Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    53s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/03/2023, 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    967e76e82025963405f0592f376daa76f3e5af0fb72a3ce1548b9b7d8da3658f.exe

  • Size

    536KB

  • MD5

    9f3a27839a14a9123beab377d8e3c491

  • SHA1

    746db4f66d9fb06978b770418c41afea5c680535

  • SHA256

    967e76e82025963405f0592f376daa76f3e5af0fb72a3ce1548b9b7d8da3658f

  • SHA512

    87c08b0248ef7541dae5fadf35cf39e9839b014a4713c7bdadd0dfc9d20453f43b48380080d8c1ddc875cd6139b372632747264bfa33a140521798d9c51f2552

  • SSDEEP

    12288:tMrBy90kjCmJTf2P5H6VyHwcapyO8zcDHc:0yhTs6+wcapyYD8

Score
10/10
redlinefubarouchdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rouch

C2

193.56.146.11:4162

Attributes
  • auth_value

    1b1735bcfc122c708eae27ca352568de

Extracted

Family

redline

Botnet

fuba

C2

193.56.146.11:4162

Attributes
  • auth_value

    43015841fc23c63b15ca6ffe1d278d5e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\967e76e82025963405f0592f376daa76f3e5af0fb72a3ce1548b9b7d8da3658f.exe
    "C:\Users\Admin\AppData\Local\Temp\967e76e82025963405f0592f376daa76f3e5af0fb72a3ce1548b9b7d8da3658f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqF9767lO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqF9767lO.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw74od59iq93.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw74od59iq93.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tSD19Iz02.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tSD19Iz02.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uST04bv99.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uST04bv99.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uST04bv99.exe
    Filesize

    175KB

    MD5

    6fbf763f3c22ee09126d104cb7978419

    SHA1

    a1cf7ab691c932104a88270d75b93f55cdfd720c

    SHA256

    b88fe659f4f9d9e3a576b6389e145f223afd6db6beab20310057c408dd2deec8

    SHA512

    b677ef17f477eb0a4b9e26cfbe0ebbf9273239773059ee39e7cf425e4a18244d7580a8420c641932e8e14dc25a1f5f81ce273b5e8027ac0cb19522aef33f4e2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uST04bv99.exe
    Filesize

    175KB

    MD5

    6fbf763f3c22ee09126d104cb7978419

    SHA1

    a1cf7ab691c932104a88270d75b93f55cdfd720c

    SHA256

    b88fe659f4f9d9e3a576b6389e145f223afd6db6beab20310057c408dd2deec8

    SHA512

    b677ef17f477eb0a4b9e26cfbe0ebbf9273239773059ee39e7cf425e4a18244d7580a8420c641932e8e14dc25a1f5f81ce273b5e8027ac0cb19522aef33f4e2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqF9767lO.exe
    Filesize

    392KB

    MD5

    a3bd90753681e761c29fe568b1e0f5bb

    SHA1

    1dd5c68616b86b02d1492d39be9bb32f13250d19

    SHA256

    b5992fc5afabc123e49686f306b5d8ad42ff3cb52ad39ac00b83c828df31efe0

    SHA512

    9dfe4708a45a3a6d7e0e61b4e56139a07b8435ff952bcceef42951e6e1e86091ceb72899d70eb3c43d498da2f1a947905bfc01382c1173b451f93e2a180faf08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqF9767lO.exe
    Filesize

    392KB

    MD5

    a3bd90753681e761c29fe568b1e0f5bb

    SHA1

    1dd5c68616b86b02d1492d39be9bb32f13250d19

    SHA256

    b5992fc5afabc123e49686f306b5d8ad42ff3cb52ad39ac00b83c828df31efe0

    SHA512

    9dfe4708a45a3a6d7e0e61b4e56139a07b8435ff952bcceef42951e6e1e86091ceb72899d70eb3c43d498da2f1a947905bfc01382c1173b451f93e2a180faf08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw74od59iq93.exe
    Filesize

    12KB

    MD5

    d992a50d35503669deab5e78c9c0cfbc

    SHA1

    34c5b257cf937569e876a8173332d109902f5c7a

    SHA256

    3215011960b66d9fd7c955dd8b208ec06ed32ad2563dc1d1fa7e1bc47d5dd21e

    SHA512

    032b68585f93efc15af0ef2a9a09b5757294ee1521406b89f901bc9f4fe7092ebf1ff369a72236aca468a71438686d3a2fd1f851d0d750d458af83e0c87bb2c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw74od59iq93.exe
    Filesize

    12KB

    MD5

    d992a50d35503669deab5e78c9c0cfbc

    SHA1

    34c5b257cf937569e876a8173332d109902f5c7a

    SHA256

    3215011960b66d9fd7c955dd8b208ec06ed32ad2563dc1d1fa7e1bc47d5dd21e

    SHA512

    032b68585f93efc15af0ef2a9a09b5757294ee1521406b89f901bc9f4fe7092ebf1ff369a72236aca468a71438686d3a2fd1f851d0d750d458af83e0c87bb2c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tSD19Iz02.exe
    Filesize

    304KB

    MD5

    6940451e769c094029427d1531775121

    SHA1

    03c763ca8ebc6896fb35c9f8d4d3fc64d03fe850

    SHA256

    ab9bbcc3bb273a1f13db7566032205b26f5a4a634194ba39007349aa34801dca

    SHA512

    53578c0693e6a171feec767f38f4601da453875d14a37f82e3ca30cce3b7217d4b5b0a6de659d54d11810ee238bd5816d2bc9635cf20dcd9f73901a09c08ff06

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tSD19Iz02.exe
    Filesize

    304KB

    MD5

    6940451e769c094029427d1531775121

    SHA1

    03c763ca8ebc6896fb35c9f8d4d3fc64d03fe850

    SHA256

    ab9bbcc3bb273a1f13db7566032205b26f5a4a634194ba39007349aa34801dca

    SHA512

    53578c0693e6a171feec767f38f4601da453875d14a37f82e3ca30cce3b7217d4b5b0a6de659d54d11810ee238bd5816d2bc9635cf20dcd9f73901a09c08ff06

    Download Submit

  • memory/1560-1076-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1560-1077-0x0000000005610000-0x0000000005620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1560-1078-0x00000000057F0000-0x000000000583B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3320-135-0x00000000003A0000-0x00000000003AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4180-175-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-189-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-144-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-145-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-146-0x0000000004B30000-0x000000000502E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4180-147-0x0000000005030000-0x0000000005074000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4180-148-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-149-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-151-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-153-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-155-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-157-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-159-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-161-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-163-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-165-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-167-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-169-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-171-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-173-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-142-0x0000000004A60000-0x0000000004AA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4180-177-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-179-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-181-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-183-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-185-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-187-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-143-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-191-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-193-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-195-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-197-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-199-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-201-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-203-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-205-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-207-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-209-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-211-0x0000000005030000-0x000000000506E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-1054-0x00000000056B0000-0x0000000005CB6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4180-1055-0x0000000005120000-0x000000000522A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4180-1056-0x0000000005260000-0x0000000005272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4180-1057-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-1058-0x0000000005280000-0x00000000052BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4180-1059-0x00000000053D0000-0x000000000541B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4180-1061-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-1062-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-1063-0x0000000005560000-0x00000000055C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4180-1064-0x0000000006260000-0x00000000062F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4180-1065-0x0000000006310000-0x00000000064D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4180-141-0x0000000000660000-0x00000000006AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4180-1066-0x00000000064F0000-0x0000000006A1C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4180-1067-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4180-1069-0x0000000006D90000-0x0000000006E06000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4180-1070-0x0000000006E10000-0x0000000006E60000-memory.dmp

    Filesize

    320KB

    Download