Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/03/2023, 02:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    363a79b0d8826cd09a9b95d8a47141d909c6291e0ff1edab6d94be29842a1011.exe

  • Size

    550KB

  • MD5

    a341aea8664f3be9a7b53accef0e6d51

  • SHA1

    346e5f32cb27df60ae2eff124024d293c9208a74

  • SHA256

    363a79b0d8826cd09a9b95d8a47141d909c6291e0ff1edab6d94be29842a1011

  • SHA512

    a46af431a64dc5d0e65c0c31eb54c8080196d23b483ecbc719a42d02f87aa143a4dec68dd309c1873ca50f0a75bf94be79d8ef2fd92ca626c7d25973eea0470e

  • SSDEEP

    12288:pMrKy90Hahimz7AuxqVlVWvo6dfmG85DXHhzjGJ:3yOsVAuxYj+6DlK

Score
10/10
redlinefuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\363a79b0d8826cd09a9b95d8a47141d909c6291e0ff1edab6d94be29842a1011.exe
    "C:\Users\Admin\AppData\Local\Temp\363a79b0d8826cd09a9b95d8a47141d909c6291e0ff1edab6d94be29842a1011.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7086bX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7086bX.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w00Qc29.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w00Qc29.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1416

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7086bX.exe
          Filesize

          322KB

          MD5

          8141937b23cd1895e561d8e90fdeeff3

          SHA1

          6f810e9e480564f5837461f8ccdd07c951a1bece

          SHA256

          ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

          SHA512

          40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7086bX.exe
          Filesize

          322KB

          MD5

          8141937b23cd1895e561d8e90fdeeff3

          SHA1

          6f810e9e480564f5837461f8ccdd07c951a1bece

          SHA256

          ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

          SHA512

          40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w00Qc29.exe
          Filesize

          380KB

          MD5

          7703b533b6e72a90817e85a9fd1f7126

          SHA1

          f4cc506f60b36ddf6474504989a9b171b1418570

          SHA256

          f6660c406e330206727065c74443d77ab4689c53984e6c2158f130c03cd2e86d

          SHA512

          3ee516734c6246d7b492af2a6ba3cae18d59d83cc281d75544b29918073a472b37d52ad6cf5c78bb36e81cc67e27d5cb2b0a1e6af098eaa4b5f5a3441f8ce031

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w00Qc29.exe
          Filesize

          380KB

          MD5

          7703b533b6e72a90817e85a9fd1f7126

          SHA1

          f4cc506f60b36ddf6474504989a9b171b1418570

          SHA256

          f6660c406e330206727065c74443d77ab4689c53984e6c2158f130c03cd2e86d

          SHA512

          3ee516734c6246d7b492af2a6ba3cae18d59d83cc281d75544b29918073a472b37d52ad6cf5c78bb36e81cc67e27d5cb2b0a1e6af098eaa4b5f5a3441f8ce031

          Download Submit

        • memory/1416-319-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-1082-0x0000000005650000-0x0000000005C56000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/1416-1098-0x0000000008060000-0x00000000080B0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1416-1097-0x0000000007FE0000-0x0000000008056000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1416-1096-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-1095-0x0000000006450000-0x000000000697C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1416-1094-0x0000000006280000-0x0000000006442000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1416-1093-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-1092-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-1091-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-1089-0x0000000006070000-0x0000000006102000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1416-1088-0x00000000054C0000-0x0000000005526000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1416-1087-0x0000000005330000-0x000000000537B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1416-1086-0x00000000051E0000-0x000000000521E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-1085-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-1084-0x00000000051C0000-0x00000000051D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1416-1083-0x0000000005080000-0x000000000518A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1416-185-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-323-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-322-0x0000000004B30000-0x0000000004B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-318-0x00000000005C0000-0x000000000060B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1416-205-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-203-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-201-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-199-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-170-0x0000000002310000-0x0000000002356000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1416-171-0x0000000004A50000-0x0000000004A94000-memory.dmp

          Filesize

          272KB

          Download

        • memory/1416-172-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-173-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-175-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-177-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-179-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-197-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-183-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-181-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-187-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-189-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-191-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-193-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1416-195-0x0000000004A50000-0x0000000004A8E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4108-136-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-154-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-129-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/4108-165-0x0000000004A90000-0x0000000004AA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4108-164-0x0000000000400000-0x00000000004D4000-memory.dmp

          Filesize

          848KB

          Download

        • memory/4108-162-0x0000000000400000-0x00000000004D4000-memory.dmp

          Filesize

          848KB

          Download

        • memory/4108-161-0x0000000004A90000-0x0000000004AA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4108-127-0x00000000001D0000-0x00000000001FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4108-160-0x0000000004A90000-0x0000000004AA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4108-159-0x0000000004A90000-0x0000000004AA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4108-158-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-130-0x0000000004A00000-0x0000000004A18000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4108-128-0x0000000004980000-0x000000000499A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4108-150-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-156-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-148-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-146-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-152-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-142-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-140-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-138-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-144-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-134-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-132-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4108-131-0x0000000004A00000-0x0000000004A12000-memory.dmp

          Filesize

          72KB

          Download