Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    89s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-03-2023 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4761043cd3a5b7ff72232c297e06d26a4318841c9797b32b03bbe2ec69bfa3d4.exe

  • Size

    544KB

  • MD5

    552f0b59cbe0ef9b0c3ab4808349bcf0

  • SHA1

    f57f3273db19097a9340a458be7d0aad4c6cfdbb

  • SHA256

    4761043cd3a5b7ff72232c297e06d26a4318841c9797b32b03bbe2ec69bfa3d4

  • SHA512

    8b65a5433151219569cfa93ca88a1905c82fcfd684bd41b81bceea74f865a86562aa9386d754f408afee5a1bf8d9a1d76a679c299ae02df8faacc7cf9f023949

  • SSDEEP

    12288:wMrKy90Zg8dDhsJ7SbPSJuIjp8mqgU4MLjwJwO+Ull4fN:qywDmSbPlSlMvm+UUN

Score
10/10
redlinedownlowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

C2

193.233.20.31:4125

Attributes
  • auth_value

    4cf836e062bcdc2a4fdbf410f5747ec7

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4761043cd3a5b7ff72232c297e06d26a4318841c9797b32b03bbe2ec69bfa3d4.exe
    "C:\Users\Admin\AppData\Local\Temp\4761043cd3a5b7ff72232c297e06d26a4318841c9797b32b03bbe2ec69bfa3d4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1687.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1687.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h59eg54.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h59eg54.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iNpcB47.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iNpcB47.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97Ho96.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97Ho96.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97Ho96.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97Ho96.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1687.exe
    Filesize

    402KB

    MD5

    3fcda632f2f22f587f34cdfa1315b8ae

    SHA1

    9174917f3e4381b18dd61b09a5c187ce6b2c938b

    SHA256

    cd7559cdb1a8581ffbcdac3609c9d61afbe15f3ef53051419e3411631bc39a05

    SHA512

    853b8f15c78fb1b26543da51e59373d8e2ae18ce1d5a040f789c5c33e83c9bace092a440e98ea322f3073d0098973de2025e362c5926dc7bb6ffb9a341e78b6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1687.exe
    Filesize

    402KB

    MD5

    3fcda632f2f22f587f34cdfa1315b8ae

    SHA1

    9174917f3e4381b18dd61b09a5c187ce6b2c938b

    SHA256

    cd7559cdb1a8581ffbcdac3609c9d61afbe15f3ef53051419e3411631bc39a05

    SHA512

    853b8f15c78fb1b26543da51e59373d8e2ae18ce1d5a040f789c5c33e83c9bace092a440e98ea322f3073d0098973de2025e362c5926dc7bb6ffb9a341e78b6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h59eg54.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h59eg54.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iNpcB47.exe
    Filesize

    349KB

    MD5

    0efe40cd309f890cf93035c90dee4c6b

    SHA1

    05df61032bc4740c12c98fa8330e5d1d81c2dedd

    SHA256

    f1be074ce779c2f395755f0cc5f1de62329174d61534490df307c7ee0eb1685d

    SHA512

    c972e438462855602e8cd8006d69c68ce7da8d312c94d1bf51ae1c76b5307e6126c9cdb84a4bbd2d5880554a7e224a6ad3789c62d1597f2b9f12f20f5d71ba23

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iNpcB47.exe
    Filesize

    349KB

    MD5

    0efe40cd309f890cf93035c90dee4c6b

    SHA1

    05df61032bc4740c12c98fa8330e5d1d81c2dedd

    SHA256

    f1be074ce779c2f395755f0cc5f1de62329174d61534490df307c7ee0eb1685d

    SHA512

    c972e438462855602e8cd8006d69c68ce7da8d312c94d1bf51ae1c76b5307e6126c9cdb84a4bbd2d5880554a7e224a6ad3789c62d1597f2b9f12f20f5d71ba23

    Download Submit
  • memory/4252-133-0x0000000000700000-0x000000000070A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4292-139-0x0000000002390000-0x00000000023D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4292-140-0x0000000004F00000-0x00000000053FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4292-141-0x0000000000720000-0x000000000076B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4292-142-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-143-0x0000000002640000-0x0000000002684000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4292-145-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-144-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-146-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-147-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-149-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-153-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-155-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-151-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-157-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-159-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-161-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-163-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-165-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-167-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-169-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-171-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-173-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-175-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-177-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-179-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-181-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-183-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-185-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-187-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-189-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-191-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-193-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-195-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-197-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-199-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-201-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-203-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-205-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-207-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-209-0x0000000002640000-0x000000000267E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-1052-0x0000000005400000-0x0000000005A06000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4292-1053-0x0000000005A10000-0x0000000005B1A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4292-1054-0x0000000005B40000-0x0000000005B52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4292-1055-0x0000000005B60000-0x0000000005B9E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4292-1056-0x0000000005CB0000-0x0000000005CFB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4292-1057-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-1059-0x0000000005E40000-0x0000000005EA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4292-1060-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-1061-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-1062-0x00000000063E0000-0x0000000006472000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4292-1063-0x0000000006970000-0x00000000069E6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4292-1064-0x00000000069F0000-0x0000000006A40000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4292-1065-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4292-1066-0x0000000006BA0000-0x0000000006D62000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4292-1067-0x0000000006D70000-0x000000000729C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4428-1073-0x0000000000650000-0x0000000000682000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4428-1074-0x0000000005090000-0x00000000050DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4428-1075-0x0000000005270000-0x0000000005280000-memory.dmp
    Filesize

    64KB

    Download