Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    128d8c84f073250cc24f194fb287ec70e74da1d0560e1f4741d9ec0dfd262878.exe

  • Size

    700KB

  • MD5

    459504d31915ebd972ac5f41fa3a8c54

  • SHA1

    137c15974bdce3ff852945faab32e1d2b5f20328

  • SHA256

    128d8c84f073250cc24f194fb287ec70e74da1d0560e1f4741d9ec0dfd262878

  • SHA512

    b41c824cf75b602db9b230a9189f08caf34e6b033310094d9f753f9fb6b8b6672c6243d90d8734df3ebe83d08ebe8c2928a0026d493f7c61942c70d1b0203e35

  • SSDEEP

    12288:LMr+y9004F9ltceHkc3eb6rc5SxMbXuLxlEGJEK7WPeuZDeBH:Byz47VkcHY5SxMbXWDf7WPeoqBH

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\128d8c84f073250cc24f194fb287ec70e74da1d0560e1f4741d9ec0dfd262878.exe
    "C:\Users\Admin\AppData\Local\Temp\128d8c84f073250cc24f194fb287ec70e74da1d0560e1f4741d9ec0dfd262878.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531737.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531737.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3744.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3744.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3444
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7876.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7876.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si637446.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si637446.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si637446.exe
    Filesize

    175KB

    MD5

    14718df1cfde802c41015f643e462cbc

    SHA1

    c3f70e857a955d7bda149c26c126aa8f87ad2152

    SHA256

    c36cf04b4b5928732c98e8e36feb1fe5c5dc15b0bb2e7bbfcca94f41c871e1f2

    SHA512

    6242c53ba119a31adaebbf116503d5d35c77920ac7427a2e27355b5fe47223f58f5a7a3e10c725882efe0325dff40bcb69c3133411f6341cf522975b33f35499

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si637446.exe
    Filesize

    175KB

    MD5

    14718df1cfde802c41015f643e462cbc

    SHA1

    c3f70e857a955d7bda149c26c126aa8f87ad2152

    SHA256

    c36cf04b4b5928732c98e8e36feb1fe5c5dc15b0bb2e7bbfcca94f41c871e1f2

    SHA512

    6242c53ba119a31adaebbf116503d5d35c77920ac7427a2e27355b5fe47223f58f5a7a3e10c725882efe0325dff40bcb69c3133411f6341cf522975b33f35499

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531737.exe
    Filesize

    558KB

    MD5

    7aeff034e03e990d0e5439f5215b954c

    SHA1

    95ee9d47c9b1cdc5b46dd01e8392d298d1fdf829

    SHA256

    5efb81d3c5d0f184b32d045786d4e28b3e88bc2cb72cc994c701664800363037

    SHA512

    1482847e6788597f5cf261d6c4aacfc758aac162b9e4c5f7a05608b5aa8fc7df508220ecf9044ef4d989279d90bce5ac7c2e7ca484e37d7cd72e99dea33bd7fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531737.exe
    Filesize

    558KB

    MD5

    7aeff034e03e990d0e5439f5215b954c

    SHA1

    95ee9d47c9b1cdc5b46dd01e8392d298d1fdf829

    SHA256

    5efb81d3c5d0f184b32d045786d4e28b3e88bc2cb72cc994c701664800363037

    SHA512

    1482847e6788597f5cf261d6c4aacfc758aac162b9e4c5f7a05608b5aa8fc7df508220ecf9044ef4d989279d90bce5ac7c2e7ca484e37d7cd72e99dea33bd7fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3744.exe
    Filesize

    307KB

    MD5

    252a1f8487e49751015faef51beb3317

    SHA1

    e701c3ae59cc23a29a1bfe1f9c1b672b6fa5af24

    SHA256

    7e87bf5ee342780205244ee5b77a99dfb8ad2cddf843792b5e3ca40be3046b7e

    SHA512

    e48d82a2e3b6933768835ecb6e5b5a8563f4c094b35633b5836528540779371a03420f9f6d995da7ddd30644b4c4c11e44d609c781b9a9abf5b515c2ed8f838d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3744.exe
    Filesize

    307KB

    MD5

    252a1f8487e49751015faef51beb3317

    SHA1

    e701c3ae59cc23a29a1bfe1f9c1b672b6fa5af24

    SHA256

    7e87bf5ee342780205244ee5b77a99dfb8ad2cddf843792b5e3ca40be3046b7e

    SHA512

    e48d82a2e3b6933768835ecb6e5b5a8563f4c094b35633b5836528540779371a03420f9f6d995da7ddd30644b4c4c11e44d609c781b9a9abf5b515c2ed8f838d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7876.exe
    Filesize

    365KB

    MD5

    80c2bbfb25ae207c9c363866d444de63

    SHA1

    bba13e2cb331b85e62bf4fd45d0d84988c8402ff

    SHA256

    db0c7d39ed5ff689da2a6f5bf36e148687cc407606b5c2e55f8f33fb14954ba1

    SHA512

    9c4a0f78ab4ef3ddbf9e44274d5b067ea467849a28bccaa85744d94977c12298498aed5f31db09f6ee3b6dae217b61a166ca150633f80e9322c7b793dbf5c725

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7876.exe
    Filesize

    365KB

    MD5

    80c2bbfb25ae207c9c363866d444de63

    SHA1

    bba13e2cb331b85e62bf4fd45d0d84988c8402ff

    SHA256

    db0c7d39ed5ff689da2a6f5bf36e148687cc407606b5c2e55f8f33fb14954ba1

    SHA512

    9c4a0f78ab4ef3ddbf9e44274d5b067ea467849a28bccaa85744d94977c12298498aed5f31db09f6ee3b6dae217b61a166ca150633f80e9322c7b793dbf5c725

    Download Submit

  • memory/2568-1109-0x0000000000D00000-0x0000000000D32000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2568-1110-0x0000000005740000-0x000000000578B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2568-1111-0x00000000058B0000-0x00000000058C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3444-142-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-154-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-136-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3444-137-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3444-138-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3444-139-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-140-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-134-0x0000000002660000-0x0000000002678000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3444-144-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-146-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-148-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-150-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-152-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-135-0x00000000007E0000-0x000000000080D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3444-156-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-158-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-160-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-162-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-164-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-166-0x0000000002660000-0x0000000002672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3444-167-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3444-168-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3444-170-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3444-133-0x0000000004DB0000-0x00000000052AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3444-132-0x00000000021F0000-0x000000000220A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4764-179-0x0000000002780000-0x00000000027C4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4764-211-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-177-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-181-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-180-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-183-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-185-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-187-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-189-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-191-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-193-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-195-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-197-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-199-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-201-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-203-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-205-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-209-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-207-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-178-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-213-0x0000000002780000-0x00000000027BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4764-479-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-1087-0x00000000053F0000-0x00000000059F6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4764-1088-0x0000000005A00000-0x0000000005B0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4764-1089-0x0000000005B40000-0x0000000005B52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4764-1090-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-1091-0x0000000005B60000-0x0000000005B9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4764-1092-0x0000000005CB0000-0x0000000005CFB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4764-1094-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-1095-0x0000000005E40000-0x0000000005EA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4764-1096-0x0000000006500000-0x0000000006592000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4764-1097-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-1098-0x00000000065F0000-0x00000000067B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4764-1099-0x00000000067C0000-0x0000000006CEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4764-1100-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-176-0x0000000000920000-0x000000000096B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4764-175-0x0000000002590000-0x00000000025D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4764-1101-0x0000000002770000-0x0000000002780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4764-1102-0x0000000006F20000-0x0000000006F96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4764-1103-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

    Filesize

    320KB

    Download