Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2023 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36844749e5b97abd8f1e811d987596a8c20cc30e7f9689c9ca573c3afc1076cf.exe

  • Size

    555KB

  • MD5

    534830f3ec556573f8ecf373708f43a8

  • SHA1

    01c4f993ceeb52842ca27d6110827f2c57a9eb11

  • SHA256

    36844749e5b97abd8f1e811d987596a8c20cc30e7f9689c9ca573c3afc1076cf

  • SHA512

    f0828c5fb8e19ac8a665d386c9ce6aa8dc44bbb063a614b52fc870ba7a9253ac79e9377d682ebd6ef795802f27d02543801ac39789e7eaed8e8fff4f285f671b

  • SSDEEP

    12288:3MrSy90PhUVXO53DN2RNYwXVbwEc7Ge4F3d1MUbd2oXCD4eSZO:Zy5O53DNQfXVbjc7GjGoXCD4s

Score
10/10
redlineborisrotikdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

rotik

C2

193.233.20.32:4125

Attributes
  • auth_value

    74863478ae154e921eb729354d2bb4bd

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36844749e5b97abd8f1e811d987596a8c20cc30e7f9689c9ca573c3afc1076cf.exe
    "C:\Users\Admin\AppData\Local\Temp\36844749e5b97abd8f1e811d987596a8c20cc30e7f9689c9ca573c3afc1076cf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0608.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0608.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h00SM78.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h00SM78.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPUzZ59.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPUzZ59.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1368
          4⤵
          • Program crash
          PID:3604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l16ZH76.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l16ZH76.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3428 -ip 3428
    1⤵
      PID:2008

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l16ZH76.exe
      Filesize

      175KB

      MD5

      efc3b1703bec9a0e79d4a9fdcedf4a20

      SHA1

      d019bfe5fbf05fde5cae0029f9580dca9677a3b2

      SHA256

      1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

      SHA512

      f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l16ZH76.exe
      Filesize

      175KB

      MD5

      efc3b1703bec9a0e79d4a9fdcedf4a20

      SHA1

      d019bfe5fbf05fde5cae0029f9580dca9677a3b2

      SHA256

      1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

      SHA512

      f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0608.exe
      Filesize

      413KB

      MD5

      44c4c1b94eb13a1b048050f8e9ae1953

      SHA1

      946cb6815ddd47fffbf7812b72e9d2c6aab1b0c2

      SHA256

      3ee7ca6a0d66471b9439c812d9922f3589b8a2e37f1a316007c5b4ee01068ada

      SHA512

      362cabe6a9f0e6a3073f5f4c2dc7be2b2923a6ea98f600ad6b1a1c77f26f96b15d8c24db34d8a7990631ad323fd1b6d0e0418b185f551440e1137a32ead31ec9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0608.exe
      Filesize

      413KB

      MD5

      44c4c1b94eb13a1b048050f8e9ae1953

      SHA1

      946cb6815ddd47fffbf7812b72e9d2c6aab1b0c2

      SHA256

      3ee7ca6a0d66471b9439c812d9922f3589b8a2e37f1a316007c5b4ee01068ada

      SHA512

      362cabe6a9f0e6a3073f5f4c2dc7be2b2923a6ea98f600ad6b1a1c77f26f96b15d8c24db34d8a7990631ad323fd1b6d0e0418b185f551440e1137a32ead31ec9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h00SM78.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h00SM78.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPUzZ59.exe
      Filesize

      385KB

      MD5

      9f6e2847432e402e35b284e1db9e1f34

      SHA1

      6d85fb02c3b156c8f73afa9c869bf52169b4a8f1

      SHA256

      f110a0ac28899648f28b41359e1abd97a3cc38f6210f66144e83c42f317f79f0

      SHA512

      3676983d3a4b3646c82156b97795a841445676ef9a04c19dd234cb909e931ee8ce764c66472a8a04bf78321b99c410e26e893ad07e66416988c5c45b4d40f2c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iPUzZ59.exe
      Filesize

      385KB

      MD5

      9f6e2847432e402e35b284e1db9e1f34

      SHA1

      6d85fb02c3b156c8f73afa9c869bf52169b4a8f1

      SHA256

      f110a0ac28899648f28b41359e1abd97a3cc38f6210f66144e83c42f317f79f0

      SHA512

      3676983d3a4b3646c82156b97795a841445676ef9a04c19dd234cb909e931ee8ce764c66472a8a04bf78321b99c410e26e893ad07e66416988c5c45b4d40f2c7

      Download Submit

    • memory/1548-147-0x0000000000270000-0x000000000027A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1916-1085-0x0000000000E20000-0x0000000000E52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1916-1086-0x00000000059B0000-0x00000000059C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-189-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-201-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-155-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-157-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-158-0x0000000002B90000-0x0000000002BDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3428-161-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-162-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-163-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-160-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-165-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-167-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-169-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-171-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-173-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-175-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-177-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-179-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-183-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-181-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-185-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-187-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-153-0x00000000072D0000-0x0000000007874000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3428-191-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-193-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-195-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-197-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-199-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-154-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-203-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-205-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-207-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-209-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-211-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-213-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-215-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-217-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-219-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-221-0x0000000007270000-0x00000000072AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3428-1064-0x00000000078D0000-0x0000000007EE8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3428-1065-0x0000000007F70000-0x000000000807A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3428-1066-0x00000000080B0000-0x00000000080C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3428-1067-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-1068-0x00000000080D0000-0x000000000810C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3428-1070-0x00000000083C0000-0x0000000008426000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3428-1071-0x0000000008A80000-0x0000000008B12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3428-1072-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-1073-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-1074-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-1075-0x00000000072C0000-0x00000000072D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3428-1076-0x000000000A080000-0x000000000A0F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3428-1077-0x000000000A120000-0x000000000A170000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3428-1078-0x000000000A1A0000-0x000000000A362000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3428-1079-0x000000000A370000-0x000000000A89C000-memory.dmp

      Filesize

      5.2MB

      Download