Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4068eadf0013392251b6f3052357f5d6df9aacf95009e75c12b0f246b8bf47a7.exe

  • Size

    540KB

  • MD5

    b49051d98fbc805defc50b5f1c891b0d

  • SHA1

    4e20e42293592441f5a0505697ea15f4f46114f8

  • SHA256

    4068eadf0013392251b6f3052357f5d6df9aacf95009e75c12b0f246b8bf47a7

  • SHA512

    aa5b0a55338017cd7a40d8b845d6dc8b4f76ee387d4edd86e7527025380ebbbfc1f137a0e066205cf12a81deb1b75b2f551a4cbc21d5ab738d2430ee21e7756f

  • SSDEEP

    12288:lMrCy9020GiSwnIKoVNl6JLnLLAr0De7M933qLVhX3v75T:by/0xNFoV2J7c0T33q7X3v75T

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4068eadf0013392251b6f3052357f5d6df9aacf95009e75c12b0f246b8bf47a7.exe
    "C:\Users\Admin\AppData\Local\Temp\4068eadf0013392251b6f3052357f5d6df9aacf95009e75c12b0f246b8bf47a7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8523.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8523.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6238.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6238.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2845.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2845.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4140
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si587289.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si587289.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4608

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si587289.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si587289.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8523.exe
    Filesize

    397KB

    MD5

    6c7704019024a5c213e516c89241df76

    SHA1

    0ca3bb34892e1854dd96c8af76dbd8261633cc1a

    SHA256

    87fb1a9a06d5985e59d43131b892a074ffd2b3ff61af5e11bfbca60af65b40ba

    SHA512

    1d56cfd712f6484ce24e99d8b6451e323799cc32cba9488865b2f496ccd69d6dc5e2a935ac78fec28ab0e23d89a9dded6039551d31078af3dc3e34d72831f95f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8523.exe
    Filesize

    397KB

    MD5

    6c7704019024a5c213e516c89241df76

    SHA1

    0ca3bb34892e1854dd96c8af76dbd8261633cc1a

    SHA256

    87fb1a9a06d5985e59d43131b892a074ffd2b3ff61af5e11bfbca60af65b40ba

    SHA512

    1d56cfd712f6484ce24e99d8b6451e323799cc32cba9488865b2f496ccd69d6dc5e2a935ac78fec28ab0e23d89a9dded6039551d31078af3dc3e34d72831f95f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6238.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6238.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2845.exe
    Filesize

    355KB

    MD5

    ee122365f9e9360e5cfbfb1b3c44f353

    SHA1

    715d94c5d71011e27daa17c80b92b309998492c5

    SHA256

    da0ee13c264ee844f6c799d3f3407043f3c6f887ee25471cf3613a8264e6e4ca

    SHA512

    84de414758037e8df4022949ead7e36ca57c90209668d55b1c45268c0d795b4816b1324c5c194913a2565e04c113710ec8b37d0d45f826b6fcd9a255451db4a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2845.exe
    Filesize

    355KB

    MD5

    ee122365f9e9360e5cfbfb1b3c44f353

    SHA1

    715d94c5d71011e27daa17c80b92b309998492c5

    SHA256

    da0ee13c264ee844f6c799d3f3407043f3c6f887ee25471cf3613a8264e6e4ca

    SHA512

    84de414758037e8df4022949ead7e36ca57c90209668d55b1c45268c0d795b4816b1324c5c194913a2565e04c113710ec8b37d0d45f826b6fcd9a255451db4a2

    Download Submit

  • memory/4140-140-0x0000000004C40000-0x0000000004C86000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4140-141-0x00000000072F0000-0x00000000077EE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4140-142-0x0000000004CC0000-0x0000000004D04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4140-143-0x0000000002BF0000-0x0000000002C3B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4140-145-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-146-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-144-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-147-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-148-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-150-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-152-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-154-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-156-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-158-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-160-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-162-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-164-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-166-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-168-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-170-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-172-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-174-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-176-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-178-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-180-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-182-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-184-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-186-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-188-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-190-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-192-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-194-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-196-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-198-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-204-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-206-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-208-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-210-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-1053-0x0000000007E00000-0x0000000008406000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4140-1054-0x0000000007860000-0x000000000796A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4140-1055-0x00000000079A0000-0x00000000079B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4140-1056-0x00000000079C0000-0x00000000079FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-1057-0x0000000007B10000-0x0000000007B5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4140-1058-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-1060-0x0000000007CA0000-0x0000000007D06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4140-1061-0x00000000089A0000-0x0000000008A32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4140-1062-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-1063-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-1064-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4140-1065-0x0000000008BB0000-0x0000000008D72000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4140-1066-0x0000000008D80000-0x00000000092AC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4140-1067-0x00000000093E0000-0x0000000009456000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4140-1068-0x0000000009460000-0x00000000094B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4140-1069-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4168-134-0x0000000000950000-0x000000000095A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4608-1075-0x0000000000350000-0x0000000000382000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4608-1076-0x0000000004D90000-0x0000000004DDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4608-1077-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download