Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    90s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d31a20d47acb6f78287e40f249f833dfc1ac7bfec8a16732d05088f17119d12f.exe

  • Size

    695KB

  • MD5

    f826ae85c3f2443448942633e7879db7

  • SHA1

    b364563cec1239db008ed414c31f590961bb4361

  • SHA256

    d31a20d47acb6f78287e40f249f833dfc1ac7bfec8a16732d05088f17119d12f

  • SHA512

    f961871b20628d1b6c2f6128dcbc94253146d99ba80dc1706aa2c779c51648bee83f790c1b913429723c400b250e54647ba613dee060e4afbdc04b8f612b38ba

  • SSDEEP

    12288:CMrTy90JuZdfNMVTmKf0A8qIxuIszeLzOS0nh/4Qs69IQ0iVvB+A:RyvnfNMRMNFh/ZKh/4QssIsgA

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d31a20d47acb6f78287e40f249f833dfc1ac7bfec8a16732d05088f17119d12f.exe
    "C:\Users\Admin\AppData\Local\Temp\d31a20d47acb6f78287e40f249f833dfc1ac7bfec8a16732d05088f17119d12f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un230970.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un230970.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5157.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5157.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837553.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837553.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837553.exe
    Filesize

    175KB

    MD5

    1a73e5a046c68aab510e0f287dc17ec7

    SHA1

    4b258df37f6c7a5e1e68b10e0afc54b834e732e5

    SHA256

    31b9d60c7ed2fe347a7c5ea919afa7b5028da1b24bc8d686171f3407fdea1b58

    SHA512

    2308b4369e8f0bbbbef49b063494a28f5051580245cd849dc1cca3947c39b87cd171675b601e5b084ff453f1302b0e7822ef428e25bf05ee87460c94e8122a08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837553.exe
    Filesize

    175KB

    MD5

    1a73e5a046c68aab510e0f287dc17ec7

    SHA1

    4b258df37f6c7a5e1e68b10e0afc54b834e732e5

    SHA256

    31b9d60c7ed2fe347a7c5ea919afa7b5028da1b24bc8d686171f3407fdea1b58

    SHA512

    2308b4369e8f0bbbbef49b063494a28f5051580245cd849dc1cca3947c39b87cd171675b601e5b084ff453f1302b0e7822ef428e25bf05ee87460c94e8122a08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un230970.exe
    Filesize

    553KB

    MD5

    3306ef28dde2f70c9202ef7a7c3c5a86

    SHA1

    1e70820ebf5661ab2766028911e7b4337e176bfa

    SHA256

    7f94188629921da6a497df3c7ca7f53fae1530000eca4e0a9ab0983ccce0fcd8

    SHA512

    188cdedc5b4cdc59b18e017f8cef0d51557ead5a177a08315d6aa0ad9cffdaf2b2fe24a68d84596ce990babed64e5c1b5b4f3acc547dc90012f9c0e29681e892

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un230970.exe
    Filesize

    553KB

    MD5

    3306ef28dde2f70c9202ef7a7c3c5a86

    SHA1

    1e70820ebf5661ab2766028911e7b4337e176bfa

    SHA256

    7f94188629921da6a497df3c7ca7f53fae1530000eca4e0a9ab0983ccce0fcd8

    SHA512

    188cdedc5b4cdc59b18e017f8cef0d51557ead5a177a08315d6aa0ad9cffdaf2b2fe24a68d84596ce990babed64e5c1b5b4f3acc547dc90012f9c0e29681e892

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
    Filesize

    308KB

    MD5

    e813a0d7a4fdaf3908ca0a281a7bbe1f

    SHA1

    7ecbb2a6e352137b3b482c251e15b24dd3f1f0e2

    SHA256

    431b4bc24e31c5f518dec79ba8c59b6f092cd9fcdb6ccdb0ae76ad6b2b48860d

    SHA512

    6e02a001c711bb7cf132c172df5c58ed8bb2e93ad11bac9ba498852b70ed35489bc49184c7bdbb3dc628d2b2e88c643d7ff66cd051528a2a05877a4f66f9a965

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
    Filesize

    308KB

    MD5

    e813a0d7a4fdaf3908ca0a281a7bbe1f

    SHA1

    7ecbb2a6e352137b3b482c251e15b24dd3f1f0e2

    SHA256

    431b4bc24e31c5f518dec79ba8c59b6f092cd9fcdb6ccdb0ae76ad6b2b48860d

    SHA512

    6e02a001c711bb7cf132c172df5c58ed8bb2e93ad11bac9ba498852b70ed35489bc49184c7bdbb3dc628d2b2e88c643d7ff66cd051528a2a05877a4f66f9a965

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5157.exe
    Filesize

    366KB

    MD5

    d3411496b845daf5b5ab1c7c43b20624

    SHA1

    c9452812196ddca69da385cd2f17045b87b05d81

    SHA256

    64a82d2cea95238cb8c85861fe15980655622bb4e8eb63fddead1fb2194e2838

    SHA512

    9dd67ad7986d0db5caefaad59859e15d5350714d93ff1553e75ba27666bcd56e896eb21243b8e2aea33dba2caa132a3efe361b61fc8b37dec478dcf22fedd744

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5157.exe
    Filesize

    366KB

    MD5

    d3411496b845daf5b5ab1c7c43b20624

    SHA1

    c9452812196ddca69da385cd2f17045b87b05d81

    SHA256

    64a82d2cea95238cb8c85861fe15980655622bb4e8eb63fddead1fb2194e2838

    SHA512

    9dd67ad7986d0db5caefaad59859e15d5350714d93ff1553e75ba27666bcd56e896eb21243b8e2aea33dba2caa132a3efe361b61fc8b37dec478dcf22fedd744

    Download Submit

  • memory/2592-136-0x0000000002640000-0x000000000265A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2592-137-0x0000000004E70000-0x000000000536E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2592-138-0x00000000027D0000-0x00000000027E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2592-139-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-140-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-142-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-144-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-146-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-148-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-151-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-153-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-154-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-152-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-149-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2592-158-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-156-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-160-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-162-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-164-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-166-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-168-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-170-0x00000000027D0000-0x00000000027E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-171-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2592-172-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-173-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-174-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-176-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3560-181-0x00000000025D0000-0x0000000002616000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3560-182-0x0000000004C80000-0x0000000004CC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3560-183-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-184-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-186-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-188-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-190-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-192-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-194-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-196-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-198-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-200-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-203-0x0000000000800000-0x000000000084B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3560-206-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-205-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-208-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-209-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-211-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-212-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-202-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-214-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-216-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-218-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-220-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3560-1093-0x0000000005840000-0x0000000005E46000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3560-1094-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3560-1095-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3560-1096-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-1097-0x0000000005410000-0x000000000544E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3560-1098-0x0000000005560000-0x00000000055AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3560-1100-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3560-1101-0x0000000005790000-0x00000000057F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3560-1102-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-1103-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-1104-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-1105-0x00000000065A0000-0x0000000006762000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3560-1106-0x0000000006790000-0x0000000006CBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3560-1107-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3560-1108-0x0000000006DF0000-0x0000000006E66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3560-1109-0x0000000006E80000-0x0000000006ED0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4728-1115-0x00000000007D0000-0x0000000000802000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4728-1116-0x0000000005210000-0x000000000525B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4728-1117-0x0000000005400000-0x0000000005410000-memory.dmp

    Filesize

    64KB

    Download