Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    59s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23/03/2023, 20:37 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a4de5508379fd1a3879217b02bff52b64c556a08d86a54979340a0ae3ed731e.exe

  • Size

    544KB

  • MD5

    bd05df9bbce1d69c9605755ddf7af88b

  • SHA1

    855746685a67cf1198136f175adaf7d1385cc62e

  • SHA256

    9a4de5508379fd1a3879217b02bff52b64c556a08d86a54979340a0ae3ed731e

  • SHA512

    2934f265f953af8b8235afa8e915a009bc37c57c997ee58bb07e7be532fba16b669a4d53312f22af80c26d213c75dc5c1fa3987e628ad40e799918124a5aa452

  • SSDEEP

    12288:DMrIy90bfj36Qkdo65Mryt8j/GcEqgUHMLqwhK+pPHK:fyg76NG6S+G/ACMe6pPq

Score
10/10
redlinedownrealdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

real

C2

193.233.20.31:4125

Attributes
  • auth_value

    bb22a50228754849387d5f4d1611e71b

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a4de5508379fd1a3879217b02bff52b64c556a08d86a54979340a0ae3ed731e.exe
    "C:\Users\Admin\AppData\Local\Temp\9a4de5508379fd1a3879217b02bff52b64c556a08d86a54979340a0ae3ed731e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3036.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3036.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7637.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7637.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7562.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7562.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4928
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097466.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097466.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152

Network

  • flag-us
    DNS
    31.20.233.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.20.233.193.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    203.151.224.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.151.224.20.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.31:4125
    qu7562.exe
    4.2MB
     54.0kB
     3018
    1196
  • 20.50.201.195:443
    322 B
     7
  • 88.221.25.155:80
    322 B
     7
  • 193.233.20.31:4125
    si097466.exe
    4.2MB
     55.3kB
     3013
    1229
  • 8.8.8.8:53
    31.20.233.193.in-addr.arpa
    dns
    72 B
     127 B
     1
    1

    DNS Request

    31.20.233.193.in-addr.arpa

  • 8.8.8.8:53
    203.151.224.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    203.151.224.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097466.exe
    Filesize

    175KB

    MD5

    41707338e1e2d868aa699ac0dd2e77b0

    SHA1

    36e0dfba09f9fb409faf0f9a99217d0d0c524b82

    SHA256

    8d2a5ba6ae16aa5ee13382edb585c480b6bf2db098427ffe5f8d55323ded7557

    SHA512

    80c66cbf19f6b2cc2e979b1fd1769cf45957761fa3f94b33fc194f88379b57ec9327a86ce374c6dc25334b44e4e8aa518a5d0d03ddb4f4eddfdfe8ddfc9fb6f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097466.exe
    Filesize

    175KB

    MD5

    41707338e1e2d868aa699ac0dd2e77b0

    SHA1

    36e0dfba09f9fb409faf0f9a99217d0d0c524b82

    SHA256

    8d2a5ba6ae16aa5ee13382edb585c480b6bf2db098427ffe5f8d55323ded7557

    SHA512

    80c66cbf19f6b2cc2e979b1fd1769cf45957761fa3f94b33fc194f88379b57ec9327a86ce374c6dc25334b44e4e8aa518a5d0d03ddb4f4eddfdfe8ddfc9fb6f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3036.exe
    Filesize

    402KB

    MD5

    8e2004f13d056ac0fcb6e7e5bfd1b6c6

    SHA1

    6ffc51af6349c0e8b27fee720f8ff18e2519c0c8

    SHA256

    bfa68a410323d7bbb01ccaab23630431562e62a3064fa3a133ebe115fb7cf15d

    SHA512

    3b0737aaba991e828eae4df8c2bdcb7d41bd9432945ccd15e3b02b4b6e57cbad5fdd7a824d37c62736cd1b29612864ed9c2d540eb3cbd01afe4608b0f91f1c4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3036.exe
    Filesize

    402KB

    MD5

    8e2004f13d056ac0fcb6e7e5bfd1b6c6

    SHA1

    6ffc51af6349c0e8b27fee720f8ff18e2519c0c8

    SHA256

    bfa68a410323d7bbb01ccaab23630431562e62a3064fa3a133ebe115fb7cf15d

    SHA512

    3b0737aaba991e828eae4df8c2bdcb7d41bd9432945ccd15e3b02b4b6e57cbad5fdd7a824d37c62736cd1b29612864ed9c2d540eb3cbd01afe4608b0f91f1c4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7637.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7637.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7562.exe
    Filesize

    349KB

    MD5

    8f0e2e16185c0ae19a6757f478c95180

    SHA1

    f5f19b962dd23bb3988b2bf1cf1a49035fa1b2cb

    SHA256

    282b26b6b3ba7190e068d55702c46fa501f20846217c0e91f3faaf186266c548

    SHA512

    504d7927d0e7628b4c8598c1ba1badbca56b346efa53a4032759505adc56c81983e5aa52371c3a81f4b73d12bfb014b4cd245187abbaaab4b75da0fb6783aaa6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7562.exe
    Filesize

    349KB

    MD5

    8f0e2e16185c0ae19a6757f478c95180

    SHA1

    f5f19b962dd23bb3988b2bf1cf1a49035fa1b2cb

    SHA256

    282b26b6b3ba7190e068d55702c46fa501f20846217c0e91f3faaf186266c548

    SHA512

    504d7927d0e7628b4c8598c1ba1badbca56b346efa53a4032759505adc56c81983e5aa52371c3a81f4b73d12bfb014b4cd245187abbaaab4b75da0fb6783aaa6

    Download Submit

  • memory/2152-1074-0x0000000000380000-0x00000000003B2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2152-1075-0x0000000004DC0000-0x0000000004E0B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2152-1076-0x0000000004F50000-0x0000000004F60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-135-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4928-175-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-189-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-144-0x0000000004E60000-0x000000000535E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4928-145-0x0000000002740000-0x0000000002784000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4928-146-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4928-147-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4928-148-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-149-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-151-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-153-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-155-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-157-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-159-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-161-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-163-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-165-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-167-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-169-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-171-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-173-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-142-0x0000000002350000-0x0000000002396000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4928-177-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-179-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-181-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-183-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-185-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-187-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-143-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4928-191-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-193-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-195-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-197-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-199-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-201-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-203-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-205-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-207-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-209-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-211-0x0000000002740000-0x000000000277E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-1054-0x0000000005360000-0x0000000005966000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4928-1055-0x0000000005970000-0x0000000005A7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4928-1056-0x0000000002890000-0x00000000028A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4928-1057-0x00000000028B0000-0x00000000028EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4928-1058-0x0000000005B80000-0x0000000005BCB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4928-1060-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4928-1061-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4928-1062-0x0000000005D00000-0x0000000005D66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4928-1063-0x00000000063F0000-0x0000000006482000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4928-141-0x0000000000820000-0x000000000086B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4928-1064-0x00000000065B0000-0x0000000006772000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4928-1065-0x0000000006780000-0x0000000006CAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4928-1067-0x00000000081E0000-0x0000000008256000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4928-1068-0x0000000008270000-0x00000000082C0000-memory.dmp

    Filesize

    320KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.