Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2023 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4.exe

  • Size

    1.9MB

  • MD5

    b483c722d53182cb7b35e0604b6603c7

  • SHA1

    821a586245f977e3a6d2aae29c7a262c080cb5a2

  • SHA256

    c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4

  • SHA512

    efe2bc96cce1802c74277d72cd848b3c4a275bb5a1537ec59d1dc9b9a4ad60b6e733f14404d7cd07b479a8018a3872eb924befbd25256764d8f10f583a86372e

  • SSDEEP

    49152:vmMEPx6vQA7b0IyUWN/vgy0j3c6Byf1gTT:hHQAXtyBN/R0TE2X

Score
10/10
eternityredlinecollectioninfostealerspyware

Malware Config

Extracted

Family

eternity

C2

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4.exe
    "C:\Users\Admin\AppData\Local\Temp\c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3884
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:4804
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
              PID:2088
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              4⤵
                PID:2748
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4548
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:4584
                • C:\Windows\SysWOW64\findstr.exe
                  findstr Key
                  4⤵
                    PID:1308
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile name="65001" key=clear
                    4⤵
                      PID:2284

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
                Filesize

                1KB

                MD5

                dac6c404215ce4c9c1d55aa278911b01

                SHA1

                f8629f9deb79217859e4c9b7dcf439b32e55cd32

                SHA256

                d947ebeaa47715a54aa9ef8cdee737ffe9920551b8ea700cc220021cf535e333

                SHA512

                35deddab04a28e05083ddb5ec7754402d25975de5b34a7190f1a3c9b552688168b4a28c52d9fc5c53dd6b2965197e67809d1ff4c80650b1828ad7b42b4814ed9

                Download Submit

              • memory/2288-19-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2288-32-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2288-16-0x00000000057B0000-0x00000000057C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2288-14-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2288-12-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2288-15-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2288-17-0x00000000057B0000-0x00000000057C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2288-22-0x00000000057B0000-0x00000000057C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3548-25-0x00000000051A0000-0x00000000051B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3548-20-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/3548-23-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3548-26-0x0000000006070000-0x00000000060D6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/3548-27-0x00000000064D0000-0x0000000006520000-memory.dmp

                Filesize

                320KB

                Download

              • memory/3548-29-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3884-35-0x00000000089B0000-0x0000000008FC8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3884-33-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3884-46-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3884-45-0x0000000007A10000-0x0000000007A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3884-44-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3884-43-0x0000000009420000-0x000000000943E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/3884-42-0x0000000009C00000-0x000000000A12C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/3884-41-0x0000000009500000-0x00000000096C2000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3884-40-0x00000000092B0000-0x0000000009326000-memory.dmp

                Filesize

                472KB

                Download

              • memory/3884-39-0x0000000007C10000-0x0000000007C5C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3884-38-0x0000000007BD0000-0x0000000007C0C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/3884-37-0x0000000007CA0000-0x0000000007DAA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/3884-36-0x0000000007B50000-0x0000000007B62000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3884-30-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/3884-34-0x0000000007A10000-0x0000000007A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4100-24-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4100-6-0x00000000058C0000-0x0000000005904000-memory.dmp

                Filesize

                272KB

                Download

              • memory/4100-2-0x0000000005100000-0x000000000519C000-memory.dmp

                Filesize

                624KB

                Download

              • memory/4100-0-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4100-3-0x00000000051A0000-0x0000000005232000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4100-4-0x0000000005960000-0x0000000005F04000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4100-5-0x00000000053A0000-0x00000000053B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4100-1-0x00000000004F0000-0x00000000006D0000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/4100-13-0x00000000053A0000-0x00000000053B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4100-7-0x0000000006270000-0x000000000627A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4100-8-0x0000000074F00000-0x00000000756B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4100-9-0x00000000053A0000-0x00000000053B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4100-10-0x0000000007260000-0x000000000727A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4100-18-0x00000000053A0000-0x00000000053B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4100-11-0x0000000007280000-0x0000000007286000-memory.dmp

                Filesize

                24KB

                Download