Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8129fea56679121b853f9c9a3d4800da3f40d3d2aab73f25d52cded26fed890d.exe

  • Size

    539KB

  • MD5

    b7ab238a1a4ed1722425a87fffecddcb

  • SHA1

    28822eaca7e28825c6d80b9693c3d155af7719a6

  • SHA256

    8129fea56679121b853f9c9a3d4800da3f40d3d2aab73f25d52cded26fed890d

  • SHA512

    d66788852d66c41b2dd83af03250602846981cf64da6cc72b2a85ab3c5c482bf6407e1999229cc3bd4abbab7d6e072ba83383054ac0562671978ac5ba6884abc

  • SSDEEP

    12288:KMrvy909WiCyRNP7S6evYZxrI4+gZ5DHezfqY:hyf8z7SlvYLWE5DHezfqY

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8129fea56679121b853f9c9a3d4800da3f40d3d2aab73f25d52cded26fed890d.exe
    "C:\Users\Admin\AppData\Local\Temp\8129fea56679121b853f9c9a3d4800da3f40d3d2aab73f25d52cded26fed890d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0225.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0225.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7980.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7980.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5091.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5091.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2788
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si317704.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si317704.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si317704.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si317704.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0225.exe
    Filesize

    397KB

    MD5

    f0a6f32c9774be27c347640a00e6149d

    SHA1

    87ceee74f82e5469ac6899b4ecbffd385a2cb61c

    SHA256

    6e1ff82d1344e26125e6a035cddbe7a6af29d490b3ef0bd3d63448e75dc9b72a

    SHA512

    71d2207ffeb1ab09d9e9143879f5875d318f18038905a31b6e0f01eec2d02a1cfe0250db7ceeed0cbe34d968956b00d8b8771815e13b2114c1c55b188682c58f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0225.exe
    Filesize

    397KB

    MD5

    f0a6f32c9774be27c347640a00e6149d

    SHA1

    87ceee74f82e5469ac6899b4ecbffd385a2cb61c

    SHA256

    6e1ff82d1344e26125e6a035cddbe7a6af29d490b3ef0bd3d63448e75dc9b72a

    SHA512

    71d2207ffeb1ab09d9e9143879f5875d318f18038905a31b6e0f01eec2d02a1cfe0250db7ceeed0cbe34d968956b00d8b8771815e13b2114c1c55b188682c58f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7980.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7980.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5091.exe
    Filesize

    355KB

    MD5

    c8fc4361a3696e05223e28cea388e941

    SHA1

    76e5eb0ab6108ca1ff7c187a839d4f7b165c450f

    SHA256

    9cec59843466643b0d14d135774b99c30ede5f9688797aa6437955e3aa2a9696

    SHA512

    be543acb6bc0c2cc4098c1e3f9dfc825934c5060256be59efc6ddbe5025c5ec2aea8bfab2ab3653d2f00fc9e6b3d90e2de5e001ae9762ac5f622f3064acb76dc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5091.exe
    Filesize

    355KB

    MD5

    c8fc4361a3696e05223e28cea388e941

    SHA1

    76e5eb0ab6108ca1ff7c187a839d4f7b165c450f

    SHA256

    9cec59843466643b0d14d135774b99c30ede5f9688797aa6437955e3aa2a9696

    SHA512

    be543acb6bc0c2cc4098c1e3f9dfc825934c5060256be59efc6ddbe5025c5ec2aea8bfab2ab3653d2f00fc9e6b3d90e2de5e001ae9762ac5f622f3064acb76dc

    Download Submit
  • memory/2328-1073-0x0000000000740000-0x0000000000772000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2328-1074-0x0000000004FC0000-0x000000000500B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2328-1075-0x0000000005030000-0x0000000005040000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2664-135-0x0000000000AA0000-0x0000000000AAA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2788-187-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-211-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-144-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-145-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-147-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-149-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-151-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-153-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-155-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-161-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-159-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-165-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-168-0x0000000002C90000-0x0000000002CDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2788-167-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-170-0x0000000004820000-0x0000000004830000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2788-172-0x0000000004820000-0x0000000004830000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2788-174-0x0000000004820000-0x0000000004830000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2788-175-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-177-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-183-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-142-0x00000000070A0000-0x000000000759E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2788-195-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-197-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-193-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-199-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-191-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-201-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-143-0x0000000007600000-0x0000000007644000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2788-209-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-207-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-205-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-203-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-189-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-185-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-181-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-179-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-171-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-163-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-157-0x0000000007600000-0x000000000763E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-1054-0x00000000076A0000-0x0000000007CA6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2788-1055-0x0000000007D30000-0x0000000007E3A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2788-1056-0x0000000007E70000-0x0000000007E82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2788-1057-0x0000000004820000-0x0000000004830000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2788-1058-0x0000000007E90000-0x0000000007ECE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2788-1059-0x0000000007FE0000-0x000000000802B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2788-1061-0x0000000008170000-0x0000000008202000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2788-1062-0x0000000008210000-0x0000000008276000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2788-1063-0x0000000004820000-0x0000000004830000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2788-141-0x0000000007040000-0x0000000007086000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2788-1064-0x0000000008CE0000-0x0000000008EA2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2788-1065-0x0000000008EC0000-0x00000000093EC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2788-1067-0x00000000096A0000-0x00000000096F0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2788-1066-0x0000000009610000-0x0000000009686000-memory.dmp
    Filesize

    472KB

    Download