Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b73677a40d5ec0a2af9f23fef8356ea27683eee3d116da92d53ad70e9cb2bb5.exe

  • Size

    695KB

  • MD5

    0bdb50db27e3a582914deeffdb0db3d5

  • SHA1

    45489b92bf83cb236546cb59a7c6df00e33520ef

  • SHA256

    7b73677a40d5ec0a2af9f23fef8356ea27683eee3d116da92d53ad70e9cb2bb5

  • SHA512

    1f1267ce21bd8fe0d371a5b5045d419d7fd2539c2b985171bd2558762ce0ccc4f337c18619258a606352f3f8a25830a166bf3a63b54c44b0e76211dcd5c1449e

  • SSDEEP

    12288:vMrNy90oh3SvVPr4Fz79i6jjLPfQUMylWgz4W1IjzM7zskrJ186EZWPrr:CyxhC1r4d48zHMylW44W1WzAs0BEITr

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b73677a40d5ec0a2af9f23fef8356ea27683eee3d116da92d53ad70e9cb2bb5.exe
    "C:\Users\Admin\AppData\Local\Temp\7b73677a40d5ec0a2af9f23fef8356ea27683eee3d116da92d53ad70e9cb2bb5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652832.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3547.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3547.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4043.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4043.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si302681.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si302681.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si302681.exe
    Filesize

    175KB

    MD5

    efd1c0ec3b3f5d70e2d4fd43351c81a4

    SHA1

    ea2869b33807e1d01b8901bccf785e47598ed86f

    SHA256

    4b373fe4f094ac74db89698f1a1cce5c458810389206a43dbc33d4fe8e18d7c6

    SHA512

    16d0b6ffbabe01b97fcea2b94cc05907c89dbf4d7356f83ab1e5fdf621af5d3224ef1dfd17772a544c2895f25d3b4111afde9c5aebb856b0c8c04fcf2b3ff377

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si302681.exe
    Filesize

    175KB

    MD5

    efd1c0ec3b3f5d70e2d4fd43351c81a4

    SHA1

    ea2869b33807e1d01b8901bccf785e47598ed86f

    SHA256

    4b373fe4f094ac74db89698f1a1cce5c458810389206a43dbc33d4fe8e18d7c6

    SHA512

    16d0b6ffbabe01b97fcea2b94cc05907c89dbf4d7356f83ab1e5fdf621af5d3224ef1dfd17772a544c2895f25d3b4111afde9c5aebb856b0c8c04fcf2b3ff377

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652832.exe
    Filesize

    553KB

    MD5

    3ed9295d62ed9e15d70636606e9ad158

    SHA1

    e7d292f620566346ccbce530a7ed05b17bf0d3b5

    SHA256

    181a043ee70c68fc9d1fe7d47fd98acadeefc1dd16cc24e61db9f272c91efb1f

    SHA512

    0cf51e1d21a79c69a7f27eb0176047a260b3ae0f17f199fcf0e70fec536fb09aac6266f38def2702ebd26582aa33d71da02fc3300ee555a727a395b4f8d0f9f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652832.exe
    Filesize

    553KB

    MD5

    3ed9295d62ed9e15d70636606e9ad158

    SHA1

    e7d292f620566346ccbce530a7ed05b17bf0d3b5

    SHA256

    181a043ee70c68fc9d1fe7d47fd98acadeefc1dd16cc24e61db9f272c91efb1f

    SHA512

    0cf51e1d21a79c69a7f27eb0176047a260b3ae0f17f199fcf0e70fec536fb09aac6266f38def2702ebd26582aa33d71da02fc3300ee555a727a395b4f8d0f9f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3547.exe
    Filesize

    308KB

    MD5

    ac7558bfcc52f73a995f92f2b93afa5f

    SHA1

    b59e60bfcebf6e304b83569bf3f941b393eeb9b5

    SHA256

    9a0783fe18586014eb144f5d5b8c6f09575e818cc5d31ade5b2e16d9f34269eb

    SHA512

    150ae79e5120808f4b68b00cdaee3ca4065206e4986c57d3df07073eddf346dc80d1205d54004975562cac165b52f2ef97aecbce98c7bd46d3909d3375d06f86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3547.exe
    Filesize

    308KB

    MD5

    ac7558bfcc52f73a995f92f2b93afa5f

    SHA1

    b59e60bfcebf6e304b83569bf3f941b393eeb9b5

    SHA256

    9a0783fe18586014eb144f5d5b8c6f09575e818cc5d31ade5b2e16d9f34269eb

    SHA512

    150ae79e5120808f4b68b00cdaee3ca4065206e4986c57d3df07073eddf346dc80d1205d54004975562cac165b52f2ef97aecbce98c7bd46d3909d3375d06f86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4043.exe
    Filesize

    366KB

    MD5

    f09d659ca5ee4767333b59bfcac51de3

    SHA1

    36ab71983bdae700c39c469ef7b771f692c73712

    SHA256

    109d37259d7ea4a7449d479e3075381dea4ae40ab53b3fb1c3ae49ae7b44362f

    SHA512

    9d755db23da5c3198aac903181669fc3be5500bc66e11c755c7714917dea66079ee3cbfd8487546b6bab3408a5398dd4dc0d8eb6d316021fb93990825d97da51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4043.exe
    Filesize

    366KB

    MD5

    f09d659ca5ee4767333b59bfcac51de3

    SHA1

    36ab71983bdae700c39c469ef7b771f692c73712

    SHA256

    109d37259d7ea4a7449d479e3075381dea4ae40ab53b3fb1c3ae49ae7b44362f

    SHA512

    9d755db23da5c3198aac903181669fc3be5500bc66e11c755c7714917dea66079ee3cbfd8487546b6bab3408a5398dd4dc0d8eb6d316021fb93990825d97da51

    Download Submit

  • memory/1324-148-0x0000000000710000-0x000000000073D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1324-149-0x0000000004E50000-0x00000000053F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1324-150-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-151-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-163-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1324-167-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1324-165-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1324-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-181-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1324-184-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1324-183-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1324-185-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-190-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-193-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-195-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-197-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-199-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-201-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-203-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-205-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-207-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-215-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-217-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-219-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-223-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1396-250-0x0000000000820000-0x000000000086B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1396-252-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-254-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-256-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-1100-0x0000000005450000-0x0000000005A68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1396-1101-0x0000000005A70000-0x0000000005B7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1396-1102-0x0000000004E10000-0x0000000004E22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1396-1103-0x0000000004E30000-0x0000000004E6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1396-1104-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-1105-0x0000000005E10000-0x0000000005EA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1396-1106-0x0000000005EB0000-0x0000000005F16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1396-1108-0x00000000066D0000-0x0000000006892000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1396-1109-0x00000000068A0000-0x0000000006DCC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1396-1110-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-1111-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-1112-0x0000000006F00000-0x0000000006F76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1396-1113-0x0000000006F90000-0x0000000006FE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1396-1114-0x0000000004E90000-0x0000000004EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3912-1120-0x0000000000D70000-0x0000000000DA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3912-1121-0x0000000005960000-0x0000000005970000-memory.dmp

    Filesize

    64KB

    Download