Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    362d1b3eb9ddadf7b534418afe3b697772bba6d36b08b3aa0831f6e206fda449.exe

  • Size

    695KB

  • MD5

    c6b2bb2bb922457cf0b8c447301a70d3

  • SHA1

    6216e634adcb3c7439bf8fb2c0e5300fc2b7020a

  • SHA256

    362d1b3eb9ddadf7b534418afe3b697772bba6d36b08b3aa0831f6e206fda449

  • SHA512

    eb523913fdf02693e04b6b6d2b048cbe36722a650d1ef34796908c62e14997807da82db0b782916e62a20bf9157a4f8ad6dc2dbdcdd12b21a97bdea92c51cdeb

  • SSDEEP

    12288:1Mrpy90C5NnVsMn6tdRvSUV4ewFr2oLjdRvPSJzpQ3JSJ9LeCEhEe2DCH0OS:4y/ahShvNbjdRyZpKqU5hEPuS

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\362d1b3eb9ddadf7b534418afe3b697772bba6d36b08b3aa0831f6e206fda449.exe
    "C:\Users\Admin\AppData\Local\Temp\362d1b3eb9ddadf7b534418afe3b697772bba6d36b08b3aa0831f6e206fda449.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un803726.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un803726.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9828.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9828.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3808.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3808.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803599.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803599.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803599.exe
    Filesize

    175KB

    MD5

    7b4fb415401933f220d191b0c5f963ac

    SHA1

    6b86bca2a0c5ba49f83f5c4edf54340adcb21288

    SHA256

    8f95e4d4ebc412d2fecd3d212b41ec021c01a29c7c58e181de367d0a747e078c

    SHA512

    0a1f42d4441581e3def3e86ddf9bc11b9ea0ce676f6a640192379b03f6cc735719bc512942088dbfde8eefe9a3530d05e4b7b0e1a17b11b0358481370eb06928

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803599.exe
    Filesize

    175KB

    MD5

    7b4fb415401933f220d191b0c5f963ac

    SHA1

    6b86bca2a0c5ba49f83f5c4edf54340adcb21288

    SHA256

    8f95e4d4ebc412d2fecd3d212b41ec021c01a29c7c58e181de367d0a747e078c

    SHA512

    0a1f42d4441581e3def3e86ddf9bc11b9ea0ce676f6a640192379b03f6cc735719bc512942088dbfde8eefe9a3530d05e4b7b0e1a17b11b0358481370eb06928

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un803726.exe
    Filesize

    553KB

    MD5

    91df1e73960f4578b1366c06e306edae

    SHA1

    47602d788245a6f1a7ce0281d5968206e9688a5d

    SHA256

    d712f545f5b04affcc0f344c20823a0e333fdd8526a82008572c41f622ebe624

    SHA512

    3b187d16a9bba1475d902c482327e9f356a2a4ccc23992e8c09c057739603a307784bcdd9021d7d86f3c8ea15ae4a906bdab15bfb6bcb7c703b12906283a6cf7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un803726.exe
    Filesize

    553KB

    MD5

    91df1e73960f4578b1366c06e306edae

    SHA1

    47602d788245a6f1a7ce0281d5968206e9688a5d

    SHA256

    d712f545f5b04affcc0f344c20823a0e333fdd8526a82008572c41f622ebe624

    SHA512

    3b187d16a9bba1475d902c482327e9f356a2a4ccc23992e8c09c057739603a307784bcdd9021d7d86f3c8ea15ae4a906bdab15bfb6bcb7c703b12906283a6cf7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9828.exe
    Filesize

    308KB

    MD5

    d4f8c029d7bc66f468c897f29661181e

    SHA1

    15855c72492bd0e4ea745373395eecd79794273d

    SHA256

    bd7e637086693d1c38aca4b090edc6a29a86c311348e1b1002f1145fb87bfef4

    SHA512

    c2ca1dc1326dbf29354ee2b3ce58d7be64e19ea61baf6f5d43ea56529921b644ce5ac2c4bdc32184e8eaed64b2adf164e63fe81fc6eac5edadbc59024dda8090

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9828.exe
    Filesize

    308KB

    MD5

    d4f8c029d7bc66f468c897f29661181e

    SHA1

    15855c72492bd0e4ea745373395eecd79794273d

    SHA256

    bd7e637086693d1c38aca4b090edc6a29a86c311348e1b1002f1145fb87bfef4

    SHA512

    c2ca1dc1326dbf29354ee2b3ce58d7be64e19ea61baf6f5d43ea56529921b644ce5ac2c4bdc32184e8eaed64b2adf164e63fe81fc6eac5edadbc59024dda8090

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3808.exe
    Filesize

    366KB

    MD5

    99720e0c2952704c8d07cf2a4b560a72

    SHA1

    3e6de64cbaa0b4227b5e409016747c29cf2cf03f

    SHA256

    fbe0a647a42996ad4342bf2efd8dab79d4bb6c30c5ddad5a460c48a516d153d4

    SHA512

    745b7135ff0a12ba4b64e6aa9601d628879a9915d261078602ffeb1d4d0701598a40086ae126bf783be99236ba4e61ae8a25955a4b3a6b53e19d274db109129d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3808.exe
    Filesize

    366KB

    MD5

    99720e0c2952704c8d07cf2a4b560a72

    SHA1

    3e6de64cbaa0b4227b5e409016747c29cf2cf03f

    SHA256

    fbe0a647a42996ad4342bf2efd8dab79d4bb6c30c5ddad5a460c48a516d153d4

    SHA512

    745b7135ff0a12ba4b64e6aa9601d628879a9915d261078602ffeb1d4d0701598a40086ae126bf783be99236ba4e61ae8a25955a4b3a6b53e19d274db109129d

    Download Submit

  • memory/388-1122-0x0000000000B80000-0x0000000000BB2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/388-1123-0x0000000005700000-0x0000000005710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/388-1124-0x0000000005700000-0x0000000005710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-162-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-174-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-154-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-153-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-156-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-158-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-160-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-151-0x0000000004D60000-0x0000000004D70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-164-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-166-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-168-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-170-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-172-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-152-0x0000000004D60000-0x0000000004D70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-176-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-178-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-180-0x0000000002620000-0x0000000002632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1472-181-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1472-182-0x0000000004D60000-0x0000000004D70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-183-0x0000000004D60000-0x0000000004D70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-184-0x0000000004D60000-0x0000000004D70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-186-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1472-150-0x0000000004D60000-0x0000000004D70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1472-149-0x0000000000710000-0x000000000073D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1472-148-0x0000000004D70000-0x0000000005314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4996-196-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-1101-0x0000000005410000-0x0000000005A28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4996-200-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-202-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-204-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-206-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-208-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-210-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-212-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-213-0x0000000000720000-0x000000000076B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4996-215-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-216-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-217-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-219-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-220-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-222-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-224-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-226-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-228-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-198-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-1102-0x0000000005A30000-0x0000000005B3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4996-1103-0x0000000004E10000-0x0000000004E22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4996-1104-0x0000000005B40000-0x0000000005B7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4996-1105-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-1106-0x0000000005E10000-0x0000000005EA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4996-1107-0x0000000005EB0000-0x0000000005F16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4996-1109-0x00000000066C0000-0x0000000006736000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4996-1110-0x0000000006740000-0x0000000006790000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4996-1111-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-1112-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-1113-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-1114-0x00000000067C0000-0x0000000006982000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4996-194-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-192-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-191-0x00000000027A0000-0x00000000027DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4996-1115-0x00000000069D0000-0x0000000006EFC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4996-1116-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download