Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Resubmissions

29-10-2024 12:29

241029-pn4tdavgqc 10

02-03-2023 17:29

230302-v23q5aea43 10

Analysis

  • max time kernel
    79s
  • max time network
    81s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-03-2023 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78f2532416cdf8fa1880a04cfa6cdcc475b1a84525b02759dff5550cab182e00.exe

  • Size

    545KB

  • MD5

    799b94c7eb6b0247fd94945a410e2f0a

  • SHA1

    afa3bd9d6cd4cd92b34e20f71e9792e4a34a89d6

  • SHA256

    78f2532416cdf8fa1880a04cfa6cdcc475b1a84525b02759dff5550cab182e00

  • SHA512

    86cf857e588dee09d0a94ea8ea1a39b3eb9bbb3027cb590fbfa6275b02d1f65d96b30f85287bb09307266e8ffff84b6f253131be0aa6fc4aa24b065bc2087126

  • SSDEEP

    12288:7MrKy90rkXVAU0WTEZERcwUFXsWtAisq9Bv2A:dyDVPgzBTtAwzv2A

Score
10/10
redlinefomichstekdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

stek

C2

melevv.eu:4162

Attributes
  • auth_value

    4205381daf6946b2df5fe3bc7eacc918

Extracted

Family

redline

Botnet

fomich

C2

melevv.eu:4162

Attributes
  • auth_value

    b018e52ac946001794d8b8c23e901859

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78f2532416cdf8fa1880a04cfa6cdcc475b1a84525b02759dff5550cab182e00.exe
    "C:\Users\Admin\AppData\Local\Temp\78f2532416cdf8fa1880a04cfa6cdcc475b1a84525b02759dff5550cab182e00.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJk1158PR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJk1158PR.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw11Qq09Tb23.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw11Qq09Tb23.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:824
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkM57Er72.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkM57Er72.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uug42MM41.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uug42MM41.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uug42MM41.exe
    Filesize

    175KB

    MD5

    9f219b5ac9731f5218d8e9fecbdfbf94

    SHA1

    2042e2480aa01116261d1c000934cd0afdb68564

    SHA256

    5e1b0b4d2386297abe05a58b4d6289483e87ae8585d7c9c407f1dc5964fd04fb

    SHA512

    f9814816b3b0aa44f800a0fab880c035f93a4c097543eca120f6ca07c00dee5ff6117570a686643eae8f6d8c3a71e11401eaf5f4b4ba94feccf165513fffa73e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uug42MM41.exe
    Filesize

    175KB

    MD5

    9f219b5ac9731f5218d8e9fecbdfbf94

    SHA1

    2042e2480aa01116261d1c000934cd0afdb68564

    SHA256

    5e1b0b4d2386297abe05a58b4d6289483e87ae8585d7c9c407f1dc5964fd04fb

    SHA512

    f9814816b3b0aa44f800a0fab880c035f93a4c097543eca120f6ca07c00dee5ff6117570a686643eae8f6d8c3a71e11401eaf5f4b4ba94feccf165513fffa73e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJk1158PR.exe
    Filesize

    401KB

    MD5

    3aa20ccc0dce19f7f412160c2eb3af20

    SHA1

    121b7f4aff0e102f9b8d9d63d36a0a2175eb5e62

    SHA256

    aefe56a35d5b9a839aa2409eaa5b3be35eefe1ed9cba6ba92db5cb4caf56844f

    SHA512

    4a5b0e64b03a54d0a52021b58a4c2836f32c0713189bc9d5a7a0e6095bd156fe3ebd7fdf8a2a7ed5baca386fd04900e12469d9e0c7fa23081e34e0444d8b8d7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJk1158PR.exe
    Filesize

    401KB

    MD5

    3aa20ccc0dce19f7f412160c2eb3af20

    SHA1

    121b7f4aff0e102f9b8d9d63d36a0a2175eb5e62

    SHA256

    aefe56a35d5b9a839aa2409eaa5b3be35eefe1ed9cba6ba92db5cb4caf56844f

    SHA512

    4a5b0e64b03a54d0a52021b58a4c2836f32c0713189bc9d5a7a0e6095bd156fe3ebd7fdf8a2a7ed5baca386fd04900e12469d9e0c7fa23081e34e0444d8b8d7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw11Qq09Tb23.exe
    Filesize

    17KB

    MD5

    7f8fdbe1239e7ea5d0859ddf3a8e7f81

    SHA1

    892620725e606396f80c77a62b1de55f8eb3dc0c

    SHA256

    fcdb7812d3065d46df850ad25064d76c8cb9063a4d52e759bbb40dcbd9d4ba71

    SHA512

    b20fa8434d12f45282f40200f3069ba6fa50286a0c7ef12f0d1eceff2073383ed1feb687289ffebf8e6cd4d4acaa718f426e3d815965355661f54a2b1317e874

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw11Qq09Tb23.exe
    Filesize

    17KB

    MD5

    7f8fdbe1239e7ea5d0859ddf3a8e7f81

    SHA1

    892620725e606396f80c77a62b1de55f8eb3dc0c

    SHA256

    fcdb7812d3065d46df850ad25064d76c8cb9063a4d52e759bbb40dcbd9d4ba71

    SHA512

    b20fa8434d12f45282f40200f3069ba6fa50286a0c7ef12f0d1eceff2073383ed1feb687289ffebf8e6cd4d4acaa718f426e3d815965355661f54a2b1317e874

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkM57Er72.exe
    Filesize

    377KB

    MD5

    a9bb941524fc5973d45dad1da3e23d17

    SHA1

    357a2a768bbec255880067c4a774ca2d4bee0588

    SHA256

    e2e687091711d776f73e3877ee7020f8ed6472855af0db8ee6f5ea796fc34659

    SHA512

    4beab17e28078481420dfdf5425a6829695cdfdf50c1231c509654bdcaf21d6de21f12ee44b4cbe9c3b555bed3a91542b2dc37b25b2d093e03af9941723d9256

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkM57Er72.exe
    Filesize

    377KB

    MD5

    a9bb941524fc5973d45dad1da3e23d17

    SHA1

    357a2a768bbec255880067c4a774ca2d4bee0588

    SHA256

    e2e687091711d776f73e3877ee7020f8ed6472855af0db8ee6f5ea796fc34659

    SHA512

    4beab17e28078481420dfdf5425a6829695cdfdf50c1231c509654bdcaf21d6de21f12ee44b4cbe9c3b555bed3a91542b2dc37b25b2d093e03af9941723d9256

    Download Submit

  • memory/824-132-0x00000000006E0000-0x00000000006EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2592-138-0x0000000004580000-0x00000000045CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2592-139-0x0000000004820000-0x0000000004866000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2592-140-0x0000000007330000-0x000000000782E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2592-141-0x0000000004CF0000-0x0000000004D34000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2592-142-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-144-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-143-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-146-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-145-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-148-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-150-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-152-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-154-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-156-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-158-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-160-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-162-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-168-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-166-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-170-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-164-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-172-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-174-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-178-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-180-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-176-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-182-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-184-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-194-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-192-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-196-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-204-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-206-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-202-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-200-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-208-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-198-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-190-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-188-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-186-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-1051-0x0000000007E40000-0x0000000008446000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2592-1052-0x0000000007830000-0x000000000793A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2592-1053-0x0000000007280000-0x0000000007292000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-1054-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-1055-0x00000000072A0000-0x00000000072DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2592-1056-0x0000000007A40000-0x0000000007A8B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2592-1058-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-1059-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-1060-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-1061-0x0000000007BB0000-0x0000000007C42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2592-1062-0x0000000007C50000-0x0000000007CB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2592-1063-0x0000000008AA0000-0x0000000008C62000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2592-1064-0x0000000007320000-0x0000000007330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-1065-0x0000000008C70000-0x000000000919C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2592-1066-0x00000000093D0000-0x0000000009446000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2592-1067-0x0000000009450000-0x00000000094A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2892-1074-0x0000000000890000-0x00000000008C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2892-1075-0x00000000052D0000-0x000000000531B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2892-1076-0x0000000005130000-0x0000000005140000-memory.dmp

    Filesize

    64KB

    Download