Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/03/2023, 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe

  • Size

    551KB

  • MD5

    7391ea3ac365085ed45a94b6c801abe1

  • SHA1

    b3088b6b3c622a42b482bd360184e28a67495f27

  • SHA256

    f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4

  • SHA512

    3f21991e2128f193e501ff69bd85d6000412e5269b77329475617b9cf82d9c8d09f0be90fefa8410288531e5ed058b5587e88aca2e8bc38fbfa5e42279c60fef

  • SSDEEP

    12288:xMrWy90hGyVQD6asU+ejCWMJPWFAy7hiIz5D7:ny4V0N+KPMJOFZii

Score
10/10
redlinedezikmangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

dezik

C2

193.56.146.220:4174

Attributes
  • auth_value

    d39f21dca8edc10800b036ab83f4d75e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe
    "C:\Users\Admin\AppData\Local\Temp\f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5932.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5932.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1269oT.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1269oT.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c16LC26.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c16LC26.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgiPP10.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgiPP10.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgiPP10.exe
    Filesize

    175KB

    MD5

    92f2a148b8f701e50e2f838f73d4d7b7

    SHA1

    324d8546e35d4f4285cac15b21620299ba5cb023

    SHA256

    9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

    SHA512

    3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgiPP10.exe
    Filesize

    175KB

    MD5

    92f2a148b8f701e50e2f838f73d4d7b7

    SHA1

    324d8546e35d4f4285cac15b21620299ba5cb023

    SHA256

    9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

    SHA512

    3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5932.exe
    Filesize

    406KB

    MD5

    ed0de9d0e92b75f4b14c960c5b126a49

    SHA1

    2f68ba84568177708dd1458fd6ee9eedd4ff09fb

    SHA256

    3bec89b47244e60281dbd65b68e7a58ada9f9cd5d94bd0e2747cd626d54a3f6c

    SHA512

    d6845ba188ff3936cc1fff25137f8d3b37d388e16e9cc90b41bce7de53b146acd7da430919434c00d37e1ac2c1f3e75136918890fd52cc1f65fceb869ec547e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5932.exe
    Filesize

    406KB

    MD5

    ed0de9d0e92b75f4b14c960c5b126a49

    SHA1

    2f68ba84568177708dd1458fd6ee9eedd4ff09fb

    SHA256

    3bec89b47244e60281dbd65b68e7a58ada9f9cd5d94bd0e2747cd626d54a3f6c

    SHA512

    d6845ba188ff3936cc1fff25137f8d3b37d388e16e9cc90b41bce7de53b146acd7da430919434c00d37e1ac2c1f3e75136918890fd52cc1f65fceb869ec547e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1269oT.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1269oT.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c16LC26.exe
    Filesize

    373KB

    MD5

    09d802dae8cc774b0aa7fea0c9a271bd

    SHA1

    e2e71100eefc6a88da7016a6d21f5187b9119a7e

    SHA256

    6ddd461d8d914589cae721431b01c29540771dc1becc5092af70e1c18308e7a3

    SHA512

    2fb75630e1d70955afe05500ef846e2b60c98e13799b7d1db2b753b2a7a5e72edcef54bfdbde0e984d41efda571969c044cb1d4a007e18f053b18fcb9f119b88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c16LC26.exe
    Filesize

    373KB

    MD5

    09d802dae8cc774b0aa7fea0c9a271bd

    SHA1

    e2e71100eefc6a88da7016a6d21f5187b9119a7e

    SHA256

    6ddd461d8d914589cae721431b01c29540771dc1becc5092af70e1c18308e7a3

    SHA512

    2fb75630e1d70955afe05500ef846e2b60c98e13799b7d1db2b753b2a7a5e72edcef54bfdbde0e984d41efda571969c044cb1d4a007e18f053b18fcb9f119b88

    Download Submit

  • memory/1340-1072-0x0000000000BD0000-0x0000000000C02000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1340-1073-0x0000000005610000-0x000000000565B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1340-1074-0x0000000005720000-0x0000000005730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4456-133-0x0000000000C80000-0x0000000000C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4888-175-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-189-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-142-0x0000000004AF0000-0x0000000004FEE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4888-143-0x0000000004A40000-0x0000000004A84000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4888-144-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-145-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-147-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-149-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-151-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-153-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-155-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-157-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-159-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-161-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-163-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-165-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-167-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-169-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-171-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-173-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-140-0x00000000004E0000-0x000000000052B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4888-177-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-179-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-181-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-183-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-186-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-185-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-141-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-188-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-191-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-193-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-195-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-197-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-199-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-201-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-203-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-205-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-207-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-209-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-1052-0x0000000005130000-0x0000000005736000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4888-1053-0x00000000057C0000-0x00000000058CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4888-1054-0x0000000005900000-0x0000000005912000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4888-1055-0x0000000005920000-0x000000000595E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-1056-0x0000000005A70000-0x0000000005ABB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4888-1057-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-1058-0x0000000005C00000-0x0000000005C92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4888-1059-0x0000000005CA0000-0x0000000005D06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4888-1061-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-1062-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-139-0x0000000002480000-0x00000000024C6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4888-1063-0x00000000064A0000-0x0000000006516000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4888-1064-0x0000000006530000-0x0000000006580000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4888-1065-0x00000000065A0000-0x0000000006762000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4888-1066-0x0000000006770000-0x0000000006C9C000-memory.dmp

    Filesize

    5.2MB

    Download