Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bdfcd904e1dca1031feb664a0d7cf2a58162fbdde2100fa8231dcf7a59a2302.exe

  • Size

    696KB

  • MD5

    d2f2c2b3c76b086e06adc95b7b5c19e4

  • SHA1

    c0d62277b2ef94a862c98f6e9ea344bd01e1dfc7

  • SHA256

    7bdfcd904e1dca1031feb664a0d7cf2a58162fbdde2100fa8231dcf7a59a2302

  • SHA512

    ec9304b39014cbd4530a9d9af29132f8720ecb353b5b6b710d87e46b1e69bea21811e1d9e840547b809200a7a4b31fbcb293176675743bb657b5e7cca94e379e

  • SSDEEP

    12288:9Mrdy90OF6wJIFUXedABUtJjLcGuPlh3+L5WD7MNzB36JKHw/9G8qbj:wyNLKFUXe75LcGelhQ5W/WBqQwqbj

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bdfcd904e1dca1031feb664a0d7cf2a58162fbdde2100fa8231dcf7a59a2302.exe
    "C:\Users\Admin\AppData\Local\Temp\7bdfcd904e1dca1031feb664a0d7cf2a58162fbdde2100fa8231dcf7a59a2302.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729074.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729074.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8515.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8515.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3281.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3281.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si974193.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si974193.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si974193.exe
    Filesize

    175KB

    MD5

    f27b1ddeec37f413ea872d35c4aa88dc

    SHA1

    8cfef5f2d7a55f9fe5785226feead7ce0fdc6cd5

    SHA256

    2ca3eecdb40d61bedd5ec3f6cf67e850f582187f00de262dc79765a9a28ab2a3

    SHA512

    a96ac5b5b328d8745a0813da3c6cdc680cb7c4b8912566f18c1fa87e538d336e4c3f97c71ef742ff44fce66f4abd0c5a634b0ce2a074e4bf5584bf0d1539c823

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si974193.exe
    Filesize

    175KB

    MD5

    f27b1ddeec37f413ea872d35c4aa88dc

    SHA1

    8cfef5f2d7a55f9fe5785226feead7ce0fdc6cd5

    SHA256

    2ca3eecdb40d61bedd5ec3f6cf67e850f582187f00de262dc79765a9a28ab2a3

    SHA512

    a96ac5b5b328d8745a0813da3c6cdc680cb7c4b8912566f18c1fa87e538d336e4c3f97c71ef742ff44fce66f4abd0c5a634b0ce2a074e4bf5584bf0d1539c823

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729074.exe
    Filesize

    553KB

    MD5

    594e829bbd166b598f13c34a44819dec

    SHA1

    b990f2a26aecba50e33eb9c546e12930bf56505d

    SHA256

    c2ee5878fcd67fd3d5663a894bd6f3987a81b3aa38d672f708e55680794e22d6

    SHA512

    6e20f90549eb92e1ecf8c82a286a0af8e7f50f4d1f3582e66e415c2f74ee1b9c05528fcd9623371a9be696e61ba5209522fb44da2314479f0f8d648a596c9d0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729074.exe
    Filesize

    553KB

    MD5

    594e829bbd166b598f13c34a44819dec

    SHA1

    b990f2a26aecba50e33eb9c546e12930bf56505d

    SHA256

    c2ee5878fcd67fd3d5663a894bd6f3987a81b3aa38d672f708e55680794e22d6

    SHA512

    6e20f90549eb92e1ecf8c82a286a0af8e7f50f4d1f3582e66e415c2f74ee1b9c05528fcd9623371a9be696e61ba5209522fb44da2314479f0f8d648a596c9d0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8515.exe
    Filesize

    308KB

    MD5

    c52775266429c930d5ad790e0e52d6e9

    SHA1

    2194cf01de5c2021391a9843347a22a9609b1c2d

    SHA256

    08ea6b109b4f2828686c8eb18db5496d4e8e3e695a2c913e6ced2623130e0f71

    SHA512

    f5ed76e1fdc6add71d9e59edcbba20de6198cfd3561a092b45dedd919e4ced24a40412cd607a206d39f66561d3ab90ed41face6deb0e7b4aea57821cf2c85bbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8515.exe
    Filesize

    308KB

    MD5

    c52775266429c930d5ad790e0e52d6e9

    SHA1

    2194cf01de5c2021391a9843347a22a9609b1c2d

    SHA256

    08ea6b109b4f2828686c8eb18db5496d4e8e3e695a2c913e6ced2623130e0f71

    SHA512

    f5ed76e1fdc6add71d9e59edcbba20de6198cfd3561a092b45dedd919e4ced24a40412cd607a206d39f66561d3ab90ed41face6deb0e7b4aea57821cf2c85bbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3281.exe
    Filesize

    366KB

    MD5

    e492938316c848883c7c120458c9ec57

    SHA1

    2708064940fcae8c4fd70bbdbfd6ece93babb27e

    SHA256

    b9bd3b5102cc9ec9e24135f60d1ca74e80d1c9c10c932d5927eabb4ae763f734

    SHA512

    b133ac852d0643330a2c1fb2a6f64e1f537309a364080703e861df6fb6cafe273e6a8f95578d9c0a3c0de0b6428180a9b6b4c2cded47cf286f657482525c3dd2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3281.exe
    Filesize

    366KB

    MD5

    e492938316c848883c7c120458c9ec57

    SHA1

    2708064940fcae8c4fd70bbdbfd6ece93babb27e

    SHA256

    b9bd3b5102cc9ec9e24135f60d1ca74e80d1c9c10c932d5927eabb4ae763f734

    SHA512

    b133ac852d0643330a2c1fb2a6f64e1f537309a364080703e861df6fb6cafe273e6a8f95578d9c0a3c0de0b6428180a9b6b4c2cded47cf286f657482525c3dd2

    Download Submit

  • memory/2152-148-0x0000000000810000-0x000000000083D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2152-149-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-150-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-151-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-152-0x0000000004CE0000-0x0000000005284000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2152-153-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-154-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-156-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-158-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-160-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-162-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-164-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-166-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-168-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-170-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-172-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-174-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-176-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-178-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-180-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-181-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2152-182-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-183-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-185-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2844-190-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-193-0x00000000007F0000-0x000000000083B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2844-191-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-196-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-198-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-194-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-195-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-199-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-201-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-203-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-205-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-207-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-209-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-211-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-213-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-215-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-217-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-219-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-221-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-223-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-225-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-227-0x0000000002880000-0x00000000028BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2844-1100-0x0000000005460000-0x0000000005A78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2844-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2844-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2844-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2844-1103-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2844-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2844-1108-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-1109-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-1110-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-1111-0x00000000026D0000-0x00000000026E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-1112-0x0000000006960000-0x0000000006B22000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2844-1113-0x0000000006B40000-0x000000000706C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2844-1114-0x0000000007190000-0x0000000007206000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2844-1115-0x0000000007230000-0x0000000007280000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4036-1121-0x0000000000F10000-0x0000000000F42000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4036-1122-0x0000000005B70000-0x0000000005B80000-memory.dmp

    Filesize

    64KB

    Download