Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b0737959627942ed8175371b62d06e6965ebe9d300cf2457f6f148d8e70d6a4.exe

  • Size

    685KB

  • MD5

    ce05b6b8286d828e9ae8ddb548a0ea25

  • SHA1

    c9c364dfe0d14c3d5c80e8e7c0470a272311ad5b

  • SHA256

    8b0737959627942ed8175371b62d06e6965ebe9d300cf2457f6f148d8e70d6a4

  • SHA512

    e0d5f76d6d4039bfa04f28b825f912180cf11d51d80f24f40f34ba335d276d1752b715d1a495c2a4bc2fa621535ba6e937785f10d4c7ac636fb6367e9eceabd1

  • SSDEEP

    12288:WMriy909N0/O4tb0ZAw923Vsj7OkzjoXw/W41Im6wCqFAnBXh7EpNhNgiwuwXEiq:4yma90ZJ9z7bzjDOkXJe1h7EpVpx

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b0737959627942ed8175371b62d06e6965ebe9d300cf2457f6f148d8e70d6a4.exe
    "C:\Users\Admin\AppData\Local\Temp\8b0737959627942ed8175371b62d06e6965ebe9d300cf2457f6f148d8e70d6a4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078136.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078136.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7940.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7940.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2880.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2880.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4688
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si259807.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si259807.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si259807.exe
    Filesize

    175KB

    MD5

    b1005b1b1de57eff200c7f350866f887

    SHA1

    aa47ee84921dec179fda2217861f59eba014a00b

    SHA256

    bde40cc7a5c572da982c2f7e42b79c167c16e28be4318e77e427063e79527462

    SHA512

    7a56cb3b015e2769caa225cf0e129f7552917601cd364a8b9dcf029b632e98373bcf46cde903b75a7defe7b3cef882feb0e1fd5a1604a60abec7b2d7743fae3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si259807.exe
    Filesize

    175KB

    MD5

    b1005b1b1de57eff200c7f350866f887

    SHA1

    aa47ee84921dec179fda2217861f59eba014a00b

    SHA256

    bde40cc7a5c572da982c2f7e42b79c167c16e28be4318e77e427063e79527462

    SHA512

    7a56cb3b015e2769caa225cf0e129f7552917601cd364a8b9dcf029b632e98373bcf46cde903b75a7defe7b3cef882feb0e1fd5a1604a60abec7b2d7743fae3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078136.exe
    Filesize

    543KB

    MD5

    04ca892ae0e8effcd9e14faad1b0cb44

    SHA1

    270cbbe1e811c24fb35bcc7dd0f50ef38ff736bd

    SHA256

    d4db4bc7b26f2cd7f833d3ee9a99b739f71b1caa8cd63a95b3090307220be1c3

    SHA512

    c1517005b5b3010796556e1d17b6bb292a657ab8c1e46ff171d78811ed022c4bc38bf218af8d14a53b571364a14b56f85d978e9a9e740c58a29c02a7f94a056b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078136.exe
    Filesize

    543KB

    MD5

    04ca892ae0e8effcd9e14faad1b0cb44

    SHA1

    270cbbe1e811c24fb35bcc7dd0f50ef38ff736bd

    SHA256

    d4db4bc7b26f2cd7f833d3ee9a99b739f71b1caa8cd63a95b3090307220be1c3

    SHA512

    c1517005b5b3010796556e1d17b6bb292a657ab8c1e46ff171d78811ed022c4bc38bf218af8d14a53b571364a14b56f85d978e9a9e740c58a29c02a7f94a056b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7940.exe
    Filesize

    292KB

    MD5

    d91e3ad8b5f84f1b9fd35d21e8c66a9e

    SHA1

    80521cc05f1fe72ab5030ca0d9ea5eac31408287

    SHA256

    cc9f1ede340ffb14e3cee920082991e68f47421d3c275cb824de544333fdcd26

    SHA512

    77d8172127e7cd522e747d75a110424456728312cb8553e5dfbfe007b3dce617121fa23806035537c5cb62773fd2633f70c81e7e7bd0c3c7b890d779c128e9b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7940.exe
    Filesize

    292KB

    MD5

    d91e3ad8b5f84f1b9fd35d21e8c66a9e

    SHA1

    80521cc05f1fe72ab5030ca0d9ea5eac31408287

    SHA256

    cc9f1ede340ffb14e3cee920082991e68f47421d3c275cb824de544333fdcd26

    SHA512

    77d8172127e7cd522e747d75a110424456728312cb8553e5dfbfe007b3dce617121fa23806035537c5cb62773fd2633f70c81e7e7bd0c3c7b890d779c128e9b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2880.exe
    Filesize

    350KB

    MD5

    fd00c540fa695e5a3d521d4819984d91

    SHA1

    05da368e92b19de9d808303f26ca322f49eb87fd

    SHA256

    df940f3838498bb735880836b7490b9dcdefd384e67473f2e3a1d8d216479af1

    SHA512

    1c1bc31944d805fa803d366c1c77139f4ebf996ea80efaebca30c05490404a253e4ab9fa9539ff81f83a04926545c37a223c5054e3fddab1a205570968554006

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2880.exe
    Filesize

    350KB

    MD5

    fd00c540fa695e5a3d521d4819984d91

    SHA1

    05da368e92b19de9d808303f26ca322f49eb87fd

    SHA256

    df940f3838498bb735880836b7490b9dcdefd384e67473f2e3a1d8d216479af1

    SHA512

    1c1bc31944d805fa803d366c1c77139f4ebf996ea80efaebca30c05490404a253e4ab9fa9539ff81f83a04926545c37a223c5054e3fddab1a205570968554006

    Download Submit

  • memory/3684-136-0x00000000007E0000-0x000000000080D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3684-137-0x00000000021D0000-0x00000000021EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3684-138-0x0000000004E40000-0x000000000533E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3684-139-0x00000000026F0000-0x0000000002708000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3684-142-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-141-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-140-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-143-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-144-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-146-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-148-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-150-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-152-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-154-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-156-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-158-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-160-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-162-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-164-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-166-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-168-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-170-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3684-171-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3684-172-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-173-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-174-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-176-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4668-1115-0x00000000001F0000-0x0000000000222000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4668-1117-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4668-1116-0x0000000004C30000-0x0000000004C7B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4688-186-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-190-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-184-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-183-0x0000000000920000-0x000000000096B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4688-198-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-204-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-206-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-212-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-210-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-216-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-218-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-220-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-214-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-208-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-202-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-200-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-196-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-194-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-192-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-185-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-188-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-187-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-1093-0x00000000053B0000-0x00000000059B6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4688-1094-0x00000000059C0000-0x0000000005ACA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4688-1095-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4688-1096-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4688-1097-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-1098-0x0000000004E40000-0x0000000004E8B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4688-1100-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-1101-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-1102-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-1103-0x0000000005D00000-0x0000000005D92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4688-1104-0x0000000005DA0000-0x0000000005E06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4688-1105-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4688-1106-0x00000000064B0000-0x0000000006672000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4688-182-0x0000000004CB0000-0x0000000004CF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4688-181-0x00000000023E0000-0x0000000002426000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4688-1107-0x0000000006680000-0x0000000006BAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4688-1108-0x0000000006DF0000-0x0000000006E66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4688-1109-0x0000000006E70000-0x0000000006EC0000-memory.dmp

    Filesize

    320KB

    Download