Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b783d5e0cd087a6d5452dbe00f019cdb6963d7c57f007fabe343689ddd135484.exe

  • Size

    539KB

  • MD5

    40466192f9a263edc5618d17b4f4899a

  • SHA1

    2103ae06c34f1c287e801fc00155fc7d128c1451

  • SHA256

    b783d5e0cd087a6d5452dbe00f019cdb6963d7c57f007fabe343689ddd135484

  • SHA512

    917df2f09d810e35e7e292108a27bff2265c73a71edcef84fad8780e1e568fc4438e0656e085933d7e02ad4d456bbd9abdfb3ba1fe4f583bb99d0c6b21f01ebc

  • SSDEEP

    12288:BMriy90YEJzlZPkZQxhE1TzQDZMWrPrQd4Hxmu/o/iDO/r:bym4Qx0/QVrPrQ+xme2ia/r

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b783d5e0cd087a6d5452dbe00f019cdb6963d7c57f007fabe343689ddd135484.exe
    "C:\Users\Admin\AppData\Local\Temp\b783d5e0cd087a6d5452dbe00f019cdb6963d7c57f007fabe343689ddd135484.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7645.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7645.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2588.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2588.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1420
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2466.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2466.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966928.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966928.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966928.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7645.exe
    Filesize

    397KB

    MD5

    ab5de4630d50ac6a376e6fffa970afa0

    SHA1

    fc1e6e51aa27752386c786e389af1f2f6d43098e

    SHA256

    e00d3d8c95153bfb732055524776adae7b00509faf9b232f21eb1e09094d817d

    SHA512

    f4f4db940e3fd5dd53061fcd9eebb5aa0b808b3d6b0d6257c204cb45137fa73543deec27c3144bc5946bb0272700a9cae8a2ec8063a76e8f14e7118c0a00132b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7645.exe
    Filesize

    397KB

    MD5

    ab5de4630d50ac6a376e6fffa970afa0

    SHA1

    fc1e6e51aa27752386c786e389af1f2f6d43098e

    SHA256

    e00d3d8c95153bfb732055524776adae7b00509faf9b232f21eb1e09094d817d

    SHA512

    f4f4db940e3fd5dd53061fcd9eebb5aa0b808b3d6b0d6257c204cb45137fa73543deec27c3144bc5946bb0272700a9cae8a2ec8063a76e8f14e7118c0a00132b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2588.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2588.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2466.exe
    Filesize

    355KB

    MD5

    398fb3b9345e57a4a123d897f22ce8a5

    SHA1

    d243e1bd3dc88a59a53bd7b74611a89eebfe3ca5

    SHA256

    1c6e045014535124181a33d4a2fa59b24a78e97ee7201510c0bab7435da73ed5

    SHA512

    a1764a0261cb99e53ef06d69e7cc145ea111c1838222dfb356be364a4b3e8ceb3ba8441a151b320aa921329a3c14a70a61c6726c027c9f2c6b1f5a2b7e8b8ea0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2466.exe
    Filesize

    355KB

    MD5

    398fb3b9345e57a4a123d897f22ce8a5

    SHA1

    d243e1bd3dc88a59a53bd7b74611a89eebfe3ca5

    SHA256

    1c6e045014535124181a33d4a2fa59b24a78e97ee7201510c0bab7435da73ed5

    SHA512

    a1764a0261cb99e53ef06d69e7cc145ea111c1838222dfb356be364a4b3e8ceb3ba8441a151b320aa921329a3c14a70a61c6726c027c9f2c6b1f5a2b7e8b8ea0

    Download Submit

  • memory/1420-134-0x0000000000800000-0x000000000080A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3796-1074-0x0000000000130000-0x0000000000162000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3796-1075-0x00000000049F0000-0x0000000004A3B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3796-1076-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-174-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-188-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-144-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-142-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-145-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-146-0x00000000070F0000-0x0000000007134000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4644-147-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-150-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-148-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-152-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-154-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-156-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-158-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-160-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-162-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-164-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-166-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-168-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-170-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-172-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-141-0x0000000002CC0000-0x0000000002D0B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4644-176-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-178-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-180-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-182-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-184-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-186-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-143-0x00000000071B0000-0x00000000076AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4644-190-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-192-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-194-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-196-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-198-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-200-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-202-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-204-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-206-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-208-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-210-0x00000000070F0000-0x000000000712E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-1053-0x0000000007CC0000-0x00000000082C6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4644-1054-0x0000000007720000-0x000000000782A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4644-1055-0x0000000007860000-0x0000000007872000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4644-1056-0x0000000007880000-0x00000000078BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4644-1057-0x00000000079D0000-0x0000000007A1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4644-1058-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-1060-0x0000000007B60000-0x0000000007BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4644-1061-0x0000000008860000-0x00000000088F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4644-1062-0x0000000008900000-0x0000000008976000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4644-1063-0x0000000008980000-0x00000000089D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4644-1064-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-140-0x0000000007060000-0x00000000070A6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4644-1065-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-1066-0x0000000008D90000-0x0000000008F52000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4644-1067-0x0000000008F60000-0x000000000948C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4644-1068-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download