Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    303d536e87936354e87ca2f8599428fd84aae43879ef54f5a1c99376b7a609dd.exe

  • Size

    700KB

  • MD5

    47db839edd9c5c1e53d4102c76f96b80

  • SHA1

    9473027d827e5f81922a7230047693a503557114

  • SHA256

    303d536e87936354e87ca2f8599428fd84aae43879ef54f5a1c99376b7a609dd

  • SHA512

    3e3e3ade00dab07d9dfe6b035378d0e6f68463cb8342aca65700ceec5af615128ae2932954e914fc7c8ad4da1e5da25c85d1061ef81980f102bdf0900122e2c6

  • SSDEEP

    12288:yMrFy90EnOgCiAJy5H8qr96jWAPMLYhxX5MqvAio8rMuNwP2vLDPWZRiw:/yUJJ/mqwKX5MqIwrMuNA2D4sw

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\303d536e87936354e87ca2f8599428fd84aae43879ef54f5a1c99376b7a609dd.exe
    "C:\Users\Admin\AppData\Local\Temp\303d536e87936354e87ca2f8599428fd84aae43879ef54f5a1c99376b7a609dd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un312906.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un312906.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4994.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4994.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1080
          4⤵
          • Program crash
          PID:4264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8157.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8157.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1808
          4⤵
          • Program crash
          PID:4100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si387461.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si387461.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1772 -ip 1772
    1⤵
      PID:408
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2792 -ip 2792
      1⤵
        PID:4648

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si387461.exe
        Filesize

        175KB

        MD5

        0b6f242a39067ae095616614d6e5a2cf

        SHA1

        a2ce971885f1bd2cdf6c92aa7315605464d29a84

        SHA256

        a6a15687c84005a920ee269eb28e6b0fea1348a93fdb0368e3552732101117e0

        SHA512

        65da8847e829c61fdb140c0b441abf2d3ff8584339d4bf8e3a99f4283243d20fcd7f03de666218182686f38b07c8977193d1e10a80e1ff83b6d9b358efd786ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si387461.exe
        Filesize

        175KB

        MD5

        0b6f242a39067ae095616614d6e5a2cf

        SHA1

        a2ce971885f1bd2cdf6c92aa7315605464d29a84

        SHA256

        a6a15687c84005a920ee269eb28e6b0fea1348a93fdb0368e3552732101117e0

        SHA512

        65da8847e829c61fdb140c0b441abf2d3ff8584339d4bf8e3a99f4283243d20fcd7f03de666218182686f38b07c8977193d1e10a80e1ff83b6d9b358efd786ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un312906.exe
        Filesize

        557KB

        MD5

        9c33498828379ceb2b9d114f769f8b35

        SHA1

        1fcd6ed2042fab2bb66138452dbec8e3be874e00

        SHA256

        46663db020e2630c0ede3ec82b0db824a7ea5d980556eba56547aa30fba2740e

        SHA512

        62d00f0d97c5ce6b65d48120ac39f9b48b83f4f5b1e3a623e044f2e147751b7d43b3173567b8526fdcd00d6570842d701bf3406f8fd56617c0aad0f56f98f7e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un312906.exe
        Filesize

        557KB

        MD5

        9c33498828379ceb2b9d114f769f8b35

        SHA1

        1fcd6ed2042fab2bb66138452dbec8e3be874e00

        SHA256

        46663db020e2630c0ede3ec82b0db824a7ea5d980556eba56547aa30fba2740e

        SHA512

        62d00f0d97c5ce6b65d48120ac39f9b48b83f4f5b1e3a623e044f2e147751b7d43b3173567b8526fdcd00d6570842d701bf3406f8fd56617c0aad0f56f98f7e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4994.exe
        Filesize

        307KB

        MD5

        4140e0d33f1b5ace05d37879b393d554

        SHA1

        6c08023c588c96f5536a3059270781a40efbcf98

        SHA256

        08e9316a1fd6d05f646502335ac46dbcd9652f7e3a84133dbb4bc511e0e45ffd

        SHA512

        24835d0ea8b80b4b6c6cb8504b96b3cb97d98caf4a3f699584713823a548ba7be50716a1ae6e2db8a8e4bbe25e1f57f1b5b90ec494d0a61368f980d8e3311047

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4994.exe
        Filesize

        307KB

        MD5

        4140e0d33f1b5ace05d37879b393d554

        SHA1

        6c08023c588c96f5536a3059270781a40efbcf98

        SHA256

        08e9316a1fd6d05f646502335ac46dbcd9652f7e3a84133dbb4bc511e0e45ffd

        SHA512

        24835d0ea8b80b4b6c6cb8504b96b3cb97d98caf4a3f699584713823a548ba7be50716a1ae6e2db8a8e4bbe25e1f57f1b5b90ec494d0a61368f980d8e3311047

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8157.exe
        Filesize

        366KB

        MD5

        fb6f9b4f29305e38d14aecdbed519500

        SHA1

        c1cc139417a83e80a1199437dafc0ec32260fca8

        SHA256

        6e6300db40ed633b634d4ab9266271abb853c9451c7c2badd2ad7b792810098b

        SHA512

        bded25bcfae86cc60c54c46cf7d8ce5f95c834e619261c776e43bb7dc271e70fc55ad055e39f9358dd0158ed23cfc7478369a401af9e8b3f44e03d2bd03d54c7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8157.exe
        Filesize

        366KB

        MD5

        fb6f9b4f29305e38d14aecdbed519500

        SHA1

        c1cc139417a83e80a1199437dafc0ec32260fca8

        SHA256

        6e6300db40ed633b634d4ab9266271abb853c9451c7c2badd2ad7b792810098b

        SHA512

        bded25bcfae86cc60c54c46cf7d8ce5f95c834e619261c776e43bb7dc271e70fc55ad055e39f9358dd0158ed23cfc7478369a401af9e8b3f44e03d2bd03d54c7

        Download Submit

      • memory/1772-148-0x0000000004E90000-0x0000000005434000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1772-149-0x00000000008F0000-0x000000000091D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1772-150-0x0000000004E80000-0x0000000004E90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1772-151-0x0000000004E80000-0x0000000004E90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1772-152-0x0000000004E80000-0x0000000004E90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1772-154-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-153-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-156-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-158-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-160-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-162-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-164-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-166-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-168-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-170-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-172-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-174-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-176-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-178-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-180-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1772-181-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1772-182-0x0000000004E80000-0x0000000004E90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1772-183-0x0000000004E80000-0x0000000004E90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1772-185-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2792-190-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-193-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-191-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-197-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-196-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-198-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-200-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-201-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-194-0x0000000000720000-0x000000000076B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2792-203-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-205-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-207-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-209-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-211-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-215-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-217-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-213-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-219-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-221-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-223-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-225-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-227-0x00000000029A0000-0x00000000029DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2792-1100-0x0000000005560000-0x0000000005B78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2792-1101-0x0000000005B80000-0x0000000005C8A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2792-1102-0x0000000002B10000-0x0000000002B22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2792-1103-0x0000000005C90000-0x0000000005CCC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2792-1104-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2792-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2792-1108-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-1110-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-1109-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-1111-0x0000000006960000-0x0000000006B22000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2792-1112-0x0000000006B30000-0x000000000705C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2792-1113-0x0000000002A70000-0x0000000002A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-1114-0x0000000002600000-0x0000000002676000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2792-1115-0x0000000008310000-0x0000000008360000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4820-1121-0x0000000000330000-0x0000000000362000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4820-1122-0x0000000004C10000-0x0000000004C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4820-1123-0x0000000004C10000-0x0000000004C20000-memory.dmp

        Filesize

        64KB

        Download