Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    498495cd17341ed1e2e76d0d2376423351237895e05858748d162c67bdabee4e.exe

  • Size

    694KB

  • MD5

    14168cfc16760c81af1316d379f70773

  • SHA1

    0b5540b74ac7b89e39a8e42983545aee2fa307ae

  • SHA256

    498495cd17341ed1e2e76d0d2376423351237895e05858748d162c67bdabee4e

  • SHA512

    1e32ff4555a3469f4242b1eb756a6ff65fd07c77c7bc6842e1a067a640c2c52446d7d308c73fc7f4149acb0a8637da933ee0787ca29fbba7266f2746faeafd8a

  • SSDEEP

    12288:7Mr1y9053mGtvsFG0rAa3F7bBY7bsG+iEfvPStzoYCJERPrlk2m7nR:ayW3mGREdF7qv3+nydoV2Rjm7R

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\498495cd17341ed1e2e76d0d2376423351237895e05858748d162c67bdabee4e.exe
    "C:\Users\Admin\AppData\Local\Temp\498495cd17341ed1e2e76d0d2376423351237895e05858748d162c67bdabee4e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965028.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965028.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2412.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2412.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1737.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1737.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3620
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490091.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490091.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490091.exe
    Filesize

    175KB

    MD5

    afcc0fd394b1e52972d6191101c8fe18

    SHA1

    db7e0b7afb98c24716b2c34e225caf490fc86825

    SHA256

    0888de53ba34dd7bc01d8f867d023e2c0039459ceb499953137c029df153a8fb

    SHA512

    de173549360a0b50376be6eacc41c733bdbcc732925856a4cebd7b0ca59d22add9a46b0a80badbecb03b6d7ac89acbb0870031f826184d84ec6d4b87f0b7334b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490091.exe
    Filesize

    175KB

    MD5

    afcc0fd394b1e52972d6191101c8fe18

    SHA1

    db7e0b7afb98c24716b2c34e225caf490fc86825

    SHA256

    0888de53ba34dd7bc01d8f867d023e2c0039459ceb499953137c029df153a8fb

    SHA512

    de173549360a0b50376be6eacc41c733bdbcc732925856a4cebd7b0ca59d22add9a46b0a80badbecb03b6d7ac89acbb0870031f826184d84ec6d4b87f0b7334b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965028.exe
    Filesize

    553KB

    MD5

    2ef1ef4bdb4e804a9140d28d48a3587e

    SHA1

    d08667d143d22ce33482d49d75bd7faad3e5c03b

    SHA256

    6f1a3c8002beeb3c299ded9cf4f29b6bc95757e85a42b35d2ec2923c2573390d

    SHA512

    4f73f5d55bcbe677727fdd7af0d972d060346a04ad427c694b935548457ff96c6f98728ff0967348769e76702eb055d0b560dddf2e16bafe8b08314f70cf68de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965028.exe
    Filesize

    553KB

    MD5

    2ef1ef4bdb4e804a9140d28d48a3587e

    SHA1

    d08667d143d22ce33482d49d75bd7faad3e5c03b

    SHA256

    6f1a3c8002beeb3c299ded9cf4f29b6bc95757e85a42b35d2ec2923c2573390d

    SHA512

    4f73f5d55bcbe677727fdd7af0d972d060346a04ad427c694b935548457ff96c6f98728ff0967348769e76702eb055d0b560dddf2e16bafe8b08314f70cf68de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2412.exe
    Filesize

    308KB

    MD5

    94db9d5e465dc08a4978b21a429d84d8

    SHA1

    2c710b76fb3392625303e8f7def255c209f3821e

    SHA256

    1b1e1b66e41ecead038a164f2d8a72c9d19dcd9fd4fc27ae69c41e08c2bffc4f

    SHA512

    20994ed132dd6545a1b441ddaf822febca38eb69a3796cc539b7720119a40e9b7e84dfd28473bc7538e35aea2f747841867a05916e38fc7d5d321e943cb6cbf8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2412.exe
    Filesize

    308KB

    MD5

    94db9d5e465dc08a4978b21a429d84d8

    SHA1

    2c710b76fb3392625303e8f7def255c209f3821e

    SHA256

    1b1e1b66e41ecead038a164f2d8a72c9d19dcd9fd4fc27ae69c41e08c2bffc4f

    SHA512

    20994ed132dd6545a1b441ddaf822febca38eb69a3796cc539b7720119a40e9b7e84dfd28473bc7538e35aea2f747841867a05916e38fc7d5d321e943cb6cbf8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1737.exe
    Filesize

    366KB

    MD5

    8f19af0596f062fb60b4befaf18665ec

    SHA1

    eda99b91167ee59baba594efcb74f3ba4bdce918

    SHA256

    35d920842dc0c7d898ff2a78e0620f082de41176983afd7d5d77cc448c463e40

    SHA512

    62f5702b31733e426c20c5d5c79f87682cb72459b997ecba316be05c99148451ee7ce2bd4855191ab8f62dfb7e3f9784814f2612c17ee308a7d13b07d7408d04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1737.exe
    Filesize

    366KB

    MD5

    8f19af0596f062fb60b4befaf18665ec

    SHA1

    eda99b91167ee59baba594efcb74f3ba4bdce918

    SHA256

    35d920842dc0c7d898ff2a78e0620f082de41176983afd7d5d77cc448c463e40

    SHA512

    62f5702b31733e426c20c5d5c79f87682cb72459b997ecba316be05c99148451ee7ce2bd4855191ab8f62dfb7e3f9784814f2612c17ee308a7d13b07d7408d04

    Download Submit

  • memory/2396-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2396-137-0x0000000000940000-0x000000000095A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2396-138-0x0000000004DD0000-0x00000000052CE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2396-139-0x0000000004C30000-0x0000000004C48000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2396-140-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-141-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-142-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-143-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-144-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-146-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-150-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-148-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-152-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-170-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2396-171-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2396-172-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-173-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-174-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-176-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2584-1115-0x0000000000600000-0x0000000000632000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2584-1117-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2584-1116-0x0000000005040000-0x000000000508B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3620-183-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-216-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-184-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-186-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-187-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-188-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-190-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-192-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-194-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-196-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-198-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-200-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-202-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-206-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-204-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-208-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-210-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-212-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-214-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-185-0x00000000051C0000-0x0000000005204000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3620-218-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-220-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3620-1093-0x0000000005840000-0x0000000005E46000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3620-1094-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3620-1095-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3620-1096-0x0000000005410000-0x000000000544E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3620-1097-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-1098-0x0000000005560000-0x00000000055AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3620-1100-0x00000000056F0000-0x0000000005756000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3620-1101-0x00000000063D0000-0x0000000006462000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3620-1102-0x0000000006580000-0x00000000065F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3620-1103-0x0000000006610000-0x0000000006660000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3620-1104-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-1105-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-1106-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3620-182-0x00000000007F0000-0x000000000083B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3620-181-0x0000000004C40000-0x0000000004C86000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3620-1107-0x0000000006920000-0x0000000006AE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3620-1108-0x0000000006AF0000-0x000000000701C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3620-1109-0x0000000002450000-0x0000000002460000-memory.dmp

    Filesize

    64KB

    Download