Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-03-2023 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6262420464058cb0ee82a667ca8ac5d9c6a696d49f6adf943752defd6ffe023.exe

  • Size

    641KB

  • MD5

    8682e89a0dfd61380fa2d9fa94fef61f

  • SHA1

    b0e0ea74189e4ae1362403c5c8c7afc8c083c9cd

  • SHA256

    c6262420464058cb0ee82a667ca8ac5d9c6a696d49f6adf943752defd6ffe023

  • SHA512

    6cecbb48ff2279cbc63748c393974c44ca827f4d7cf136b0b86c3b0f15704073b46a45611b0986b04bfabc0f31025c7c2fc35b62eea94f217ebd41766193a065

  • SSDEEP

    12288:IMrBy90ER1+7DfuqVaAEgU8jQjnWBg/KY5nRvjy1WUPdk:Zy5quUE7KYnEg/KYpNjy1WUVk

Score
10/10
redlinemangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 22 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6262420464058cb0ee82a667ca8ac5d9c6a696d49f6adf943752defd6ffe023.exe
    "C:\Users\Admin\AppData\Local\Temp\c6262420464058cb0ee82a667ca8ac5d9c6a696d49f6adf943752defd6ffe023.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice9357.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice9357.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1241YD.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1241YD.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c06qz67.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c06qz67.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqVUG47.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqVUG47.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqVUG47.exe
    Filesize

    294KB

    MD5

    a02dc6d2ee2d4bf96967444441844905

    SHA1

    14d75f9949a4cfec6ee4130eaee1a2587a893ad2

    SHA256

    6fd66a2a82762701917cf7fd9cc0da7bc70a49b7ff0bc73e6cfcffe4d109fc5d

    SHA512

    ced6ab5d296678887b412581329891b3087b2cbc3cd7e27356a9f1845e560fd13de5875b0e1436a9f175daf4583bef1417c5faeade33213814730fa51db78824

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqVUG47.exe
    Filesize

    294KB

    MD5

    a02dc6d2ee2d4bf96967444441844905

    SHA1

    14d75f9949a4cfec6ee4130eaee1a2587a893ad2

    SHA256

    6fd66a2a82762701917cf7fd9cc0da7bc70a49b7ff0bc73e6cfcffe4d109fc5d

    SHA512

    ced6ab5d296678887b412581329891b3087b2cbc3cd7e27356a9f1845e560fd13de5875b0e1436a9f175daf4583bef1417c5faeade33213814730fa51db78824

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice9357.exe
    Filesize

    321KB

    MD5

    a7125e6f12689077c3f53abe13b85ce6

    SHA1

    c0fc532cd18f346e6699e9b7703e7df0ac881363

    SHA256

    d81bbf5f627aaa3c507e9a6e86d477d4670baae6624eb86522efca1b5e113e9f

    SHA512

    ad7bf86d7362d2c3adcf71924b6ffebab464f737335c5d40fd6892072660add7b545a9b2a0b4652825e5b4362e37b29478edf48131948458b385fee4a13d2502

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice9357.exe
    Filesize

    321KB

    MD5

    a7125e6f12689077c3f53abe13b85ce6

    SHA1

    c0fc532cd18f346e6699e9b7703e7df0ac881363

    SHA256

    d81bbf5f627aaa3c507e9a6e86d477d4670baae6624eb86522efca1b5e113e9f

    SHA512

    ad7bf86d7362d2c3adcf71924b6ffebab464f737335c5d40fd6892072660add7b545a9b2a0b4652825e5b4362e37b29478edf48131948458b385fee4a13d2502

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1241YD.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1241YD.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c06qz67.exe
    Filesize

    237KB

    MD5

    3046f9f1a5a1a081022f2b90ac03b324

    SHA1

    ef8fe914f39e4478a05a599bee2c96bb13622095

    SHA256

    ad45579248f2993cb138f5bd9617d80232268c2acafb8b950f72df15ea7bb704

    SHA512

    5d659ac5d4d255b3138b410ef936e31b12703d1ce70d7c7be0f3e80803ab7029be64087b6baf4ddbe0e1388b5240aff880e917acbeb831bd8bb63864ecdbc086

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c06qz67.exe
    Filesize

    237KB

    MD5

    3046f9f1a5a1a081022f2b90ac03b324

    SHA1

    ef8fe914f39e4478a05a599bee2c96bb13622095

    SHA256

    ad45579248f2993cb138f5bd9617d80232268c2acafb8b950f72df15ea7bb704

    SHA512

    5d659ac5d4d255b3138b410ef936e31b12703d1ce70d7c7be0f3e80803ab7029be64087b6baf4ddbe0e1388b5240aff880e917acbeb831bd8bb63864ecdbc086

    Download Submit

  • memory/4528-133-0x0000000000A60000-0x0000000000A6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4880-221-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-227-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1108-0x0000000006EA0000-0x0000000006EF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4880-1107-0x0000000006E20000-0x0000000006E96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4880-1106-0x00000000066C0000-0x0000000006BEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4880-1105-0x00000000064E0000-0x00000000066A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4880-1104-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1103-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1102-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1100-0x0000000005680000-0x00000000056E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4880-1099-0x00000000055E0000-0x0000000005672000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4880-1098-0x0000000005450000-0x000000000549B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4880-1097-0x0000000005300000-0x000000000533E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-1096-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1095-0x00000000052E0000-0x00000000052F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4880-1094-0x00000000051A0000-0x00000000052AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4880-1093-0x0000000005780000-0x0000000005D86000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4880-224-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-218-0x0000000002110000-0x000000000215B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4880-216-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-214-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-212-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-210-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-208-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-181-0x0000000002570000-0x00000000025B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4880-182-0x0000000004AA0000-0x0000000004AE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4880-183-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-184-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-186-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-188-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-190-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-192-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-194-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-196-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-198-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-200-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-202-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-204-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-206-0x0000000004AA0000-0x0000000004ADE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-164-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-146-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-176-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/5060-174-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/5060-173-0x0000000000710000-0x0000000000720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-172-0x0000000000710000-0x0000000000720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-171-0x0000000000710000-0x0000000000720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-142-0x0000000005030000-0x0000000005048000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5060-170-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-143-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-141-0x0000000004B30000-0x000000000502E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/5060-160-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-162-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-140-0x00000000021D0000-0x00000000021EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5060-158-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-156-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-154-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-152-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-150-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-148-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-166-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-144-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-168-0x0000000005030000-0x0000000005042000-memory.dmp

    Filesize

    72KB

    Download