Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    69s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bbe1a2d422737d3221a92d79d2ee2491fc1cd23a70a45bbf5b3df1cf4a8f9a1.exe

  • Size

    685KB

  • MD5

    ad15acdf392a4201debebbc63ffe61e7

  • SHA1

    6528da395b830aa2a2d7ebccea63b2c5d20e7497

  • SHA256

    8bbe1a2d422737d3221a92d79d2ee2491fc1cd23a70a45bbf5b3df1cf4a8f9a1

  • SHA512

    83d6bf918dec111dc9bc9fe493f376a2c48692e461d6066462f1560c73354470e2572e75c7fb364da73a28810dba3d042dc114f974cd657971a63367c224a21a

  • SSDEEP

    12288:7MrZy90E/ON35FWiztJOkAYD/W5pN172KBT/WEi7LGWBJd0:Oym35k89W77vd/WEuGWXd0

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 22 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bbe1a2d422737d3221a92d79d2ee2491fc1cd23a70a45bbf5b3df1cf4a8f9a1.exe
    "C:\Users\Admin\AppData\Local\Temp\8bbe1a2d422737d3221a92d79d2ee2491fc1cd23a70a45bbf5b3df1cf4a8f9a1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780062.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780062.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4649.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4649.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0542.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4556
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si045073.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si045073.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si045073.exe
    Filesize

    175KB

    MD5

    7f76b727432f30debe45d7ce6cd23764

    SHA1

    6373548e941294da52ff1a6521b0830fa2d8436d

    SHA256

    c19f1f1b5949ef86306d9fda49e4f863dd969a667db72a904633d756fcd84e7e

    SHA512

    9cdec82580ed96bd846901cb4bd4e7a876bb9b0fc5db194a3497e5f3f341c0949d4f9b909fd8d400674f52bb13a256fe66289e8b1b127f537002ea8e63cff7f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si045073.exe
    Filesize

    175KB

    MD5

    7f76b727432f30debe45d7ce6cd23764

    SHA1

    6373548e941294da52ff1a6521b0830fa2d8436d

    SHA256

    c19f1f1b5949ef86306d9fda49e4f863dd969a667db72a904633d756fcd84e7e

    SHA512

    9cdec82580ed96bd846901cb4bd4e7a876bb9b0fc5db194a3497e5f3f341c0949d4f9b909fd8d400674f52bb13a256fe66289e8b1b127f537002ea8e63cff7f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780062.exe
    Filesize

    543KB

    MD5

    c4d54132642126effe6f992652a74f2e

    SHA1

    d9c0d744b49b1c3908a2e6ab373c73f56b31a2de

    SHA256

    608e515d35a23bfa2a78905025d3e79131636e8f72e7506a5e6d8a636f70ef4f

    SHA512

    89fbcea17f073b9065c5d2df701e8dcb39bc56c89a90afc386058386e3ce37a9b6f235ad586c808cf73b03b0fc46dad01b5bc979c1c8d5417586f289eba17e73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780062.exe
    Filesize

    543KB

    MD5

    c4d54132642126effe6f992652a74f2e

    SHA1

    d9c0d744b49b1c3908a2e6ab373c73f56b31a2de

    SHA256

    608e515d35a23bfa2a78905025d3e79131636e8f72e7506a5e6d8a636f70ef4f

    SHA512

    89fbcea17f073b9065c5d2df701e8dcb39bc56c89a90afc386058386e3ce37a9b6f235ad586c808cf73b03b0fc46dad01b5bc979c1c8d5417586f289eba17e73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4649.exe
    Filesize

    292KB

    MD5

    17f216efdebe7c2ea35cafaac5a99d41

    SHA1

    e08d699f99c5ea7d16eea7d27ec389755162385f

    SHA256

    199eb693504703cf421b794e9ec609b22ca16ddddf790ece5857d82a23b228d6

    SHA512

    f9add6e25b1bb72e72bd9f46f9cee4c46687da2048c63e75b3e4f5b0f477e4dc33c8a64b3649efe3c99f6a4b3392891b8f236b22b52d14bfc9769a0fda7635cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4649.exe
    Filesize

    292KB

    MD5

    17f216efdebe7c2ea35cafaac5a99d41

    SHA1

    e08d699f99c5ea7d16eea7d27ec389755162385f

    SHA256

    199eb693504703cf421b794e9ec609b22ca16ddddf790ece5857d82a23b228d6

    SHA512

    f9add6e25b1bb72e72bd9f46f9cee4c46687da2048c63e75b3e4f5b0f477e4dc33c8a64b3649efe3c99f6a4b3392891b8f236b22b52d14bfc9769a0fda7635cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0542.exe
    Filesize

    350KB

    MD5

    e33587c9c2b495afebaab9fbe2df2420

    SHA1

    0725fd007d37c520ae9e436130d5b9b95891d46f

    SHA256

    48e411f9708e8350a73b7ca4f9c345301c2be42e1d0e87e11badfd75bc55b47f

    SHA512

    a20096f1dbf27b3ba030534248f60d3c066bbefe0b2f4a2113cc106d0e5daf8368365a419a64eaad44bc9369a12a88273209f42345d3a9ba8c9944d2f52b0de2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0542.exe
    Filesize

    350KB

    MD5

    e33587c9c2b495afebaab9fbe2df2420

    SHA1

    0725fd007d37c520ae9e436130d5b9b95891d46f

    SHA256

    48e411f9708e8350a73b7ca4f9c345301c2be42e1d0e87e11badfd75bc55b47f

    SHA512

    a20096f1dbf27b3ba030534248f60d3c066bbefe0b2f4a2113cc106d0e5daf8368365a419a64eaad44bc9369a12a88273209f42345d3a9ba8c9944d2f52b0de2

    Download Submit

  • memory/1972-136-0x0000000002230000-0x000000000224A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1972-137-0x0000000004E00000-0x00000000052FE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1972-138-0x00000000023F0000-0x0000000002408000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1972-141-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1972-140-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-144-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-146-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-145-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-143-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-139-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-148-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-150-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-152-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-154-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-156-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-158-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-160-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-162-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-164-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-166-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-168-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-170-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1972-171-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1972-173-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-175-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-176-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1972-174-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3680-1115-0x0000000000600000-0x0000000000632000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3680-1117-0x0000000005210000-0x0000000005220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3680-1116-0x0000000005040000-0x000000000508B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4556-183-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-252-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-186-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-188-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-190-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-192-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-194-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-196-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-198-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-200-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-202-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-204-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-206-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-208-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-210-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-212-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-214-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-216-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-250-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-184-0x0000000004C80000-0x0000000004CBE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-248-0x00000000020E0000-0x000000000212B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4556-253-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-1093-0x0000000005340000-0x0000000005946000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4556-1094-0x0000000005950000-0x0000000005A5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4556-1095-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4556-1096-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4556-1097-0x0000000005B70000-0x0000000005BBB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4556-1098-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-1099-0x0000000005D00000-0x0000000005D92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4556-1100-0x0000000005DA0000-0x0000000005E06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4556-1102-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-1103-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-1104-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4556-1105-0x00000000065A0000-0x0000000006762000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4556-1106-0x0000000006790000-0x0000000006CBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4556-182-0x0000000004C80000-0x0000000004CC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4556-181-0x00000000026B0000-0x00000000026F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4556-1107-0x0000000006DE0000-0x0000000006E56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4556-1108-0x0000000006E70000-0x0000000006EC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4556-1109-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download