Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-03-2023 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0594fbb5bb3359d8f4f25a151f0c85b30ff39fba49f2b0a4c18ee850016c4afd.exe

  • Size

    907KB

  • MD5

    21d71058ee2e7f4cc0654f28dc1eba85

  • SHA1

    816e03b129d489b1d823a887701b7fe06851f07b

  • SHA256

    0594fbb5bb3359d8f4f25a151f0c85b30ff39fba49f2b0a4c18ee850016c4afd

  • SHA512

    ab3b48b2cb6fc6a5999166a25724eea5e8d0bc4be37d748b633b4e40aedb74631220ad5a011c0afcc21c4f03f808fc8fe58370ce4ad8b3d4b5169fc9da5be4e0

  • SSDEEP

    24576:cyZ9i9rJdCW66dDd4YLAqezT4jl0uKlngTAQMi0c:LEJdCNsd4/TWyuTln0

Score
10/10
redlinedownpolodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

polo

C2

193.233.20.31:4125

Attributes
  • auth_value

    f1a1b1041a864e0f1f788d42ececa8b3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0594fbb5bb3359d8f4f25a151f0c85b30ff39fba49f2b0a4c18ee850016c4afd.exe
    "C:\Users\Admin\AppData\Local\Temp\0594fbb5bb3359d8f4f25a151f0c85b30ff39fba49f2b0a4c18ee850016c4afd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7819.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7819.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7296.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7296.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8079.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8079.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4140
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu9496.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu9496.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4336
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rtf78s06.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rtf78s06.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si196361.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si196361.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si196361.exe
    Filesize

    175KB

    MD5

    44a26d7004f8b65e1a8bac0ccac86d6a

    SHA1

    30b583c2c04c1167703ae255b4d44b96b411c8ff

    SHA256

    37384f1bfb6d2193e4ece0ed1f6989f9ebd238e7b4582e1aedfa136cdfd07eb9

    SHA512

    17788355a5190ca17ead744cad71ebb7cfc7ceb84625310d31a469af0fbd50b2c304ce969530e99effeb0d23b0530b57a001f02fe918abc40ea68ad336fa187b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si196361.exe
    Filesize

    175KB

    MD5

    44a26d7004f8b65e1a8bac0ccac86d6a

    SHA1

    30b583c2c04c1167703ae255b4d44b96b411c8ff

    SHA256

    37384f1bfb6d2193e4ece0ed1f6989f9ebd238e7b4582e1aedfa136cdfd07eb9

    SHA512

    17788355a5190ca17ead744cad71ebb7cfc7ceb84625310d31a469af0fbd50b2c304ce969530e99effeb0d23b0530b57a001f02fe918abc40ea68ad336fa187b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7819.exe
    Filesize

    765KB

    MD5

    d778c7595ad0c4dadca7a71dcc7f4bc9

    SHA1

    61fcc7ee5b6bcfb7f067e4987c72714f0a0fec7c

    SHA256

    19a9cdf327f7f3fb5f661c4f43bee98c2fb6d5c29cc9d428697e9f4124af8df4

    SHA512

    a3b02c3a85222e7113cba52ac54a13104fb009658da26feed255859f6f1f0f53b51dec86445efe07357013da1c5f88a528c60299d5a457accae3fb13eac41e22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7819.exe
    Filesize

    765KB

    MD5

    d778c7595ad0c4dadca7a71dcc7f4bc9

    SHA1

    61fcc7ee5b6bcfb7f067e4987c72714f0a0fec7c

    SHA256

    19a9cdf327f7f3fb5f661c4f43bee98c2fb6d5c29cc9d428697e9f4124af8df4

    SHA512

    a3b02c3a85222e7113cba52ac54a13104fb009658da26feed255859f6f1f0f53b51dec86445efe07357013da1c5f88a528c60299d5a457accae3fb13eac41e22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rtf78s06.exe
    Filesize

    457KB

    MD5

    d16496a878f7f1571b21e70381978c63

    SHA1

    dfb7502a948f45a40a8a89acc38d075c9f727477

    SHA256

    ee0fd4f066c93f1278d0c099fd991f3cb95b71e3d53ee9708c41814434295a0d

    SHA512

    68b714d24735f9da0cfaa589d3a09aa64e9d9d81181e7fa403c659de54e56e9956c43b16c1ef8c3db7db7351537c0f1a9459f8da76a4261898ae0c7f2b6f9833

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rtf78s06.exe
    Filesize

    457KB

    MD5

    d16496a878f7f1571b21e70381978c63

    SHA1

    dfb7502a948f45a40a8a89acc38d075c9f727477

    SHA256

    ee0fd4f066c93f1278d0c099fd991f3cb95b71e3d53ee9708c41814434295a0d

    SHA512

    68b714d24735f9da0cfaa589d3a09aa64e9d9d81181e7fa403c659de54e56e9956c43b16c1ef8c3db7db7351537c0f1a9459f8da76a4261898ae0c7f2b6f9833

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7296.exe
    Filesize

    379KB

    MD5

    e0fc79bed6f6e44769fd954e98f5d960

    SHA1

    89f010e3f623c019c079bc6e9a4954bfd2eb082a

    SHA256

    d42c381eb442a376b00c42a1bfd89b8bd9423648152b99340b220066448ba371

    SHA512

    09e666ba5a710f56879395dce11362d3fdef751810a5ddd6b17ff659b6e8a42f8c3377cf5c5098595d9e2d46c2972a098acd8b78d55e185f7cab55eff8eae991

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7296.exe
    Filesize

    379KB

    MD5

    e0fc79bed6f6e44769fd954e98f5d960

    SHA1

    89f010e3f623c019c079bc6e9a4954bfd2eb082a

    SHA256

    d42c381eb442a376b00c42a1bfd89b8bd9423648152b99340b220066448ba371

    SHA512

    09e666ba5a710f56879395dce11362d3fdef751810a5ddd6b17ff659b6e8a42f8c3377cf5c5098595d9e2d46c2972a098acd8b78d55e185f7cab55eff8eae991

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8079.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8079.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu9496.exe
    Filesize

    399KB

    MD5

    1b0907bbaaa35c3c5e0d6437425e249d

    SHA1

    055862d37c9c24aff51db7aa4ef63900e4f16e3b

    SHA256

    3efcff0d93860d36f0a973a41590c26770c8b4c230305dc8ffcc13b207966a64

    SHA512

    550154cf6678449e209d79f313e8d4ffda0a45fc799601238250259740ae21236a4cef19c523808e1666b2d11ad4e1bd568f9e8a93137e33da1dacb18e054f9f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu9496.exe
    Filesize

    399KB

    MD5

    1b0907bbaaa35c3c5e0d6437425e249d

    SHA1

    055862d37c9c24aff51db7aa4ef63900e4f16e3b

    SHA256

    3efcff0d93860d36f0a973a41590c26770c8b4c230305dc8ffcc13b207966a64

    SHA512

    550154cf6678449e209d79f313e8d4ffda0a45fc799601238250259740ae21236a4cef19c523808e1666b2d11ad4e1bd568f9e8a93137e33da1dacb18e054f9f

    Download Submit

  • memory/1924-1100-0x0000000005370000-0x0000000005976000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1924-1102-0x0000000004DF0000-0x0000000004E02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1924-1114-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1924-1113-0x0000000006790000-0x0000000006CBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1924-1112-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1924-1111-0x00000000065C0000-0x0000000006782000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1924-1110-0x0000000006550000-0x00000000065A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1924-1109-0x00000000064D0000-0x0000000006546000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1924-1108-0x00000000062C0000-0x0000000006352000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1924-1107-0x0000000005D20000-0x0000000005D86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1924-1105-0x0000000005B90000-0x0000000005BDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1924-1104-0x0000000004E10000-0x0000000004E4E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-1103-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1924-1101-0x0000000005980000-0x0000000005A8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1924-227-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-225-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-223-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-221-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-219-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-217-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-215-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-213-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-211-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-190-0x00000000023C0000-0x0000000002406000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1924-191-0x0000000000810000-0x000000000085B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1924-193-0x0000000002650000-0x0000000002694000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1924-192-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1924-194-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-197-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-195-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-199-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-201-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-203-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-205-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-207-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1924-209-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3500-1122-0x0000000005570000-0x00000000055BB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3500-1121-0x0000000005740000-0x0000000005750000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3500-1120-0x0000000000B30000-0x0000000000B62000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4140-142-0x0000000000850000-0x000000000085A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4336-158-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-168-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-180-0x0000000002270000-0x0000000002280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-179-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4336-178-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-149-0x0000000004C30000-0x000000000512E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4336-176-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-152-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-172-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-174-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-150-0x0000000005170000-0x0000000005188000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4336-181-0x0000000002270000-0x0000000002280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-170-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-164-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-166-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-160-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-162-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-151-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-156-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-148-0x0000000002250000-0x000000000226A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4336-182-0x0000000002270000-0x0000000002280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-183-0x0000000000400000-0x0000000000726000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4336-185-0x0000000000400000-0x0000000000726000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4336-154-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download