Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    71s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe

  • Size

    539KB

  • MD5

    092f2e02c114e3343185de3ca6c94b9b

  • SHA1

    f20ba641f5d76c20f3144549ef1efedaf297e782

  • SHA256

    f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124

  • SHA512

    e9a9fd40de5f787f483201ef0ded0af87824fdeaef4bd728e8d7f9328aed0efdcc32f344d857019e1027fd708b43054f4627cc02f9c91145728101fb42464173

  • SSDEEP

    12288:wMrIy90stdgHPj4Mtzk7+h29GYYxOI4+6CLLU4zl0SgqJjI:oyNq4M9k7+h+GYInJHU9dAjI

Score
10/10
redlineboltdowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

bolt

C2

193.233.20.31:4125

Attributes
  • auth_value

    29540c7bf0277243e2faf6601e15a754

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe
    "C:\Users\Admin\AppData\Local\Temp\f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4848

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
    Filesize

    175KB

    MD5

    78efaf7292c2027da40635ca1aae855a

    SHA1

    686227a48e23b382a06c74f17d9b6f36e76042fd

    SHA256

    2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

    SHA512

    19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
    Filesize

    175KB

    MD5

    78efaf7292c2027da40635ca1aae855a

    SHA1

    686227a48e23b382a06c74f17d9b6f36e76042fd

    SHA256

    2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

    SHA512

    19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
    Filesize

    397KB

    MD5

    4d2a905a143206c91e6e3f06f851727a

    SHA1

    ccd782512b550fa3dce9968817dfa13177f4d479

    SHA256

    abebb88703fd0eadcdcce5e9a19d6564ef16d9dfc1d7dd80da0f9520451aba30

    SHA512

    933c94b5a5e3922ba21bb278df36527d0b9e0dbe7c457315b4d564d0baef307b0286f28f6859b192f1bd676b97f182cea99a4d68366d781d59de3c3c23d44e70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
    Filesize

    397KB

    MD5

    4d2a905a143206c91e6e3f06f851727a

    SHA1

    ccd782512b550fa3dce9968817dfa13177f4d479

    SHA256

    abebb88703fd0eadcdcce5e9a19d6564ef16d9dfc1d7dd80da0f9520451aba30

    SHA512

    933c94b5a5e3922ba21bb278df36527d0b9e0dbe7c457315b4d564d0baef307b0286f28f6859b192f1bd676b97f182cea99a4d68366d781d59de3c3c23d44e70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
    Filesize

    355KB

    MD5

    5106c90c14027fbb8e7065d57f65d8cd

    SHA1

    f1ed7ace126748aef10470c7239c5c49e6bfb141

    SHA256

    6f20343a9b9026219f997e6091541d325a9ef57b59c9ace9653cc6fc8b3692e2

    SHA512

    a3f4668ae85044c1d48233736a15dd9c595fc53f67dbe7d86ecd9e0cfd127f0808c652e0bbf6b744821334da9870ce8c7aca3128735208d9b25cc27a95672fdd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
    Filesize

    355KB

    MD5

    5106c90c14027fbb8e7065d57f65d8cd

    SHA1

    f1ed7ace126748aef10470c7239c5c49e6bfb141

    SHA256

    6f20343a9b9026219f997e6091541d325a9ef57b59c9ace9653cc6fc8b3692e2

    SHA512

    a3f4668ae85044c1d48233736a15dd9c595fc53f67dbe7d86ecd9e0cfd127f0808c652e0bbf6b744821334da9870ce8c7aca3128735208d9b25cc27a95672fdd

    Download Submit

  • memory/4348-133-0x0000000000780000-0x000000000078A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4848-1072-0x00000000004A0000-0x00000000004D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4848-1073-0x0000000004EE0000-0x0000000004F2B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4848-1074-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-173-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-187-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-143-0x00000000071B0000-0x00000000076AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4880-144-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-142-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-145-0x0000000007120000-0x0000000007164000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4880-146-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-147-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-149-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-151-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-153-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-155-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-157-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-159-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-161-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-163-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-165-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-167-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-169-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-171-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-140-0x0000000002B90000-0x0000000002BDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4880-175-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-179-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-181-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-177-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-183-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-185-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-141-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-189-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-191-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-193-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-195-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-197-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-199-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-201-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-203-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-205-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-207-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-209-0x0000000007120000-0x000000000715E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-1052-0x0000000007CC0000-0x00000000082C6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4880-1053-0x0000000007720000-0x000000000782A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4880-1054-0x0000000007860000-0x0000000007872000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4880-1055-0x0000000007880000-0x00000000078BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4880-1056-0x00000000079D0000-0x0000000007A1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4880-1057-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1059-0x0000000007B60000-0x0000000007BF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4880-1060-0x0000000007C00000-0x0000000007C66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4880-1061-0x00000000088E0000-0x0000000008956000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4880-1062-0x0000000008970000-0x00000000089C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4880-139-0x0000000004BB0000-0x0000000004BF6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4880-1063-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4880-1064-0x0000000008B50000-0x0000000008D12000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4880-1065-0x0000000008D20000-0x000000000924C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4880-1066-0x00000000071A0000-0x00000000071B0000-memory.dmp

    Filesize

    64KB

    Download