Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    69s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76c6b17af7555279c0e79ade40e867fdcf04343f555958620c4eb0986ce165dc.exe

  • Size

    539KB

  • MD5

    fac4dffb6f3be1371b56c6c6329d9112

  • SHA1

    c4a6a25817d5adf5d9e7b093abf1348f8ac28e4f

  • SHA256

    76c6b17af7555279c0e79ade40e867fdcf04343f555958620c4eb0986ce165dc

  • SHA512

    7c0272b82a0342d02746f91824da2e8e59bd5039d3afbfe63e38c0ae3b537a59a6f4fd9dce0b03f63af700ea28e96f7144f51150dce9bab5e7c9329eb9bc9dd8

  • SSDEEP

    12288:+MrKy901MGwJcJhGLuZUNOJmgssxgmLspj+jbeImi2:AyUDGLsOOJmc6mgpqPeImi2

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76c6b17af7555279c0e79ade40e867fdcf04343f555958620c4eb0986ce165dc.exe
    "C:\Users\Admin\AppData\Local\Temp\76c6b17af7555279c0e79ade40e867fdcf04343f555958620c4eb0986ce165dc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5552.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6612.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6612.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5979.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5979.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si585716.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si585716.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4512

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si585716.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si585716.exe
    Filesize

    175KB

    MD5

    7c11dfe7837f2079d50113de0e973682

    SHA1

    fae072addd4d56ab67d08ab82da4aac5d7223960

    SHA256

    442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

    SHA512

    06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5552.exe
    Filesize

    397KB

    MD5

    46ffaf5a2f830ad87cf6341810ebc8e4

    SHA1

    507becd92f35a4805a8cfdde1c318852a237a9aa

    SHA256

    d31d4459521ae0f66a96dc9a2e1a08a557c83033a369a1838e0ea4fb3abc6c79

    SHA512

    a6360a6797c323d80270d9106907a3caffe40213d6969f6691cf9eee6166fbf81301454ef7b86c816b086e893774891ddc1138806eed54cf8c5d7b57e8eae139

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5552.exe
    Filesize

    397KB

    MD5

    46ffaf5a2f830ad87cf6341810ebc8e4

    SHA1

    507becd92f35a4805a8cfdde1c318852a237a9aa

    SHA256

    d31d4459521ae0f66a96dc9a2e1a08a557c83033a369a1838e0ea4fb3abc6c79

    SHA512

    a6360a6797c323d80270d9106907a3caffe40213d6969f6691cf9eee6166fbf81301454ef7b86c816b086e893774891ddc1138806eed54cf8c5d7b57e8eae139

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6612.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6612.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5979.exe
    Filesize

    356KB

    MD5

    4a0366929360520c35a617c886a11e90

    SHA1

    2dd930df65e727a1cce33f1880ef307bb004af8c

    SHA256

    099d03b06e00889299bd4be6dbfbe8c44034f248bb152a7d3e93d055f94f9a03

    SHA512

    53775de77b685031ba5789e29d022ccfec9b249a28394c0d8bc2962da08e8d3c53d9dbc7897b426cefcf5f96a3da997e0a89b54e746cd796f46a71a595ce10b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5979.exe
    Filesize

    356KB

    MD5

    4a0366929360520c35a617c886a11e90

    SHA1

    2dd930df65e727a1cce33f1880ef307bb004af8c

    SHA256

    099d03b06e00889299bd4be6dbfbe8c44034f248bb152a7d3e93d055f94f9a03

    SHA512

    53775de77b685031ba5789e29d022ccfec9b249a28394c0d8bc2962da08e8d3c53d9dbc7897b426cefcf5f96a3da997e0a89b54e746cd796f46a71a595ce10b9

    Download Submit
  • memory/2300-135-0x0000000000F80000-0x0000000000F8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2500-141-0x0000000002C90000-0x0000000002CDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2500-142-0x0000000004850000-0x0000000004896000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2500-143-0x0000000007210000-0x000000000770E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2500-144-0x0000000004CF0000-0x0000000004D34000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2500-145-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-146-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-150-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-148-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-152-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-154-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-156-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-158-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-160-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-162-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-164-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-168-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-166-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-170-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-172-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-174-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-176-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-178-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-182-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-184-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-180-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-186-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-189-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-187-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-190-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-192-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-193-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-195-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-197-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-199-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-203-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-205-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-211-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-207-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-201-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-1054-0x0000000007E20000-0x0000000008426000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2500-1055-0x0000000007860000-0x000000000796A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2500-1056-0x00000000079A0000-0x00000000079B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2500-1057-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-1058-0x00000000079C0000-0x00000000079FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2500-1059-0x0000000007B10000-0x0000000007B5B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2500-1061-0x0000000007CA0000-0x0000000007D32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2500-1062-0x0000000007D40000-0x0000000007DA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2500-1063-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-1064-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-1065-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2500-1066-0x0000000009D00000-0x0000000009D76000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2500-1067-0x0000000009D80000-0x0000000009DD0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2500-1068-0x0000000009DE0000-0x0000000009FA2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2500-1069-0x0000000009FC0000-0x000000000A4EC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2500-1070-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4512-1076-0x0000000000D30000-0x0000000000D62000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4512-1077-0x0000000005770000-0x00000000057BB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4512-1078-0x0000000005960000-0x0000000005970000-memory.dmp
    Filesize

    64KB

    Download