Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/03/2023, 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bdc25aa52b772392d96ea9402482a5f2e846e4adc7e15cbf341b2e7072f5010.exe

  • Size

    647KB

  • MD5

    f8705885b191e7a5b63c98f759fc196f

  • SHA1

    4a87ee51935ea7c13df2e8168313b4561429b18d

  • SHA256

    9bdc25aa52b772392d96ea9402482a5f2e846e4adc7e15cbf341b2e7072f5010

  • SHA512

    9a94e1f91891f4606dd8074eaefb211853e8e2be751f65c0273a7978832f6683a4f00114418af8995cc4c01cef579dddf2dbead4be4bb0ab55da5a4c4302eda7

  • SSDEEP

    12288:qMrwy90iV6nQqgx+G8SKN9pQ/dXcHE/FxgApgwUwchmZ6gKwqIRg:qyHV6Qj8NN6/sApgBHhmZ6gK1N

Score
10/10
redlinemangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bdc25aa52b772392d96ea9402482a5f2e846e4adc7e15cbf341b2e7072f5010.exe
    "C:\Users\Admin\AppData\Local\Temp\9bdc25aa52b772392d96ea9402482a5f2e846e4adc7e15cbf341b2e7072f5010.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice4942.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice4942.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3899VY.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3899VY.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c42CV15.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c42CV15.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1080
          4⤵
          • Program crash
          PID:3468
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\drlic27.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\drlic27.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1348
        3⤵
        • Program crash
        PID:1248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1836 -ip 1836
    1⤵
      PID:5032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2440 -ip 2440
      1⤵
        PID:4388

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\drlic27.exe
        Filesize

        305KB

        MD5

        8c53c5efa6a7c2fe75dfa66351266abe

        SHA1

        8869004fc2117b864c784e5fc1d7e3eaaadd0c77

        SHA256

        b572e15e0ce5ef20c6e31ea00ad49358e6aa78de27709a5a6ef407ee57dbef84

        SHA512

        6203ba81cb1f8f5a83702390279638e7e82d498d1c8f619c7dc1490e9a06a10dcfa8e157c95311afed770f85a01e2f0edecebcc753aa8d970ae870210a1d714a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\drlic27.exe
        Filesize

        305KB

        MD5

        8c53c5efa6a7c2fe75dfa66351266abe

        SHA1

        8869004fc2117b864c784e5fc1d7e3eaaadd0c77

        SHA256

        b572e15e0ce5ef20c6e31ea00ad49358e6aa78de27709a5a6ef407ee57dbef84

        SHA512

        6203ba81cb1f8f5a83702390279638e7e82d498d1c8f619c7dc1490e9a06a10dcfa8e157c95311afed770f85a01e2f0edecebcc753aa8d970ae870210a1d714a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice4942.exe
        Filesize

        324KB

        MD5

        71573c4585e5287fdccd655d59598fe0

        SHA1

        e9f43cb2462cc186cc19074fc1cc8831a57afd27

        SHA256

        18e49bf346973de33eda9da67e557294e19526a4dd74ceb591da61401b60fbe2

        SHA512

        a231ef0ffab020b39f53c9268aeb5f35868a0d38c9f607996479a86e76c3acbdcc640c2fd2aa288f18e63998d25e8a70249c5ba2cbd2f25b401ad7c563f2a789

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice4942.exe
        Filesize

        324KB

        MD5

        71573c4585e5287fdccd655d59598fe0

        SHA1

        e9f43cb2462cc186cc19074fc1cc8831a57afd27

        SHA256

        18e49bf346973de33eda9da67e557294e19526a4dd74ceb591da61401b60fbe2

        SHA512

        a231ef0ffab020b39f53c9268aeb5f35868a0d38c9f607996479a86e76c3acbdcc640c2fd2aa288f18e63998d25e8a70249c5ba2cbd2f25b401ad7c563f2a789

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3899VY.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3899VY.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c42CV15.exe
        Filesize

        247KB

        MD5

        91c8fa1425e65cf7ebaaace2c58e4a75

        SHA1

        b50a10a885bb51b7b7604bc6964169c9773753eb

        SHA256

        d20fe9afd6356e1815d357c92b1acba2d722e0ba0f335261d494dac324ff960e

        SHA512

        82a501eb01299fd6df4cfc5f0ad3df8ecbf31320bc7fd75834e3ffaae2b9ed2e6154b868708ca3fdeca2ef63c14cbd14b1930e71e9d1c4f8eb81739d0ddf1911

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c42CV15.exe
        Filesize

        247KB

        MD5

        91c8fa1425e65cf7ebaaace2c58e4a75

        SHA1

        b50a10a885bb51b7b7604bc6964169c9773753eb

        SHA256

        d20fe9afd6356e1815d357c92b1acba2d722e0ba0f335261d494dac324ff960e

        SHA512

        82a501eb01299fd6df4cfc5f0ad3df8ecbf31320bc7fd75834e3ffaae2b9ed2e6154b868708ca3fdeca2ef63c14cbd14b1930e71e9d1c4f8eb81739d0ddf1911

        Download Submit

      • memory/1836-153-0x0000000004C40000-0x00000000051E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1836-154-0x0000000000540000-0x000000000056D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1836-155-0x00000000024E0000-0x00000000024F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1836-156-0x00000000024E0000-0x00000000024F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1836-157-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-158-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-162-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-168-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-166-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-174-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-184-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-182-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-180-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-178-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-176-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-172-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-170-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-164-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-160-0x00000000024B0000-0x00000000024C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1836-185-0x0000000000400000-0x00000000004BD000-memory.dmp

        Filesize

        756KB

        Download

      • memory/1836-186-0x00000000024E0000-0x00000000024F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1836-188-0x0000000000400000-0x00000000004BD000-memory.dmp

        Filesize

        756KB

        Download

      • memory/2440-193-0x0000000000640000-0x000000000068B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2440-194-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-196-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-200-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-198-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-197-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-195-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-202-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-204-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-206-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-208-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-210-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-212-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-214-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-216-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-218-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-220-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-222-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-224-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-226-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-228-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-230-0x0000000002530000-0x000000000256E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2440-1103-0x00000000052B0000-0x00000000058C8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2440-1104-0x0000000004B90000-0x0000000004C9A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2440-1105-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2440-1106-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-1107-0x00000000058D0000-0x000000000590C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2440-1109-0x0000000005BC0000-0x0000000005C26000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2440-1110-0x00000000063C0000-0x0000000006452000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2440-1111-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-1112-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-1113-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-1114-0x0000000007770000-0x00000000077E6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2440-1115-0x0000000007800000-0x0000000007850000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2440-1116-0x0000000007860000-0x0000000007A22000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2440-1117-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-1118-0x0000000007A40000-0x0000000007F6C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3760-147-0x0000000000740000-0x000000000074A000-memory.dmp

        Filesize

        40KB

        Download