Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9eb127e0e96b4c0bd7f00433b99fe1c4163247371d62f32ccc49251b8a203c1.exe

  • Size

    700KB

  • MD5

    11c93979b7626ee27df4310f7ef4df9d

  • SHA1

    3b35d6484c166b2f43b5c71c1735b1b5850049b9

  • SHA256

    d9eb127e0e96b4c0bd7f00433b99fe1c4163247371d62f32ccc49251b8a203c1

  • SHA512

    34ba49d8336427e283a0beffffda7c9786549c7b8c8ac819c380f808ff610e2b3a48b45d9e1c764a512ed903176df807b57615a34423900a63ea02a1650eee3e

  • SSDEEP

    12288:bMr1y90JS2uvHkqpCTJGi9DzacAMO38F/wbo0pVvw0QoS6pi4tdwy+9dXLRMV:Kyq4HBkYMO38hwboLoS6Ft61C

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9eb127e0e96b4c0bd7f00433b99fe1c4163247371d62f32ccc49251b8a203c1.exe
    "C:\Users\Admin\AppData\Local\Temp\d9eb127e0e96b4c0bd7f00433b99fe1c4163247371d62f32ccc49251b8a203c1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un011361.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un011361.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5638.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5638.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7402.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7402.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si786777.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si786777.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si786777.exe
    Filesize

    175KB

    MD5

    38c3e32f9b358942b209e3661dd5aff4

    SHA1

    06d2d52ab5101520ab566f72907921ea88d99bc8

    SHA256

    1ae7b322d97cf03f054fa2fbdd814e5fd0ae4289a8b1faa867dc30136e6e568e

    SHA512

    e9e59bc9bf7fb3d77b3443af68c02df19d0a446fcc6eeda67e31bdb7ec798f36f3c9097333d6ffeb572e9eb8478b53fcd73581e68b02780a5067fca66e21d559

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si786777.exe
    Filesize

    175KB

    MD5

    38c3e32f9b358942b209e3661dd5aff4

    SHA1

    06d2d52ab5101520ab566f72907921ea88d99bc8

    SHA256

    1ae7b322d97cf03f054fa2fbdd814e5fd0ae4289a8b1faa867dc30136e6e568e

    SHA512

    e9e59bc9bf7fb3d77b3443af68c02df19d0a446fcc6eeda67e31bdb7ec798f36f3c9097333d6ffeb572e9eb8478b53fcd73581e68b02780a5067fca66e21d559

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un011361.exe
    Filesize

    558KB

    MD5

    e086247dfbdb54a8c69b976870a94712

    SHA1

    7030a31c58dfe5b60e93a07f547d6297918d4a90

    SHA256

    662fdd239d5da3f32aff551eb9f4930470aaff6fd2b1a2697919f1c058d4e6a4

    SHA512

    849f07f6df529a1623391d9a0762983b27fad8506e9e10993173235ceb4583fb09c7a2462fc569e23421859bb8c371e10d0ef75f8d3500300e577f0541cb5b91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un011361.exe
    Filesize

    558KB

    MD5

    e086247dfbdb54a8c69b976870a94712

    SHA1

    7030a31c58dfe5b60e93a07f547d6297918d4a90

    SHA256

    662fdd239d5da3f32aff551eb9f4930470aaff6fd2b1a2697919f1c058d4e6a4

    SHA512

    849f07f6df529a1623391d9a0762983b27fad8506e9e10993173235ceb4583fb09c7a2462fc569e23421859bb8c371e10d0ef75f8d3500300e577f0541cb5b91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5638.exe
    Filesize

    307KB

    MD5

    0ee8c5f85fd82c1a34fd0d2beb5d8b4f

    SHA1

    edf96c3380faa8dd728c457988a3c0b734047436

    SHA256

    693aacee8edd8d95e0f98a57503f69f8412ad7835a06c07259c9132940e59bd6

    SHA512

    97b8a6552d121df81e926813721fe8d3cbbce48e8812569433a448baf9915060517ae43713586bc57bdbdbb2ff755c5b0c6476273821dbf4d1c6e7536cbc031b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5638.exe
    Filesize

    307KB

    MD5

    0ee8c5f85fd82c1a34fd0d2beb5d8b4f

    SHA1

    edf96c3380faa8dd728c457988a3c0b734047436

    SHA256

    693aacee8edd8d95e0f98a57503f69f8412ad7835a06c07259c9132940e59bd6

    SHA512

    97b8a6552d121df81e926813721fe8d3cbbce48e8812569433a448baf9915060517ae43713586bc57bdbdbb2ff755c5b0c6476273821dbf4d1c6e7536cbc031b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7402.exe
    Filesize

    365KB

    MD5

    9532a321f5e22d861f59f6ac9c825199

    SHA1

    d5aba5bb5c7e139827b4eb6ccdefab4a1e15dd6b

    SHA256

    159dbc95234108d8a40232c2c975646835591a4ad5d92f3f5afb320375742971

    SHA512

    33cfe3e1166fc1274564d8a7bf41a7e8e700f789befcd99168dead0e040e5b429039f18f6e2b299376eb91ad9ee785f54692f6a1933e26b0784e3a9a4d189684

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7402.exe
    Filesize

    365KB

    MD5

    9532a321f5e22d861f59f6ac9c825199

    SHA1

    d5aba5bb5c7e139827b4eb6ccdefab4a1e15dd6b

    SHA256

    159dbc95234108d8a40232c2c975646835591a4ad5d92f3f5afb320375742971

    SHA512

    33cfe3e1166fc1274564d8a7bf41a7e8e700f789befcd99168dead0e040e5b429039f18f6e2b299376eb91ad9ee785f54692f6a1933e26b0784e3a9a4d189684

    Download Submit

  • memory/1528-1112-0x00000000056F0000-0x0000000005700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1528-1111-0x0000000005580000-0x00000000055CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1528-1110-0x0000000000B40000-0x0000000000B72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2148-1088-0x0000000005350000-0x0000000005956000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2148-1091-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2148-1104-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-1103-0x0000000006E70000-0x0000000006EC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2148-1102-0x0000000006DF0000-0x0000000006E66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2148-1101-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-1100-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-1099-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-1097-0x0000000006670000-0x0000000006B9C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2148-1096-0x00000000064A0000-0x0000000006662000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2148-1095-0x0000000005DA0000-0x0000000005E06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2148-1094-0x0000000005D00000-0x0000000005D92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2148-1093-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-1092-0x0000000005B70000-0x0000000005BBB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2148-1090-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2148-1089-0x0000000005960000-0x0000000005A6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2148-215-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-213-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-211-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-209-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-207-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-205-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-176-0x00000000026F0000-0x0000000002736000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2148-177-0x0000000000830000-0x000000000087B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2148-180-0x0000000004C90000-0x0000000004CD4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2148-179-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-181-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-178-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-182-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-183-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-185-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-187-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-189-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-191-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-193-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-195-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-197-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-199-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-201-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-203-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2344-159-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-131-0x00000000021C0000-0x00000000021DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2344-137-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-169-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-168-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-167-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-136-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-166-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2344-165-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-139-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-163-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-161-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-171-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2344-138-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-141-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-153-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-151-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-149-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-147-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-145-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-143-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-157-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2344-135-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-134-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2344-133-0x00000000025F0000-0x0000000002608000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2344-132-0x0000000004D90000-0x000000000528E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2344-155-0x00000000025F0000-0x0000000002602000-memory.dmp

    Filesize

    72KB

    Download