Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b54ae49df72411a273b7809d43291eabd83f3b8bc14dd158701a0eb9ea70565.exe

  • Size

    695KB

  • MD5

    94e734b4c07fb565b50a0acccfc4a14d

  • SHA1

    ee5f060ae62732d1d42b92520734fb185f3d2dae

  • SHA256

    0b54ae49df72411a273b7809d43291eabd83f3b8bc14dd158701a0eb9ea70565

  • SHA512

    b7f1300b96286ccb9d0865d82a823dfd0cbf1ef6b3b89e1c4c855dcdab0efbc838809eeaf3e72b9b6c601e205b7405030bfc830460e12f4d86bfe87453ee3359

  • SSDEEP

    12288:oMrJy90cTMTyfD1exzYE+v3D0fqhiIPsRciKwvPSrzFJmJCeAbQt:RyjqYozYpD0fqhiIPsOiKwynFcHt

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b54ae49df72411a273b7809d43291eabd83f3b8bc14dd158701a0eb9ea70565.exe
    "C:\Users\Admin\AppData\Local\Temp\0b54ae49df72411a273b7809d43291eabd83f3b8bc14dd158701a0eb9ea70565.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un276916.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un276916.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1078.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1078.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9326.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9326.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si980574.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si980574.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si980574.exe
    Filesize

    175KB

    MD5

    ffb1be551157d869bb69a9603a8cb2c3

    SHA1

    46ed8655382534c060a176a1bd5e8a9044e733f2

    SHA256

    1b19f89aec41cc1658e1cee1fff164d6f6e11c5420ff3194d547f45e7b09ab74

    SHA512

    36dfa56c4ada78173b442f45422f6d58e2f8bbd66df3ff08f69bc5ac20e86ecfc45517a0b176910f5daad3b188c3b233ab25698cabb737df69f926ec2020bbb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si980574.exe
    Filesize

    175KB

    MD5

    ffb1be551157d869bb69a9603a8cb2c3

    SHA1

    46ed8655382534c060a176a1bd5e8a9044e733f2

    SHA256

    1b19f89aec41cc1658e1cee1fff164d6f6e11c5420ff3194d547f45e7b09ab74

    SHA512

    36dfa56c4ada78173b442f45422f6d58e2f8bbd66df3ff08f69bc5ac20e86ecfc45517a0b176910f5daad3b188c3b233ab25698cabb737df69f926ec2020bbb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un276916.exe
    Filesize

    553KB

    MD5

    4a1d7274e1e1d73d051b42a9dfcadbc0

    SHA1

    c2d83db616f213abe996998c1188e4a655b9d2e0

    SHA256

    558e61a34d990602b7990aed6d77fb9d465bdac86f1ff83af7e69726b24f9446

    SHA512

    824511b92291ed76e3acd5fa6127e5f813a237c1b000e5a3ca28464e0e7fe14b68b0f32b582059ff88637e2c6412ef5cf4853a80635dee44073e5be56471a254

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un276916.exe
    Filesize

    553KB

    MD5

    4a1d7274e1e1d73d051b42a9dfcadbc0

    SHA1

    c2d83db616f213abe996998c1188e4a655b9d2e0

    SHA256

    558e61a34d990602b7990aed6d77fb9d465bdac86f1ff83af7e69726b24f9446

    SHA512

    824511b92291ed76e3acd5fa6127e5f813a237c1b000e5a3ca28464e0e7fe14b68b0f32b582059ff88637e2c6412ef5cf4853a80635dee44073e5be56471a254

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1078.exe
    Filesize

    308KB

    MD5

    b21be4b1d98b992edc89f82fa93fdc39

    SHA1

    a4366e322bf95cc655f9287c627c5c9183d1bc71

    SHA256

    a53d938635dd87772c3c9bd7b8ab2024c18c5c3cb5e6ba4cd451094e0baec626

    SHA512

    829b56411d4d368625589788ee07371dfaacc541f095ba7597ab955458a4986955b23bf3f0e8b10a286c78f0384772058422a0e53ba6a8e71754221174fbab44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1078.exe
    Filesize

    308KB

    MD5

    b21be4b1d98b992edc89f82fa93fdc39

    SHA1

    a4366e322bf95cc655f9287c627c5c9183d1bc71

    SHA256

    a53d938635dd87772c3c9bd7b8ab2024c18c5c3cb5e6ba4cd451094e0baec626

    SHA512

    829b56411d4d368625589788ee07371dfaacc541f095ba7597ab955458a4986955b23bf3f0e8b10a286c78f0384772058422a0e53ba6a8e71754221174fbab44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9326.exe
    Filesize

    366KB

    MD5

    c95f96630211639f2f9497534b3c66ab

    SHA1

    fe225b635b3a7b1dd4cfeae1808bfc02a822c216

    SHA256

    19edd77a0a3cf31d94f9b2e237c05efe88829579f7c824055d09356919568cec

    SHA512

    2432651a9a2c1158488a57fa1150faea2262f143f71a6f74b5f951876cba8af46aac9b9ec11b8003917388618fb88b79e09c6be1eae68e34bcdcf760a1d2e966

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9326.exe
    Filesize

    366KB

    MD5

    c95f96630211639f2f9497534b3c66ab

    SHA1

    fe225b635b3a7b1dd4cfeae1808bfc02a822c216

    SHA256

    19edd77a0a3cf31d94f9b2e237c05efe88829579f7c824055d09356919568cec

    SHA512

    2432651a9a2c1158488a57fa1150faea2262f143f71a6f74b5f951876cba8af46aac9b9ec11b8003917388618fb88b79e09c6be1eae68e34bcdcf760a1d2e966

    Download Submit

  • memory/3880-1091-0x0000000005840000-0x0000000005E46000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3880-1094-0x0000000005410000-0x000000000544E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3880-211-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-194-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-210-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-198-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-207-0x0000000000850000-0x000000000089B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3880-206-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-1107-0x0000000007C50000-0x000000000817C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3880-1106-0x0000000007A80000-0x0000000007C42000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3880-1105-0x0000000007A10000-0x0000000007A60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3880-1104-0x0000000007980000-0x00000000079F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3880-1103-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-1102-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-1101-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-1100-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-1098-0x0000000005790000-0x00000000057F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3880-1097-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3880-200-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-1096-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-1095-0x0000000005560000-0x00000000055AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3880-209-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-1093-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3880-1092-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3880-218-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-179-0x0000000004C20000-0x0000000004C66000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3880-180-0x0000000004CA0000-0x0000000004CE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3880-182-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-181-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-184-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-186-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-188-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-190-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-192-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-214-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-216-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-213-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-196-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-202-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3880-204-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3952-1113-0x0000000000FC0000-0x0000000000FF2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3952-1114-0x0000000005840000-0x000000000588B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3952-1115-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-1116-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4124-169-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4124-139-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4124-144-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-141-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4124-136-0x0000000004C30000-0x0000000004C48000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4124-138-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4124-174-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4124-172-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4124-171-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4124-170-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4124-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-152-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-150-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-135-0x0000000004CA0000-0x000000000519E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4124-134-0x0000000002490000-0x00000000024AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4124-148-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-146-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-142-0x0000000004C30000-0x0000000004C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4124-140-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download