Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-03-2023 16:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    395e358ab8e7685f16c6858ff17359d5987db7cc71abf78ba5f8a4fffaf84846.exe

  • Size

    544KB

  • MD5

    e9cde2f39a3eb3d9573f06e83518a948

  • SHA1

    98cac3864f9c8b8d7e045bb1e591f7af3e14f443

  • SHA256

    395e358ab8e7685f16c6858ff17359d5987db7cc71abf78ba5f8a4fffaf84846

  • SHA512

    8f15634d9e33297b9a747a958b17156e7530cfacbfcd1443ba2a562a6c48e4926c32db2bce4e420c75d3280536f9faeeb0a236ed833cba8a4d327d9521f38326

  • SSDEEP

    12288:bMrIy90L3bHNmKe9Rx3jWLTCUa406JZqiV:HyupFepinC743qiV

Score
10/10
redlinedownlowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

C2

193.233.20.31:4125

Attributes
  • auth_value

    4cf836e062bcdc2a4fdbf410f5747ec7

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\395e358ab8e7685f16c6858ff17359d5987db7cc71abf78ba5f8a4fffaf84846.exe
    "C:\Users\Admin\AppData\Local\Temp\395e358ab8e7685f16c6858ff17359d5987db7cc71abf78ba5f8a4fffaf84846.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0909.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0909.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h12Aj03.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h12Aj03.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\idlrg24.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\idlrg24.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l31nS88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l31nS88.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l31nS88.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l31nS88.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0909.exe
    Filesize

    402KB

    MD5

    0770fbfcc17640734dc666e9930f1cca

    SHA1

    4ff70452e67d0e018553cd34c4a2dafe3096789c

    SHA256

    942dfac25dfc7afcb98dd7199fb5600c56a2a446179b32fb7168c3b8a5c1bb7f

    SHA512

    2835811c5e18a442d0dc821d8c047f2d7dd844e54e6ce1b62189aacec3ea19d88c0c53f6ffbbadb06c55f8a66ee75b9d9bc763250d5fa358550255be013086f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0909.exe
    Filesize

    402KB

    MD5

    0770fbfcc17640734dc666e9930f1cca

    SHA1

    4ff70452e67d0e018553cd34c4a2dafe3096789c

    SHA256

    942dfac25dfc7afcb98dd7199fb5600c56a2a446179b32fb7168c3b8a5c1bb7f

    SHA512

    2835811c5e18a442d0dc821d8c047f2d7dd844e54e6ce1b62189aacec3ea19d88c0c53f6ffbbadb06c55f8a66ee75b9d9bc763250d5fa358550255be013086f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h12Aj03.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h12Aj03.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\idlrg24.exe
    Filesize

    349KB

    MD5

    1ea61ec22e19a5df3185c3c11c540fd0

    SHA1

    6040367f971b14016c1fa3aa9ac8d72a92e0e1ef

    SHA256

    5e2d90b74c5ba527da820df1262ce80824ee65fa234cde15778cc79cf8906982

    SHA512

    4c9100c2c8bf278a5bb4350624a8891089a2473e694575e1c71f24cdd31ea81b69f70149dee505a9cd7a2858b2194eba400160d1625abf700dc8d0bd25e111cf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\idlrg24.exe
    Filesize

    349KB

    MD5

    1ea61ec22e19a5df3185c3c11c540fd0

    SHA1

    6040367f971b14016c1fa3aa9ac8d72a92e0e1ef

    SHA256

    5e2d90b74c5ba527da820df1262ce80824ee65fa234cde15778cc79cf8906982

    SHA512

    4c9100c2c8bf278a5bb4350624a8891089a2473e694575e1c71f24cdd31ea81b69f70149dee505a9cd7a2858b2194eba400160d1625abf700dc8d0bd25e111cf

    Download Submit
  • memory/3988-133-0x0000000000430000-0x000000000043A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4392-1073-0x0000000000350000-0x0000000000382000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4392-1074-0x0000000004D90000-0x0000000004DDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4392-1075-0x0000000004E90000-0x0000000004EA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-173-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-187-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-142-0x0000000000720000-0x000000000076B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4596-143-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-144-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-145-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-146-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-147-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-149-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-151-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-153-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-155-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-157-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-159-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-161-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-163-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-165-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-167-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-169-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-171-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-140-0x0000000004C90000-0x000000000518E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4596-175-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-177-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-179-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-181-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-183-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-185-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-141-0x0000000005190000-0x00000000051D4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4596-189-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-191-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-193-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-195-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-197-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-199-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-201-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-203-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-205-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-207-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-209-0x0000000005190000-0x00000000051CE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-1052-0x0000000005980000-0x0000000005F86000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4596-1053-0x00000000053F0000-0x00000000054FA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4596-1054-0x0000000005530000-0x0000000005542000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4596-1055-0x0000000005550000-0x000000000558E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4596-1056-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-1057-0x00000000056A0000-0x00000000056EB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4596-1059-0x0000000005830000-0x0000000005896000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4596-1060-0x0000000006530000-0x00000000065C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4596-1061-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-1062-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-1063-0x0000000002830000-0x0000000002840000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4596-139-0x00000000025C0000-0x0000000002606000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4596-1064-0x00000000066E0000-0x00000000068A2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4596-1065-0x00000000068D0000-0x0000000006DFC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4596-1066-0x00000000071C0000-0x0000000007236000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4596-1067-0x0000000007240000-0x0000000007290000-memory.dmp
    Filesize

    320KB

    Download