Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    59s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    420091b4de56268794bdaad3ba81e4e89e09f225365670accf09824eb05d0389.exe

  • Size

    700KB

  • MD5

    8f04e4cdfa690277625d061fad803b80

  • SHA1

    5a5676c5eeec7878483c005d6af3f37b643194f8

  • SHA256

    420091b4de56268794bdaad3ba81e4e89e09f225365670accf09824eb05d0389

  • SHA512

    7c8ac071139f89e7829ef11c6ab3dec3cf889e85a264297d378be90857fae9461c601c2a639bf8e0e88eede6baaa6164c41be17b0317676fbfd650b85dc52db9

  • SSDEEP

    12288:iMrTy90CCLkKmiTpd5kC9DVUcAwNCfXBTQs46uc47FywPnnMD:hyzuzK/f9m9pnMD

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\420091b4de56268794bdaad3ba81e4e89e09f225365670accf09824eb05d0389.exe
    "C:\Users\Admin\AppData\Local\Temp\420091b4de56268794bdaad3ba81e4e89e09f225365670accf09824eb05d0389.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un342580.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un342580.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2608.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2608.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3572
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2330.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2330.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si737830.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si737830.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si737830.exe
    Filesize

    175KB

    MD5

    1796b04e12fc1e39e653c3c5a99d5f7f

    SHA1

    85c8bcd3e4d7ae67d0d52b0841c47c9aee98d5f9

    SHA256

    f018865ad662bddac7465dd7f6220b988b01a66da11e32de73aa1f037a5e6613

    SHA512

    b8eaaaee94dcca0e8ef1f3d71b3839e0702b13221785bc2328df9627deb02b209e4fa8f927ee463527025995a4e0c8d88bf8c8fade7a7af37e3092f581655496

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si737830.exe
    Filesize

    175KB

    MD5

    1796b04e12fc1e39e653c3c5a99d5f7f

    SHA1

    85c8bcd3e4d7ae67d0d52b0841c47c9aee98d5f9

    SHA256

    f018865ad662bddac7465dd7f6220b988b01a66da11e32de73aa1f037a5e6613

    SHA512

    b8eaaaee94dcca0e8ef1f3d71b3839e0702b13221785bc2328df9627deb02b209e4fa8f927ee463527025995a4e0c8d88bf8c8fade7a7af37e3092f581655496

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un342580.exe
    Filesize

    558KB

    MD5

    ebaffb0805a3831d31e5be93a1f4a155

    SHA1

    0e7ef91cc5f63ef9eaf8c1d101174b78ecfeef1c

    SHA256

    63bd9d5a6aae247f56f68f3a1bedbae27d309ac92330c7c7ca627f631c1e3f77

    SHA512

    a367674a44dfffa447262ad428a74c4d8b4211b041aa6e275ef6e7c3901cab4028b6cc7d83cc0f42192e7d0e34b4b4585e92eefc13f1c4d07513ff076ea6b5fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un342580.exe
    Filesize

    558KB

    MD5

    ebaffb0805a3831d31e5be93a1f4a155

    SHA1

    0e7ef91cc5f63ef9eaf8c1d101174b78ecfeef1c

    SHA256

    63bd9d5a6aae247f56f68f3a1bedbae27d309ac92330c7c7ca627f631c1e3f77

    SHA512

    a367674a44dfffa447262ad428a74c4d8b4211b041aa6e275ef6e7c3901cab4028b6cc7d83cc0f42192e7d0e34b4b4585e92eefc13f1c4d07513ff076ea6b5fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2608.exe
    Filesize

    307KB

    MD5

    35549f470c522b726fc8fe30fdd29cc3

    SHA1

    9599fe86d89210cc8955ea44d1d93d6e0b921853

    SHA256

    b41ccaeaf477f2c55821a2663f0d8d8e2f945b451501534fc8bb02ed04929848

    SHA512

    0469bce55a298405870a99b83519131a00ac3df4a9f6127c00202361a38e44caa510b1ce1a1e26411f4659a12e3a173b835e67865764a0892c4c763738e4c957

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2608.exe
    Filesize

    307KB

    MD5

    35549f470c522b726fc8fe30fdd29cc3

    SHA1

    9599fe86d89210cc8955ea44d1d93d6e0b921853

    SHA256

    b41ccaeaf477f2c55821a2663f0d8d8e2f945b451501534fc8bb02ed04929848

    SHA512

    0469bce55a298405870a99b83519131a00ac3df4a9f6127c00202361a38e44caa510b1ce1a1e26411f4659a12e3a173b835e67865764a0892c4c763738e4c957

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2330.exe
    Filesize

    365KB

    MD5

    971f12acedb887471c0f82f92ca08313

    SHA1

    e0fe78c9c4d0c5aae5dad71b416799f5527869cd

    SHA256

    918e5d3fca3dc54c5046d127855f2020f0af586cb2b4b048e96c21e1de80a0ba

    SHA512

    254717dc1ef117d11663d46987bbd73a29d8554826b2d45d43e8eee1b28da4998dbdbfc745672c82a90ca146d7bf8c3aa8618a6a78a0b67c4817b6fa80769323

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2330.exe
    Filesize

    365KB

    MD5

    971f12acedb887471c0f82f92ca08313

    SHA1

    e0fe78c9c4d0c5aae5dad71b416799f5527869cd

    SHA256

    918e5d3fca3dc54c5046d127855f2020f0af586cb2b4b048e96c21e1de80a0ba

    SHA512

    254717dc1ef117d11663d46987bbd73a29d8554826b2d45d43e8eee1b28da4998dbdbfc745672c82a90ca146d7bf8c3aa8618a6a78a0b67c4817b6fa80769323

    Download Submit

  • memory/1904-1090-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1904-215-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-1104-0x0000000006E70000-0x0000000006EC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1904-1103-0x0000000006DF0000-0x0000000006E66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1904-1102-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-193-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-1101-0x0000000006680000-0x0000000006BAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1904-1100-0x00000000064B0000-0x0000000006672000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1904-1099-0x0000000005790000-0x00000000057F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1904-1098-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1904-1097-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-1096-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-1094-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-195-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-1093-0x0000000005560000-0x00000000055AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1904-1092-0x0000000005410000-0x000000000544E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1904-1091-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1904-1089-0x0000000005840000-0x0000000005E46000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1904-375-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-205-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-213-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-211-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-179-0x00000000026A0000-0x00000000026E6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1904-180-0x00000000022D0000-0x00000000022E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-178-0x0000000000850000-0x000000000089B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1904-197-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-182-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-183-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-185-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-187-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-189-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-191-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-209-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-207-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-181-0x00000000051A0000-0x00000000051E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1904-199-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-201-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-203-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3572-170-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3572-163-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-147-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-139-0x0000000004CF0000-0x0000000004D00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-140-0x0000000004D00000-0x00000000051FE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3572-173-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3572-171-0x0000000004CF0000-0x0000000004D00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-141-0x0000000004C30000-0x0000000004C48000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3572-138-0x0000000004CF0000-0x0000000004D00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-169-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-167-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-165-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-161-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-159-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-157-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-155-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-153-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-151-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-149-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-145-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-143-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-142-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3572-137-0x0000000002710000-0x000000000272A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3572-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4148-1110-0x00000000009A0000-0x00000000009D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4148-1112-0x00000000053E0000-0x000000000542B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4148-1111-0x00000000051E0000-0x00000000051F0000-memory.dmp

    Filesize

    64KB

    Download