Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23/03/2023, 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8218958e7f0108b30e117d1c097ba5c06bca4d6fa5d6605d25d8acc04fd1d70a.exe

  • Size

    540KB

  • MD5

    22ace072f29a8e24be6a619455b5d92e

  • SHA1

    5683f87ab4d07d4e789e5fd532a97f8c34d4863f

  • SHA256

    8218958e7f0108b30e117d1c097ba5c06bca4d6fa5d6605d25d8acc04fd1d70a

  • SHA512

    8333874ca1974ad6afb2d08fdc7c582d1e8d0fb565682d83e0bbb693cd35f4fac8d4217ce47919a718b0ae2c51df69db9f02cb27e8bea9231d37df6c0f88a7c9

  • SSDEEP

    12288:1Mriy90jHeiMY/iTNj4wuZ7ZiBcgOqLaBhtz0U3B6ZpuXn5uVp33:LySMYqZUw47s7OqLIiBEX5uVd3

Score
10/10
redlinedownlowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

C2

193.233.20.31:4125

Attributes
  • auth_value

    4cf836e062bcdc2a4fdbf410f5747ec7

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8218958e7f0108b30e117d1c097ba5c06bca4d6fa5d6605d25d8acc04fd1d70a.exe
    "C:\Users\Admin\AppData\Local\Temp\8218958e7f0108b30e117d1c097ba5c06bca4d6fa5d6605d25d8acc04fd1d70a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7448.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7448.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h68oB03.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h68oB03.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPsRP72.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPsRP72.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49Fd04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49Fd04.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49Fd04.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49Fd04.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7448.exe
    Filesize

    397KB

    MD5

    a1873246e9eb5dfb2aced3d1ce210f0d

    SHA1

    4c3202259983d1aa2066d995f359366fb3b6c973

    SHA256

    69a93cfed125e9649838749c750b1f05f02854f308c2e643df2a9b67415b550b

    SHA512

    a0acd3929920342c338243ec1d11d597c4df3b77c8c0a6696dba88900d4211310af241ff55c2853c331359eb891d51d6cef7680ee4490d9462a4a58b258a9563

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7448.exe
    Filesize

    397KB

    MD5

    a1873246e9eb5dfb2aced3d1ce210f0d

    SHA1

    4c3202259983d1aa2066d995f359366fb3b6c973

    SHA256

    69a93cfed125e9649838749c750b1f05f02854f308c2e643df2a9b67415b550b

    SHA512

    a0acd3929920342c338243ec1d11d597c4df3b77c8c0a6696dba88900d4211310af241ff55c2853c331359eb891d51d6cef7680ee4490d9462a4a58b258a9563

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h68oB03.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h68oB03.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPsRP72.exe
    Filesize

    357KB

    MD5

    db22f63847db0588183d33e3a9da1651

    SHA1

    9dfde38ad7b2dcdf977a15ca90d7432a6256fcd4

    SHA256

    3eabbc0c963309b5a64095aaf3c9cdef789539ad64a62c3bd80202b7f122f240

    SHA512

    90c7e478437c70fc6edb0958faef040ec5d52825f3457ba8e25256f025f26bc8b39606f8f63d303122aa676bf1338ea6f2c9f92224efcbd1552056eb3b0dd6be

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPsRP72.exe
    Filesize

    357KB

    MD5

    db22f63847db0588183d33e3a9da1651

    SHA1

    9dfde38ad7b2dcdf977a15ca90d7432a6256fcd4

    SHA256

    3eabbc0c963309b5a64095aaf3c9cdef789539ad64a62c3bd80202b7f122f240

    SHA512

    90c7e478437c70fc6edb0958faef040ec5d52825f3457ba8e25256f025f26bc8b39606f8f63d303122aa676bf1338ea6f2c9f92224efcbd1552056eb3b0dd6be

    Download Submit

  • memory/2656-135-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2756-141-0x0000000002B90000-0x0000000002BDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2756-142-0x0000000004B30000-0x0000000004B76000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2756-143-0x0000000007370000-0x000000000786E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2756-144-0x0000000004CD0000-0x0000000004D14000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2756-145-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-146-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-150-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-148-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-152-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-154-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-156-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-158-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-160-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-162-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-168-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-172-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-170-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-174-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-166-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-164-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-178-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-182-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-184-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-180-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-186-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-189-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-193-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-191-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-201-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-211-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-209-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-207-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-205-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-203-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-199-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-197-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-195-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-192-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-188-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-176-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-1054-0x0000000007E80000-0x0000000008486000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2756-1055-0x0000000007870000-0x000000000797A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2756-1056-0x00000000079A0000-0x00000000079B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2756-1057-0x00000000079C0000-0x00000000079FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2756-1058-0x0000000007B10000-0x0000000007B5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2756-1059-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-1061-0x0000000007CA0000-0x0000000007D06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2756-1062-0x00000000089A0000-0x0000000008A32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2756-1063-0x0000000008B40000-0x0000000008BB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2756-1064-0x0000000008BC0000-0x0000000008C10000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2756-1065-0x0000000008C50000-0x0000000008E12000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2756-1066-0x0000000008E20000-0x000000000934C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2756-1067-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-1068-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-1069-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-1075-0x0000000000980000-0x00000000009B2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4592-1076-0x00000000053C0000-0x000000000540B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4592-1077-0x0000000005210000-0x0000000005220000-memory.dmp

    Filesize

    64KB

    Download