Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa17bccaaf909484936cd1ba19676e5338bf92162a0d942a1b47d88496b3691e.exe

  • Size

    539KB

  • MD5

    6219d4ad6f81abe710ea474c0466a12a

  • SHA1

    f84a0a6612b33c078f8887df30a57fa6b64e1258

  • SHA256

    fa17bccaaf909484936cd1ba19676e5338bf92162a0d942a1b47d88496b3691e

  • SHA512

    83a1f4fe47e29500de4f5ea3f3b94bf45f22bd51bcd8e76c5f65f0ffa76dd5fe6f7c529bfbcbdc740b2bf09c83075ae4a14678e14148ef36a29009557b54f35b

  • SSDEEP

    12288:lMrqy90kzG08MZ6gf5T/PQS6+bYrx5I4+6ro4xa8Y:DyrGc6yhQSFbY1QcxaZ

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa17bccaaf909484936cd1ba19676e5338bf92162a0d942a1b47d88496b3691e.exe
    "C:\Users\Admin\AppData\Local\Temp\fa17bccaaf909484936cd1ba19676e5338bf92162a0d942a1b47d88496b3691e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5998.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5998.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7205.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7205.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6811.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6811.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si004936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si004936.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si004936.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si004936.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5998.exe
    Filesize

    397KB

    MD5

    c6ac54dfea0ba9ff3214fb9ffa8776e2

    SHA1

    c3bf309353618009213857615bae3f6d0da1c6c7

    SHA256

    b30e8a3f4b7c7b82d182088ebe9dd97eec9d11359c3942c9ac78dbe1d59f810d

    SHA512

    5d00a07cc3f2baf4f3cd97662bad894f1e84095efd9fc84250f455c7f1aeb186b40a9d17f236bd92dcd848b97a6cb5289affa6ba5f7b9aed349cbe17f12d79bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5998.exe
    Filesize

    397KB

    MD5

    c6ac54dfea0ba9ff3214fb9ffa8776e2

    SHA1

    c3bf309353618009213857615bae3f6d0da1c6c7

    SHA256

    b30e8a3f4b7c7b82d182088ebe9dd97eec9d11359c3942c9ac78dbe1d59f810d

    SHA512

    5d00a07cc3f2baf4f3cd97662bad894f1e84095efd9fc84250f455c7f1aeb186b40a9d17f236bd92dcd848b97a6cb5289affa6ba5f7b9aed349cbe17f12d79bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7205.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7205.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6811.exe
    Filesize

    355KB

    MD5

    1cd72817b5d3d05acf48ed395fd29534

    SHA1

    7cd20fec1f6e591d3717a2ec8da091d5344fa12e

    SHA256

    a71561ea74863521d4eb9584a915a6376a4905a43e3206bdbf90d45ac50e683b

    SHA512

    ac626105fd9da492d56d78569624f6ebb43e85cd3d25dae5c3fb18f0627006c9b6af71248699049738399b24bb43b696eda4cf856859d39d539fd09861a1bd73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6811.exe
    Filesize

    355KB

    MD5

    1cd72817b5d3d05acf48ed395fd29534

    SHA1

    7cd20fec1f6e591d3717a2ec8da091d5344fa12e

    SHA256

    a71561ea74863521d4eb9584a915a6376a4905a43e3206bdbf90d45ac50e683b

    SHA512

    ac626105fd9da492d56d78569624f6ebb43e85cd3d25dae5c3fb18f0627006c9b6af71248699049738399b24bb43b696eda4cf856859d39d539fd09861a1bd73

    Download Submit

  • memory/3656-141-0x0000000004990000-0x00000000049D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3656-142-0x00000000072F0000-0x00000000077EE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3656-143-0x0000000007180000-0x00000000071C4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3656-144-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-145-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-149-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-147-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-151-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-153-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-155-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-157-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-159-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-161-0x0000000002B90000-0x0000000002BDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3656-163-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-162-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-166-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-165-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-167-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-169-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-171-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-173-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-175-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-177-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-179-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-181-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-183-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-185-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-187-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-189-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-191-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-193-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-195-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-197-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-199-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-201-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-203-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-205-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-207-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-209-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-211-0x0000000007180000-0x00000000071BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-1054-0x0000000007E00000-0x0000000008406000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3656-1055-0x00000000077F0000-0x00000000078FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3656-1056-0x0000000007240000-0x0000000007252000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3656-1057-0x0000000007260000-0x000000000729E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-1058-0x0000000007A00000-0x0000000007A4B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3656-1059-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1061-0x0000000007B60000-0x0000000007BF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3656-1062-0x0000000007C00000-0x0000000007C66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3656-1063-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1064-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1065-0x00000000072E0000-0x00000000072F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1066-0x0000000008B60000-0x0000000008D22000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3656-1067-0x0000000008D40000-0x000000000926C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3656-1068-0x00000000093A0000-0x0000000009416000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3656-1069-0x0000000009420000-0x0000000009470000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4092-1075-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4092-1076-0x00000000058E0000-0x000000000592B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4092-1077-0x0000000005A10000-0x0000000005A20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-135-0x0000000000520000-0x000000000052A000-memory.dmp

    Filesize

    40KB

    Download