Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-03-2023 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a427caf1e2802878cdc41894f8202873b85fa9e1edaacd8169caf3e5a94f4beb.exe

  • Size

    790KB

  • MD5

    6f7422827e5dad6031a57881f4b66807

  • SHA1

    808afe3006c432444731191511efb7e727f1adcd

  • SHA256

    a427caf1e2802878cdc41894f8202873b85fa9e1edaacd8169caf3e5a94f4beb

  • SHA512

    93fcd9126ba63fd8a208a9e5bb81a6c28074bf060c43eb6ea97302fc6953f20049a2a00bb2f5857f954fb462ebfa0d05078fe01219a294dabe985b37c65b0d4e

  • SSDEEP

    24576:7ypGdZtAISONA04CYn77YXCwwpBZ4gR5W:uskISONRYnnw0

Score
10/10
redlinemangoritadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

rita

C2

193.233.20.28:4125

Attributes
  • auth_value

    5cf1bcf41b0a2f3710619223451dfd3a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a427caf1e2802878cdc41894f8202873b85fa9e1edaacd8169caf3e5a94f4beb.exe
    "C:\Users\Admin\AppData\Local\Temp\a427caf1e2802878cdc41894f8202873b85fa9e1edaacd8169caf3e5a94f4beb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8785.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8785.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6418.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6418.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7219UL.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7219UL.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c36FZ01.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c36FZ01.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4868
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dRsle30.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dRsle30.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e12YK83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e12YK83.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4300

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e12YK83.exe
    Filesize

    175KB

    MD5

    8b0ea3120d3d291045b26bcea5ccef54

    SHA1

    07ed9587057ae936ca0610051142a4add4f7b6aa

    SHA256

    6659717ddb5d87d6dc4e3c9e1d582bc58778c633eb50c61e3bdc57b5d3be7690

    SHA512

    6d112c8621488b8ec6373ec6ab87b20cd07d33ea945d67a6aaa9ca043d9556b735b3c7b9d33c562e29c8e875c3a947a203a33ad27c2d2afe75e2f75873768244

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e12YK83.exe
    Filesize

    175KB

    MD5

    8b0ea3120d3d291045b26bcea5ccef54

    SHA1

    07ed9587057ae936ca0610051142a4add4f7b6aa

    SHA256

    6659717ddb5d87d6dc4e3c9e1d582bc58778c633eb50c61e3bdc57b5d3be7690

    SHA512

    6d112c8621488b8ec6373ec6ab87b20cd07d33ea945d67a6aaa9ca043d9556b735b3c7b9d33c562e29c8e875c3a947a203a33ad27c2d2afe75e2f75873768244

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8785.exe
    Filesize

    645KB

    MD5

    9cca2a55b276374790930c5328f29b02

    SHA1

    3d9782ee4cb51fdc4c5e049a0a0a25d53116ff9c

    SHA256

    77907bcce5453b65100e509de1db72725fe566f8d5e5ea3e7f0731b8e19e90e6

    SHA512

    d541cb6f055fe43c81666fbeacd33d7ab4cd1af19491a1b68e2ea40531dbdfad980a239fa1f31004d9a926aae388ca1811cdbeca4b77e4c621060dfe82708560

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8785.exe
    Filesize

    645KB

    MD5

    9cca2a55b276374790930c5328f29b02

    SHA1

    3d9782ee4cb51fdc4c5e049a0a0a25d53116ff9c

    SHA256

    77907bcce5453b65100e509de1db72725fe566f8d5e5ea3e7f0731b8e19e90e6

    SHA512

    d541cb6f055fe43c81666fbeacd33d7ab4cd1af19491a1b68e2ea40531dbdfad980a239fa1f31004d9a926aae388ca1811cdbeca4b77e4c621060dfe82708560

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dRsle30.exe
    Filesize

    296KB

    MD5

    88f1eb2a5ac78d81245e46f954de96e6

    SHA1

    f73af0ee5bcb6029f9b8fb7f562ac37d1286f042

    SHA256

    08f38c8907cd895807bdd7524234084612853d807aa2094d0a6a6638c136eeea

    SHA512

    cd008dcc2c6d827e4a4f34a0cf80416cff490a0fb88277997e9d1690b8e555cc3d21f66809afa7b8c836cadcf21d52c75f08e8b5808dcd2e8eaf6e58e1d43aad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dRsle30.exe
    Filesize

    296KB

    MD5

    88f1eb2a5ac78d81245e46f954de96e6

    SHA1

    f73af0ee5bcb6029f9b8fb7f562ac37d1286f042

    SHA256

    08f38c8907cd895807bdd7524234084612853d807aa2094d0a6a6638c136eeea

    SHA512

    cd008dcc2c6d827e4a4f34a0cf80416cff490a0fb88277997e9d1690b8e555cc3d21f66809afa7b8c836cadcf21d52c75f08e8b5808dcd2e8eaf6e58e1d43aad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6418.exe
    Filesize

    323KB

    MD5

    ec46b6a23ce8d810a29afaff241a3d05

    SHA1

    174e310f87e0f3e9c392037949a2dc8e67c65ef0

    SHA256

    180ae074763804d194ba12c6d1e2e9a0895d68c36a807b1f022ec8b71723dee1

    SHA512

    2955b73fb9ce97fcea9a9bc995138189096c3fb6747a8c0f998aafef93262be4b7526555a8c2dec23aa25bb1e51c51b3bcb996471e4e046509b044f1bad35508

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6418.exe
    Filesize

    323KB

    MD5

    ec46b6a23ce8d810a29afaff241a3d05

    SHA1

    174e310f87e0f3e9c392037949a2dc8e67c65ef0

    SHA256

    180ae074763804d194ba12c6d1e2e9a0895d68c36a807b1f022ec8b71723dee1

    SHA512

    2955b73fb9ce97fcea9a9bc995138189096c3fb6747a8c0f998aafef93262be4b7526555a8c2dec23aa25bb1e51c51b3bcb996471e4e046509b044f1bad35508

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7219UL.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7219UL.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c36FZ01.exe
    Filesize

    239KB

    MD5

    5df934a16e80676a9c964feb3135458f

    SHA1

    06ad20f806c987c2c02a0867f1f08f3d9e47ff1d

    SHA256

    f1283c7d0ff9fd30e8328cb701f54b7414c8c3b6c9c15e0930051a2a1c1f531d

    SHA512

    734135670cd653e46d9d3ff9e76a37877840fc8b087c1fb0ef6cd336e57bcab340838c1a9d70801ac3f57d69392e465833e80a1d5c182214832cfe30c130606e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c36FZ01.exe
    Filesize

    239KB

    MD5

    5df934a16e80676a9c964feb3135458f

    SHA1

    06ad20f806c987c2c02a0867f1f08f3d9e47ff1d

    SHA256

    f1283c7d0ff9fd30e8328cb701f54b7414c8c3b6c9c15e0930051a2a1c1f531d

    SHA512

    734135670cd653e46d9d3ff9e76a37877840fc8b087c1fb0ef6cd336e57bcab340838c1a9d70801ac3f57d69392e465833e80a1d5c182214832cfe30c130606e

    Download Submit

  • memory/2472-1103-0x0000000004FF0000-0x00000000055F6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2472-1107-0x0000000005920000-0x000000000596B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2472-1121-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-1118-0x0000000006760000-0x0000000006C8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2472-1117-0x0000000006590000-0x0000000006752000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2472-1116-0x0000000006520000-0x0000000006570000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2472-1115-0x0000000006490000-0x0000000006506000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2472-1114-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-1113-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-1112-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-1111-0x0000000006170000-0x0000000006202000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2472-1110-0x0000000005AB0000-0x0000000005B16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2472-1108-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-1106-0x00000000057D0000-0x000000000580E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-1105-0x00000000057B0000-0x00000000057C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2472-1104-0x0000000005670000-0x000000000577A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2472-303-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-299-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-302-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2472-298-0x00000000005A0000-0x00000000005EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2472-226-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-224-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-222-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-220-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-191-0x00000000049F0000-0x0000000004A36000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2472-192-0x0000000004A70000-0x0000000004AB4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2472-193-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-194-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-196-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-198-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-200-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-204-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-206-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-208-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-202-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-210-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-212-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-214-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-216-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2472-218-0x0000000004A70000-0x0000000004AAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2828-142-0x0000000000F60000-0x0000000000F6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4300-1127-0x00000000051D0000-0x00000000051E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4300-1126-0x00000000051E0000-0x000000000522B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4300-1125-0x0000000000920000-0x0000000000952000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4868-181-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-165-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-155-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-169-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-149-0x0000000004B30000-0x000000000502E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4868-171-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-173-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-177-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-151-0x0000000000590000-0x00000000005BD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4868-179-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-150-0x0000000002380000-0x0000000002398000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4868-175-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-157-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-182-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/4868-167-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-159-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-163-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-161-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-154-0x0000000002380000-0x0000000002392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4868-153-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-148-0x0000000001FD0000-0x0000000001FEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4868-183-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-184-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-186-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/4868-152-0x0000000004B20000-0x0000000004B30000-memory.dmp

    Filesize

    64KB

    Download