Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/03/2023, 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f573f2a4f944d2d2c377f80e2b672e94527ef9b3fb973af37b6b84ef4c1d1473.exe

  • Size

    794KB

  • MD5

    c5dfc2878fe3de48d25ca2e4b4be198b

  • SHA1

    90e1864ba1a4f1ff46c5e87f33edeef5132a2972

  • SHA256

    f573f2a4f944d2d2c377f80e2b672e94527ef9b3fb973af37b6b84ef4c1d1473

  • SHA512

    f0fa09245ae10a60a8749ad75913996c8b0630ebe4adfb11fa229d1113cc5914c44a3c46419ee05dd66367b3996035cf42f531840d0153bc98f659b78c9c1983

  • SSDEEP

    12288:8MrWy90krvSNs8qi/GQbTbDko0mHkPzLDu9xgXY3vKng87/sNrYkB25bf1K:6ylr6q8P/GQkorkPzPu8XYCZLs5Z2RU

Score
10/10
redlinelabamangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

laba

C2

193.233.20.28:4125

Attributes
  • auth_value

    2cf01cffff9092a85ca7e106c547190b

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f573f2a4f944d2d2c377f80e2b672e94527ef9b3fb973af37b6b84ef4c1d1473.exe
    "C:\Users\Admin\AppData\Local\Temp\f573f2a4f944d2d2c377f80e2b672e94527ef9b3fb973af37b6b84ef4c1d1473.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3947.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3947.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8138.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8138.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3282od.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3282od.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c66yK80.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c66yK80.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4100
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1080
            5⤵
            • Program crash
            PID:2536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dIzVS95.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dIzVS95.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1348
          4⤵
          • Program crash
          PID:3352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e66qV70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e66qV70.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4100 -ip 4100
    1⤵
      PID:3012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2784 -ip 2784
      1⤵
        PID:4584
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:4916

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e66qV70.exe
        Filesize

        175KB

        MD5

        478e884952392c14b85cca1a6a4f3e35

        SHA1

        f3475db1427fec3eedf583f1b7b0f839b27f8d74

        SHA256

        bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

        SHA512

        b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e66qV70.exe
        Filesize

        175KB

        MD5

        478e884952392c14b85cca1a6a4f3e35

        SHA1

        f3475db1427fec3eedf583f1b7b0f839b27f8d74

        SHA256

        bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

        SHA512

        b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3947.exe
        Filesize

        649KB

        MD5

        3408850cfdae8fe78a738ffc997e55af

        SHA1

        5de9cfd417c1b1c773fba87d8de84592176cfa6e

        SHA256

        cfd1d2a12b7be4f7654cf4a16b7fa240b2110bd5294903ef2e0056b875465de2

        SHA512

        3196a798093b7fec6b60cec6b7914e3ac0d35837164c91063af0361f4e3875276e8b75f0835bbd6e326ef319a0e2f1b2152aa7dc4a4970d7ef7d4e3cfcd527a1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3947.exe
        Filesize

        649KB

        MD5

        3408850cfdae8fe78a738ffc997e55af

        SHA1

        5de9cfd417c1b1c773fba87d8de84592176cfa6e

        SHA256

        cfd1d2a12b7be4f7654cf4a16b7fa240b2110bd5294903ef2e0056b875465de2

        SHA512

        3196a798093b7fec6b60cec6b7914e3ac0d35837164c91063af0361f4e3875276e8b75f0835bbd6e326ef319a0e2f1b2152aa7dc4a4970d7ef7d4e3cfcd527a1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dIzVS95.exe
        Filesize

        284KB

        MD5

        0ae0ab5aa838cc32f1345b4e23710aec

        SHA1

        7fcd79cf17ee88e4a5e3a387b4a1aa34645e60c0

        SHA256

        a7490f1cc32c633da03b846f721b29f4096a89667342758298e5f5db59eadc23

        SHA512

        84e71511eac0292e695ab0b4c0271349496b8e8dd0d9b02feb4a5c2985b617011c85ad2edc200f7ad102f16f9da761974847104ba3909381c54c5c0cc7bf3531

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dIzVS95.exe
        Filesize

        284KB

        MD5

        0ae0ab5aa838cc32f1345b4e23710aec

        SHA1

        7fcd79cf17ee88e4a5e3a387b4a1aa34645e60c0

        SHA256

        a7490f1cc32c633da03b846f721b29f4096a89667342758298e5f5db59eadc23

        SHA512

        84e71511eac0292e695ab0b4c0271349496b8e8dd0d9b02feb4a5c2985b617011c85ad2edc200f7ad102f16f9da761974847104ba3909381c54c5c0cc7bf3531

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8138.exe
        Filesize

        324KB

        MD5

        12a041db0da6790f6d697031f4a7f043

        SHA1

        647e4ef25b3e1b895772d9c0299369fc7ffecdcf

        SHA256

        88d2ecd5bcefd13fe43c4abf660f36b908cb501d7fa1d897f85dfdb1689a76ec

        SHA512

        839b8a497661f8fdac58eed8ac4d32f630f6209f59f23eac783bcc757f5763e5baa8f10cb8c4628ab0608d87bbfb3b2f9534b477e52ee23437c7d95863b4d1c1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8138.exe
        Filesize

        324KB

        MD5

        12a041db0da6790f6d697031f4a7f043

        SHA1

        647e4ef25b3e1b895772d9c0299369fc7ffecdcf

        SHA256

        88d2ecd5bcefd13fe43c4abf660f36b908cb501d7fa1d897f85dfdb1689a76ec

        SHA512

        839b8a497661f8fdac58eed8ac4d32f630f6209f59f23eac783bcc757f5763e5baa8f10cb8c4628ab0608d87bbfb3b2f9534b477e52ee23437c7d95863b4d1c1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3282od.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3282od.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c66yK80.exe
        Filesize

        226KB

        MD5

        1aec0a362a69249469e6bc8c846334a8

        SHA1

        48b91ee15fb0373f35894aafaae046f51f22ae37

        SHA256

        7c39f5b54734fcb6f8b36411217d1757aebb7b4fb4934ea6752488d1241d2da3

        SHA512

        5994f0664922fbdf154cdf1c324ac96db58afda97884578550124868ae2bf92a068f73ec6280c7931b06163b37f125abeb157b47f2ab86556b731d713cb37f1f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c66yK80.exe
        Filesize

        226KB

        MD5

        1aec0a362a69249469e6bc8c846334a8

        SHA1

        48b91ee15fb0373f35894aafaae046f51f22ae37

        SHA256

        7c39f5b54734fcb6f8b36411217d1757aebb7b4fb4934ea6752488d1241d2da3

        SHA512

        5994f0664922fbdf154cdf1c324ac96db58afda97884578550124868ae2bf92a068f73ec6280c7931b06163b37f125abeb157b47f2ab86556b731d713cb37f1f

        Download Submit

      • memory/1536-1134-0x00000000057B0000-0x00000000057C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1536-1133-0x0000000000B80000-0x0000000000BB2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2784-1112-0x0000000005320000-0x0000000005938000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2784-1115-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-1127-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-1126-0x00000000069F0000-0x0000000006F1C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2784-1125-0x0000000006820000-0x00000000069E2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2784-1124-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-1123-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-1122-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-1120-0x0000000006530000-0x0000000006580000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2784-1119-0x00000000064A0000-0x0000000006516000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2784-1118-0x0000000005DA0000-0x0000000005E06000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2784-1117-0x0000000005D00000-0x0000000005D92000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2784-1116-0x0000000004D20000-0x0000000004D5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2784-1114-0x0000000004D00000-0x0000000004D12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2784-1113-0x0000000005940000-0x0000000005A4A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2784-426-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-424-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2784-423-0x0000000000A30000-0x0000000000A7B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2784-236-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-234-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-232-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-230-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-203-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-204-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-206-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-208-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-210-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-212-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-214-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-216-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-218-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-220-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-222-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-224-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-226-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2784-228-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4100-186-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-163-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4100-198-0x0000000000400000-0x00000000004B8000-memory.dmp

        Filesize

        736KB

        Download

      • memory/4100-196-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4100-195-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4100-194-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4100-193-0x0000000000400000-0x00000000004B8000-memory.dmp

        Filesize

        736KB

        Download

      • memory/4100-162-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4100-192-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-190-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-166-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-188-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-165-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-164-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4100-174-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-180-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-178-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-176-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-182-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-172-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-170-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-168-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-184-0x0000000004A40000-0x0000000004A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4100-161-0x0000000000610000-0x000000000063D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4100-160-0x0000000004AB0000-0x0000000005054000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4248-154-0x0000000000B60000-0x0000000000B6A000-memory.dmp

        Filesize

        40KB

        Download