd06f354993cae29e6f6361793acec6d94890cb256f0b

      SHA512

      a4bc335a9be356924c76966e21dbf47faddcecad768df5bdbab5e3199e33909d8c1f7894643a8d30fbfdaa523b8edc78424569182c91d9a196b26a731572bfe6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8066316.exe
      Filesize

      203KB

      MD5

      1703b6b6fa73edd86681526c8a1eeae9

      SHA1

      4e773a88e30ebfa6a3cfe358d32f617d8e064a37

      SHA256

      cee6ed9fc61628066b313c74b2a4b7242097470ebe54ec180c3aece30788e830

      SHA512

      0e442f758761e23a4f1a0db7e4317b8f269b0e602bf843964af57ee1b4d35d15ad62d1afaf321d3150cc604a10c19d791ff6ba02955c6bc73c899134fb878a40

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8066316.exe
      Filesize

      203KB

      MD5

      1703b6b6fa73edd86681526c8a1eeae9

      SHA1

      4e773a88e30ebfa6a3cfe358d32f617d8e064a37

      SHA256

      cee6ed9fc61628066b313c74b2a4b7242097470ebe54ec180c3aece30788e830

      SHA512

      0e442f758761e23a4f1a0db7e4317b8f269b0e602bf843964af57ee1b4d35d15ad62d1afaf321d3150cc604a10c19d791ff6ba02955c6bc73c899134fb878a40

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0923226.exe
      Filesize

      13KB

      MD5

      0a4646229b5234e8194360e053f16388

      SHA1

      26bae3e2643fe61ae8680310337ce2c4115aa731

      SHA256

      8231765cac37ee401133861bf87d50800afd264086c7300996987795adeb04b4

      SHA512

      ae8d6c8cb3f72ad865e50df62456df28000566e9056fe13ab38afe4add6bb1da598e60128546eaa6ced9b3195f1f2dc6ef16f7adf6d703d275faa5a2180bf4cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0923226.exe
      Filesize

      13KB

      MD5

      0a4646229b5234e8194360e053f16388

      SHA1

      26bae3e2643fe61ae8680310337ce2c4115aa731

      SHA256

      8231765cac37ee401133861bf87d50800afd264086c7300996987795adeb04b4

      SHA512

      ae8d6c8cb3f72ad865e50df62456df28000566e9056fe13ab38afe4add6bb1da598e60128546eaa6ced9b3195f1f2dc6ef16f7adf6d703d275faa5a2180bf4cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5399704.exe
      Filesize

      120KB

      MD5

      84adf94cc212c6a19f2af362f87eabc6

      SHA1

      e5c749ccb1fc465e8ad63fd4240bb070df47adfa

      SHA256

      89b08acca450372cbd1b9421a8010546183363482e43f29d00d0567990c47343

      SHA512

      3a8cb3c8ead10cf14ebdc6587809948667b7278edf3cde3e528d48a662c7e9582c286d2e8a62e492d660fab2484b21bd1179ec5daaa51e567b0e82ea3659e696

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5399704.exe
      Filesize

      120KB

      MD5

      84adf94cc212c6a19f2af362f87eabc6

      SHA1

      e5c749ccb1fc465e8ad63fd4240bb070df47adfa

      SHA256

      89b08acca450372cbd1b9421a8010546183363482e43f29d00d0567990c47343

      SHA512

      3a8cb3c8ead10cf14ebdc6587809948667b7278edf3cde3e528d48a662c7e9582c286d2e8a62e492d660fab2484b21bd1179ec5daaa51e567b0e82ea3659e696

      Download Submit
    • memory/1884-161-0x0000000000FA0000-0x0000000000FAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3820-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3864-175-0x00000000008F0000-0x0000000000920000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3864-176-0x000000000ACF0000-0x000000000B308000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3864-177-0x000000000A870000-0x000000000A97A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3864-178-0x000000000A7B0000-0x000000000A7C2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3864-179-0x000000000A810000-0x000000000A84C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3864-180-0x0000000002B00000-0x0000000002B10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3864-181-0x000000000AC20000-0x000000000AC96000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3864-182-0x000000000B3B0000-0x000000000B442000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3864-183-0x000000000BA00000-0x000000000BFA4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3864-184-0x000000000B450000-0x000000000B4B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3864-185-0x000000000C180000-0x000000000C342000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3864-186-0x000000000C880000-0x000000000CDAC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3864-188-0x000000000B920000-0x000000000B970000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3864-189-0x0000000002B00000-0x0000000002B10000-memory.dmp
      Filesize

      64KB

      Download