Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/03/2023, 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0035e2ac259bd395957b08f64ff8abb80468eade5fd70698006ffd97f6f407b0.exe

  • Size

    536KB

  • MD5

    092b80a1ac4e3e0f751fb2a904fd010e

  • SHA1

    33ce583c5698fea1f08193849b8021c45407c0c4

  • SHA256

    0035e2ac259bd395957b08f64ff8abb80468eade5fd70698006ffd97f6f407b0

  • SHA512

    6b6ba34c04e305511aecdf43c3ad2c9e6f21b16d465a72557157203c620534aa144725270fbd05ca55599ca52f39da9eddabf1ce435ae252ccfffd9c2e774a37

  • SSDEEP

    6144:KGy+bnr+Op0yN90QEGZN6wvWCrGu9cHn7AD8rJPVvhIuG6ZpAbUZOM78Zd6zFw9S:WMrKy90sZ0+1KMDiPN+Y8Y5ALMia7h

Score
10/10
redlineformarumfadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Extracted

Family

redline

Botnet

forma

C2

193.233.20.24:4123

Attributes
  • auth_value

    50b8e065d7cb1e9e30786f7a370368f9

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0035e2ac259bd395957b08f64ff8abb80468eade5fd70698006ffd97f6f407b0.exe
    "C:\Users\Admin\AppData\Local\Temp\0035e2ac259bd395957b08f64ff8abb80468eade5fd70698006ffd97f6f407b0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vLm3807HN.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vLm3807HN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw31RB95jr75.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw31RB95jr75.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOP59fF40.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOP59fF40.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uRo45DJ52.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uRo45DJ52.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uRo45DJ52.exe
    Filesize

    177KB

    MD5

    aae606c1b141187a0c1f64eb36d56e89

    SHA1

    184b1f640800e11abc51bdcf0102e23e8f000dfa

    SHA256

    2f4eff4ca7d203b80acf80c9d3617823cf60ff35bf915bd491c30cd3285b711a

    SHA512

    b84f37d59ff50249bd7e6b7c30b94be739e6ff96b7982b8214358063a678fb6b316131f449fd2559ef951d42891296f8e106574d8c6b19f795b043591ec0e348

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uRo45DJ52.exe
    Filesize

    177KB

    MD5

    aae606c1b141187a0c1f64eb36d56e89

    SHA1

    184b1f640800e11abc51bdcf0102e23e8f000dfa

    SHA256

    2f4eff4ca7d203b80acf80c9d3617823cf60ff35bf915bd491c30cd3285b711a

    SHA512

    b84f37d59ff50249bd7e6b7c30b94be739e6ff96b7982b8214358063a678fb6b316131f449fd2559ef951d42891296f8e106574d8c6b19f795b043591ec0e348

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vLm3807HN.exe
    Filesize

    391KB

    MD5

    7988313c42bb67bc9fbe9c634d3870aa

    SHA1

    88016c84bfb5dec4657f3a80d71c636c85d85982

    SHA256

    bb9ee1e4e902df58f87f9bc1cf924a22a388bc32f401dda6cf375553a1456134

    SHA512

    a933ee15d46db71c6415d36aa9754d8f3a1a6827932cdd1ece01371ac9fac9b928a4e4e0d8f00477e675ab32b5569e911709deed3edd68c65bbbb0caef4fb90f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vLm3807HN.exe
    Filesize

    391KB

    MD5

    7988313c42bb67bc9fbe9c634d3870aa

    SHA1

    88016c84bfb5dec4657f3a80d71c636c85d85982

    SHA256

    bb9ee1e4e902df58f87f9bc1cf924a22a388bc32f401dda6cf375553a1456134

    SHA512

    a933ee15d46db71c6415d36aa9754d8f3a1a6827932cdd1ece01371ac9fac9b928a4e4e0d8f00477e675ab32b5569e911709deed3edd68c65bbbb0caef4fb90f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw31RB95jr75.exe
    Filesize

    17KB

    MD5

    31d72d8acd130092ad7d915c062975b1

    SHA1

    dadbf53cefd94cd8328e7c0ec2685948d617ab3b

    SHA256

    64e18776f0961bb678c1ba0e8ba5796e632c7260967599edd5807deaeb9d8416

    SHA512

    6c058731ea5fe4e260ff7bdca3a9b6f8bdbb9d0a39979b72ca3f3cd4aacec47b972cd779f99290c4ad172ab7be6519b70d749588c94e8b8643234d5347158262

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw31RB95jr75.exe
    Filesize

    17KB

    MD5

    31d72d8acd130092ad7d915c062975b1

    SHA1

    dadbf53cefd94cd8328e7c0ec2685948d617ab3b

    SHA256

    64e18776f0961bb678c1ba0e8ba5796e632c7260967599edd5807deaeb9d8416

    SHA512

    6c058731ea5fe4e260ff7bdca3a9b6f8bdbb9d0a39979b72ca3f3cd4aacec47b972cd779f99290c4ad172ab7be6519b70d749588c94e8b8643234d5347158262

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOP59fF40.exe
    Filesize

    304KB

    MD5

    ad61b513e0bbc3784d0c28ba13ab19ff

    SHA1

    0d86785da45331516385d7d72e18457e32b89aed

    SHA256

    5e58f65612a82a7a2a61a80f45d1cc0d756372bc05a8160e1d962270d2e1b037

    SHA512

    80d72ceb8b82f962a85381078abf4826412537604ff74749d05ff926f79ca143107219d217520050561b09675b04bfef14ddee37b2dc4818a84bf04c785afe0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOP59fF40.exe
    Filesize

    304KB

    MD5

    ad61b513e0bbc3784d0c28ba13ab19ff

    SHA1

    0d86785da45331516385d7d72e18457e32b89aed

    SHA256

    5e58f65612a82a7a2a61a80f45d1cc0d756372bc05a8160e1d962270d2e1b037

    SHA512

    80d72ceb8b82f962a85381078abf4826412537604ff74749d05ff926f79ca143107219d217520050561b09675b04bfef14ddee37b2dc4818a84bf04c785afe0a

    Download Submit

  • memory/3916-140-0x0000000002240000-0x0000000002286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3916-141-0x0000000004E00000-0x00000000052FE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3916-143-0x00000000006A0000-0x00000000006EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3916-145-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-144-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-146-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-142-0x0000000002320000-0x0000000002364000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3916-147-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-148-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-150-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-152-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-154-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-156-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-158-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-160-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-162-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-164-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-166-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-168-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-170-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-172-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-174-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-176-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-178-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-180-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-182-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-184-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-186-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-188-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-190-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-192-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-194-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-196-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-198-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-200-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-202-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-204-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-206-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-208-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-210-0x0000000002320000-0x000000000235E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-1053-0x0000000005910000-0x0000000005F16000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3916-1054-0x0000000005300000-0x000000000540A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3916-1055-0x00000000028F0000-0x0000000002902000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3916-1056-0x0000000002910000-0x000000000294E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3916-1057-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-1058-0x0000000005410000-0x000000000545B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3916-1060-0x0000000005560000-0x00000000055F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3916-1061-0x0000000005600000-0x0000000005666000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3916-1062-0x0000000006300000-0x0000000006376000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3916-1063-0x0000000006380000-0x00000000063D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3916-1064-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-1065-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-1066-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-1067-0x0000000006500000-0x00000000066C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3916-1068-0x00000000066E0000-0x0000000006C0C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3916-1069-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3928-134-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5016-1075-0x0000000000350000-0x0000000000382000-memory.dmp

    Filesize

    200KB

    Download

  • memory/5016-1076-0x0000000004BD0000-0x0000000004C1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5016-1077-0x0000000004C40000-0x0000000004C50000-memory.dmp

    Filesize

    64KB

    Download