Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ede319c36ca8a447f51fe51b1e6c049398ed2a5abc37baa636be2f4064339465.exe

  • Size

    696KB

  • MD5

    c9922b38dddf2d3815af1b655d5cb24e

  • SHA1

    47d9e67204afa0f75da59de6d515c75e8d46c680

  • SHA256

    ede319c36ca8a447f51fe51b1e6c049398ed2a5abc37baa636be2f4064339465

  • SHA512

    9bb801848938c24324fd5962b3b1153faaf54ce94fee138d89d65af7f5c492b7b3cc68e7590e5426cb2e83944eae9a7952feccf84df116d5d0d77916d54d6a64

  • SSDEEP

    12288:VMrdy90yCM+7cuFcH7gVSa/hJkjaEEHL2Vdl/JzvHRJitEnqqrd6:Qy+I+nVjXEqId9Zvx2EX6

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ede319c36ca8a447f51fe51b1e6c049398ed2a5abc37baa636be2f4064339465.exe
    "C:\Users\Admin\AppData\Local\Temp\ede319c36ca8a447f51fe51b1e6c049398ed2a5abc37baa636be2f4064339465.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713230.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713230.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0619.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0619.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2695.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2695.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:912
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si015714.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si015714.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5116

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si015714.exe
    Filesize

    175KB

    MD5

    f350d16c9f0f3ac515c606c9772e9538

    SHA1

    261d8f4b513b9a46392bf64174290897c27c243e

    SHA256

    b6636eefc797135fc3d1a3345baeb0be6fd251f3390f708a1b24c602ad81b88d

    SHA512

    26f314cfff0bd0bbfe3937ead4902a03298a7587e61732424ded264782be38382b27465d948fce5038f29deb57659eb9802ddaadd86f43f29b23d3f79d500dfc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si015714.exe
    Filesize

    175KB

    MD5

    f350d16c9f0f3ac515c606c9772e9538

    SHA1

    261d8f4b513b9a46392bf64174290897c27c243e

    SHA256

    b6636eefc797135fc3d1a3345baeb0be6fd251f3390f708a1b24c602ad81b88d

    SHA512

    26f314cfff0bd0bbfe3937ead4902a03298a7587e61732424ded264782be38382b27465d948fce5038f29deb57659eb9802ddaadd86f43f29b23d3f79d500dfc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713230.exe
    Filesize

    553KB

    MD5

    6c6b1facd67688a3b6a169a62245b7c2

    SHA1

    b3070fa3b72475efc57d7ca891469da4b796bd5f

    SHA256

    f8d20398c0237fd27032327f66408adcf79368f08573f48be481626c5974c3e1

    SHA512

    e32380a4600d898b8045d8fa2b154e92374a1e1fd4f85abe971b962aab04c1bfe82f2fbd5e892522215d53e9638dd88e368a9ff85a3c20c9e77e14d0ae753cc3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713230.exe
    Filesize

    553KB

    MD5

    6c6b1facd67688a3b6a169a62245b7c2

    SHA1

    b3070fa3b72475efc57d7ca891469da4b796bd5f

    SHA256

    f8d20398c0237fd27032327f66408adcf79368f08573f48be481626c5974c3e1

    SHA512

    e32380a4600d898b8045d8fa2b154e92374a1e1fd4f85abe971b962aab04c1bfe82f2fbd5e892522215d53e9638dd88e368a9ff85a3c20c9e77e14d0ae753cc3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0619.exe
    Filesize

    308KB

    MD5

    6f379817230f034eb8b501e99ccdbe67

    SHA1

    8e8a65b1b7371726499a9a729066dd376c12c870

    SHA256

    3011ec88a65ab2e4f351587cca3a133b410242333e45eaa34e58c94b1f630482

    SHA512

    29d614279e3c6ac8ee056e34098b8de89df343eeae008f123d642190327c00f08fa49da908d655e973e528a6684357a2d452732e3159e5ee7aaf190a04565698

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0619.exe
    Filesize

    308KB

    MD5

    6f379817230f034eb8b501e99ccdbe67

    SHA1

    8e8a65b1b7371726499a9a729066dd376c12c870

    SHA256

    3011ec88a65ab2e4f351587cca3a133b410242333e45eaa34e58c94b1f630482

    SHA512

    29d614279e3c6ac8ee056e34098b8de89df343eeae008f123d642190327c00f08fa49da908d655e973e528a6684357a2d452732e3159e5ee7aaf190a04565698

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2695.exe
    Filesize

    366KB

    MD5

    9d6bf65bb895360fabd71a67aea6bfb3

    SHA1

    ca76c9eff92f0c847d1adff7c9ac5fdb2ab40845

    SHA256

    23b613328ebc081fe4da65b60ea03422796e549ab9d60457485aeede9fafa39f

    SHA512

    1707a21981b5075ce9a74b7467bccd7b07cf5a97ff0bad70d92649b68585f1273ff49d94934d03f1cc676da5ab161c63a8461065f371f65447da3360c0c78b97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2695.exe
    Filesize

    366KB

    MD5

    9d6bf65bb895360fabd71a67aea6bfb3

    SHA1

    ca76c9eff92f0c847d1adff7c9ac5fdb2ab40845

    SHA256

    23b613328ebc081fe4da65b60ea03422796e549ab9d60457485aeede9fafa39f

    SHA512

    1707a21981b5075ce9a74b7467bccd7b07cf5a97ff0bad70d92649b68585f1273ff49d94934d03f1cc676da5ab161c63a8461065f371f65447da3360c0c78b97

    Download Submit

  • memory/912-1099-0x0000000005470000-0x0000000005A88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/912-1102-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-1114-0x0000000006B00000-0x000000000702C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/912-1113-0x0000000006930000-0x0000000006AF2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/912-1112-0x00000000068B0000-0x0000000006900000-memory.dmp

    Filesize

    320KB

    Download

  • memory/912-1111-0x0000000006820000-0x0000000006896000-memory.dmp

    Filesize

    472KB

    Download

  • memory/912-1110-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-1109-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-1108-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-1107-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-1105-0x0000000005EB0000-0x0000000005F16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/912-1104-0x0000000005E10000-0x0000000005EA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/912-1103-0x0000000004E30000-0x0000000004E6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/912-1101-0x0000000004E10000-0x0000000004E22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/912-1100-0x0000000005A90000-0x0000000005B9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/912-226-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-224-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-222-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-220-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-218-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-216-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-214-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-190-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-191-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-193-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-195-0x0000000000840000-0x000000000088B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/912-196-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-198-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/912-197-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-200-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-202-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-204-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-206-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-208-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-210-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-212-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4656-173-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-185-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4656-171-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-169-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-182-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4656-181-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4656-180-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4656-150-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4656-179-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-177-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-153-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-175-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-151-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4656-152-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-183-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4656-167-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-165-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-163-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-161-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-159-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-157-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-155-0x0000000002500000-0x0000000002512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4656-149-0x00000000007E0000-0x000000000080D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4656-148-0x0000000004F30000-0x00000000054D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5116-1120-0x00000000006D0000-0x0000000000702000-memory.dmp

    Filesize

    200KB

    Download

  • memory/5116-1121-0x0000000005250000-0x0000000005260000-memory.dmp

    Filesize

    64KB

    Download