Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    404ca2b2dd319a0ad8230285b16e4054f754188c3b1bf3a0ecce7de031b4b76a.exe

  • Size

    695KB

  • MD5

    e28ca4dbf89ec2417e4e6d177147fc84

  • SHA1

    5f0c23f0dd62c926ff7b8dfcece4ed5f2b9317d1

  • SHA256

    404ca2b2dd319a0ad8230285b16e4054f754188c3b1bf3a0ecce7de031b4b76a

  • SHA512

    92136ebf9a0743902551437a28d23fa27697affd2f5a8836e4d3c138d918d007b8c93d67bb5411272d5736a3ba32f015ff8a88bfc4c3ad90181780e7f41ff96b

  • SSDEEP

    12288:BMr7y90TfNx4Mwrbqa1UWfQq5AMylytMeO47k+vyZvzNr9JcXjx5:iyClehvbsMylyueN7TvqNxejx5

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\404ca2b2dd319a0ad8230285b16e4054f754188c3b1bf3a0ecce7de031b4b76a.exe
    "C:\Users\Admin\AppData\Local\Temp\404ca2b2dd319a0ad8230285b16e4054f754188c3b1bf3a0ecce7de031b4b76a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un456702.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un456702.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9214.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9214.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8063.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8063.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si560228.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si560228.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si560228.exe
    Filesize

    175KB

    MD5

    738e66588507f88f42df8aa18183a17b

    SHA1

    152ec39362dd7014960e6a6f4b34069fad4baee4

    SHA256

    3397b86bee5dddbfb50313930711bf3dae950c20dcd2112165c839f60af06d4d

    SHA512

    7e9d78f700b2515ef0b0a63fcaf2d0af580256b6ff0e00d2359c7a5cbd11936c64fd9c3343a8be6a7ef3d028db0b83795ca891195753f4bff692f9cee17fb3d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si560228.exe
    Filesize

    175KB

    MD5

    738e66588507f88f42df8aa18183a17b

    SHA1

    152ec39362dd7014960e6a6f4b34069fad4baee4

    SHA256

    3397b86bee5dddbfb50313930711bf3dae950c20dcd2112165c839f60af06d4d

    SHA512

    7e9d78f700b2515ef0b0a63fcaf2d0af580256b6ff0e00d2359c7a5cbd11936c64fd9c3343a8be6a7ef3d028db0b83795ca891195753f4bff692f9cee17fb3d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un456702.exe
    Filesize

    553KB

    MD5

    4699a139de882aba0b2d3ebb9870d5df

    SHA1

    8b16c7ba67c0c5688879a5302df2a11906771dac

    SHA256

    98130baeb90844705b9fed7a93a07fdb7f3a09fdd113b670f01dedb9412327e7

    SHA512

    e98a0dc3856d26a03c4036dc28cbb017d3243098bc60c154e916861831d4c96dcbbc4118b66646514b3d093dd3797817196c2d0d2ea10191abaa908ff1bc0676

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un456702.exe
    Filesize

    553KB

    MD5

    4699a139de882aba0b2d3ebb9870d5df

    SHA1

    8b16c7ba67c0c5688879a5302df2a11906771dac

    SHA256

    98130baeb90844705b9fed7a93a07fdb7f3a09fdd113b670f01dedb9412327e7

    SHA512

    e98a0dc3856d26a03c4036dc28cbb017d3243098bc60c154e916861831d4c96dcbbc4118b66646514b3d093dd3797817196c2d0d2ea10191abaa908ff1bc0676

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9214.exe
    Filesize

    308KB

    MD5

    9c3a563510f85eaf115731f2de65dfd6

    SHA1

    1aed5374aac3275adace3b2939b104a2e0e6b59b

    SHA256

    a61a6d0f1b47f661646911ad05dd34f862a7d22c398eeac0842047e6472e862e

    SHA512

    f192a0c1de8af1cb6a5320277a0ebf0e9962fa9349b2bf7519d1dc0fc85c1a1763be957253315360541016e25a3967887d3307f98770ef28a79a43dce157f767

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9214.exe
    Filesize

    308KB

    MD5

    9c3a563510f85eaf115731f2de65dfd6

    SHA1

    1aed5374aac3275adace3b2939b104a2e0e6b59b

    SHA256

    a61a6d0f1b47f661646911ad05dd34f862a7d22c398eeac0842047e6472e862e

    SHA512

    f192a0c1de8af1cb6a5320277a0ebf0e9962fa9349b2bf7519d1dc0fc85c1a1763be957253315360541016e25a3967887d3307f98770ef28a79a43dce157f767

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8063.exe
    Filesize

    366KB

    MD5

    4a2243634c7ffe3eeb286a2b441ef662

    SHA1

    c9e2a48df6383e59fc5b05ef9c1904e97bf99c2a

    SHA256

    8bc8f719f985a325238046844b8f4eff620bb91e0a908f6bf1801dd0298c8cb9

    SHA512

    a8681ae8c8640b18ed32511d822c5c5acd50900b90a3ff516c065d8903dbe05c4637b01a08c74246f746abfde36af42a6f7294499337f0d7a89a2f22b5cabf18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8063.exe
    Filesize

    366KB

    MD5

    4a2243634c7ffe3eeb286a2b441ef662

    SHA1

    c9e2a48df6383e59fc5b05ef9c1904e97bf99c2a

    SHA256

    8bc8f719f985a325238046844b8f4eff620bb91e0a908f6bf1801dd0298c8cb9

    SHA512

    a8681ae8c8640b18ed32511d822c5c5acd50900b90a3ff516c065d8903dbe05c4637b01a08c74246f746abfde36af42a6f7294499337f0d7a89a2f22b5cabf18

    Download Submit

  • memory/1016-1120-0x00000000007E0000-0x0000000000812000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1016-1121-0x00000000050B0000-0x00000000050C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-158-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-168-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-151-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-152-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-154-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-156-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-149-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-160-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-162-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-164-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-166-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-150-0x0000000004F40000-0x00000000054E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1920-170-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-172-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-177-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-175-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-174-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-178-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-180-0x0000000002670000-0x0000000002682000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-181-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1920-182-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-184-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1920-148-0x00000000007E0000-0x000000000080D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3368-192-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-262-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-194-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-196-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-198-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-200-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-202-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-204-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-206-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-208-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-210-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-212-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-214-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-216-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-218-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-220-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-222-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-258-0x00000000007F0000-0x000000000083B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3368-260-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-190-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-264-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-1099-0x0000000005480000-0x0000000005A98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3368-1100-0x0000000005B00000-0x0000000005C0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3368-1101-0x0000000005C40000-0x0000000005C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3368-1102-0x0000000005C60000-0x0000000005C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3368-1103-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-1105-0x0000000005F50000-0x0000000005FB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3368-1106-0x0000000006620000-0x00000000066B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3368-1107-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-1108-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-1109-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-1110-0x0000000006710000-0x00000000068D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3368-1111-0x00000000068F0000-0x0000000006E1C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3368-189-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3368-1112-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-1113-0x0000000007190000-0x0000000007206000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3368-1114-0x0000000007420000-0x0000000007470000-memory.dmp

    Filesize

    320KB

    Download