Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2023, 18:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc.exe

  • Size

    551KB

  • MD5

    08399fbd2b2bfb73d66d93bdda8b7d48

  • SHA1

    4a01afecf211de913c551a697160b94c7ec229c6

  • SHA256

    0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc

  • SHA512

    36d58277ddb0a65e82948995c0949724d6b353b7c8b0eba16fa6c8e489018a4eb055d69c36c304452b79a1a1554ab0a70b69d4ccace9c9fb55414295e400cd93

  • SSDEEP

    12288:vMrey90ooJtTcJaWHcC9qWRP2XeUS3d7NAKSs:hyboLs8ul4XTiNAKL

Score
10/10
redlinedezikmangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

dezik

C2

193.56.146.220:4174

Attributes
  • auth_value

    d39f21dca8edc10800b036ab83f4d75e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc.exe
    "C:\Users\Admin\AppData\Local\Temp\0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4736
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1344
          4⤵
          • Program crash
          PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4224 -ip 4224
    1⤵
      PID:2084

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
            Filesize

            175KB

            MD5

            92f2a148b8f701e50e2f838f73d4d7b7

            SHA1

            324d8546e35d4f4285cac15b21620299ba5cb023

            SHA256

            9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

            SHA512

            3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
            Filesize

            175KB

            MD5

            92f2a148b8f701e50e2f838f73d4d7b7

            SHA1

            324d8546e35d4f4285cac15b21620299ba5cb023

            SHA256

            9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

            SHA512

            3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
            Filesize

            406KB

            MD5

            6d71f9388acecd60554cf4817e1bbd2a

            SHA1

            ca40b04f3b5f50a015d697882de08dd8ff00532b

            SHA256

            9db10788ffa62dedce8030529edf9d7d80a102f3c994b244a0e842d2b3ba07d4

            SHA512

            fc7160003015796614c6c13abda78eb84fbdd48f4ccc11b58c030d16883c1eff59a336d3de61f1259237fabaa3cddbc2c0cce8f83ade7625f78be08d54a64945

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
            Filesize

            406KB

            MD5

            6d71f9388acecd60554cf4817e1bbd2a

            SHA1

            ca40b04f3b5f50a015d697882de08dd8ff00532b

            SHA256

            9db10788ffa62dedce8030529edf9d7d80a102f3c994b244a0e842d2b3ba07d4

            SHA512

            fc7160003015796614c6c13abda78eb84fbdd48f4ccc11b58c030d16883c1eff59a336d3de61f1259237fabaa3cddbc2c0cce8f83ade7625f78be08d54a64945

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
            Filesize

            373KB

            MD5

            dd7930d20da878defc3aafb3245b959d

            SHA1

            231d425066fdcab6a39deec4da1137562c137377

            SHA256

            3be662de8c33cc9ba26027c8fedde6cf95366f8c69dbb7eb1d1eac7820421144

            SHA512

            d0c9dc313c444a8a8fbc8fc5dc5f67dded8b7bc6997affecda16cde59b799b6ffa9730436002191fc1ad0663cf8fafeac3d1c992c5f793153f280a97565132e0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
            Filesize

            373KB

            MD5

            dd7930d20da878defc3aafb3245b959d

            SHA1

            231d425066fdcab6a39deec4da1137562c137377

            SHA256

            3be662de8c33cc9ba26027c8fedde6cf95366f8c69dbb7eb1d1eac7820421144

            SHA512

            d0c9dc313c444a8a8fbc8fc5dc5f67dded8b7bc6997affecda16cde59b799b6ffa9730436002191fc1ad0663cf8fafeac3d1c992c5f793153f280a97565132e0

            Download Submit

          • memory/1112-1085-0x0000000000590000-0x00000000005C2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1112-1087-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1112-1086-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-193-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-205-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-158-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-160-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-162-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-166-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-164-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-168-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-170-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-172-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-174-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-176-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-178-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-181-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-180-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-177-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-183-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-185-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-187-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-189-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-191-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-155-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-195-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-197-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-199-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-201-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-203-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-156-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-207-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-209-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-211-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-213-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-215-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-217-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-219-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-221-0x0000000004A80000-0x0000000004ABE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4224-1064-0x0000000005230000-0x0000000005848000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4224-1065-0x00000000058C0000-0x00000000059CA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4224-1066-0x0000000005A00000-0x0000000005A12000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4224-1067-0x0000000005A20000-0x0000000005A5C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4224-1068-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-1069-0x0000000005D10000-0x0000000005DA2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4224-1070-0x0000000005DB0000-0x0000000005E16000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4224-1072-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-1073-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-1074-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4224-1075-0x00000000065B0000-0x0000000006626000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4224-1076-0x0000000006640000-0x0000000006690000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4224-154-0x0000000004B80000-0x0000000005124000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4224-153-0x0000000001E80000-0x0000000001ECB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4224-1077-0x00000000066C0000-0x0000000006882000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4224-1078-0x0000000006890000-0x0000000006DBC000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/4224-1079-0x0000000004B70000-0x0000000004B80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4736-147-0x00000000004B0000-0x00000000004BA000-memory.dmp

            Filesize

            40KB

            Download