Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63193bf557ecf54d331b25b030ae9267640197701af06d4d47e66f5f4fb15dbd.exe

  • Size

    695KB

  • MD5

    5837af1bdc881085c939f2a713ad9ad0

  • SHA1

    506e9b2dbbe28eb3eea9cd25b459af6ce22ee660

  • SHA256

    63193bf557ecf54d331b25b030ae9267640197701af06d4d47e66f5f4fb15dbd

  • SHA512

    039944f3dd933199a6d8b5064b6c6cf20184a4f94a8a2f1bc5dafd52ecaaef61d910ba0ea4fe59eaddff53d7283441ecc158d086a2c1ed902ca713f697a2ecd1

  • SSDEEP

    12288:OMrfy90jAfyqUleFsn1pg4q/44GulfuMylW45jDDg1K+NzB6JJonKWkNWr:xypfyqUcsY4OdJuMylWO3EMSBmDNQ

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63193bf557ecf54d331b25b030ae9267640197701af06d4d47e66f5f4fb15dbd.exe
    "C:\Users\Admin\AppData\Local\Temp\63193bf557ecf54d331b25b030ae9267640197701af06d4d47e66f5f4fb15dbd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260713.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260713.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3067.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3067.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9502.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9502.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si619547.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si619547.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1632

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si619547.exe
    Filesize

    175KB

    MD5

    43796136a76398c309e4d35951e9b550

    SHA1

    848c5d205545444937d00b2fdd4d66523cf8300a

    SHA256

    422eafef49c35b527f9a6fcc7f6258699b354c244b77b24c42e0df04a8a9adf5

    SHA512

    12d8e35808a662c2108d39b5c03b5b6f8c506f0de8cb713d98b716cd53419a4cc5ee93fc45f00257853ca0375740b885ff5351f4828428086894602243246d18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si619547.exe
    Filesize

    175KB

    MD5

    43796136a76398c309e4d35951e9b550

    SHA1

    848c5d205545444937d00b2fdd4d66523cf8300a

    SHA256

    422eafef49c35b527f9a6fcc7f6258699b354c244b77b24c42e0df04a8a9adf5

    SHA512

    12d8e35808a662c2108d39b5c03b5b6f8c506f0de8cb713d98b716cd53419a4cc5ee93fc45f00257853ca0375740b885ff5351f4828428086894602243246d18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260713.exe
    Filesize

    553KB

    MD5

    608fca90a9556886c1d1cf4111938fd7

    SHA1

    826f97efdbfe2d14d5789c506a1bf519659b5a14

    SHA256

    5483bc63d6d987da53d3a4e74db5ad4407c79a93c201da0887444e865dfa5455

    SHA512

    2a7ed3ec80d83ee45effd64dc038b4b89968ccc291028874881fed9417c67a76bf126a2247124a1084cbd7683196ebf5b0f5be0bedc338c27d4464c0160568ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260713.exe
    Filesize

    553KB

    MD5

    608fca90a9556886c1d1cf4111938fd7

    SHA1

    826f97efdbfe2d14d5789c506a1bf519659b5a14

    SHA256

    5483bc63d6d987da53d3a4e74db5ad4407c79a93c201da0887444e865dfa5455

    SHA512

    2a7ed3ec80d83ee45effd64dc038b4b89968ccc291028874881fed9417c67a76bf126a2247124a1084cbd7683196ebf5b0f5be0bedc338c27d4464c0160568ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3067.exe
    Filesize

    308KB

    MD5

    9304731f9ed4a3e0843c80e1600dc380

    SHA1

    0e926a477698d9a8b28299b02b0f64b0341d27a7

    SHA256

    c69aec68aa38449700009ea4280502f3ff15a78347f25b1fa0e8ec4df6edbd9e

    SHA512

    fb4ce4c194c377f9ef2794e135ea1d5f263d59ccf990440cbe86757bc39281fe289ddc3762c8284ab177652ba5e447cd1a6703848b53412e5775c8f32618e6c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3067.exe
    Filesize

    308KB

    MD5

    9304731f9ed4a3e0843c80e1600dc380

    SHA1

    0e926a477698d9a8b28299b02b0f64b0341d27a7

    SHA256

    c69aec68aa38449700009ea4280502f3ff15a78347f25b1fa0e8ec4df6edbd9e

    SHA512

    fb4ce4c194c377f9ef2794e135ea1d5f263d59ccf990440cbe86757bc39281fe289ddc3762c8284ab177652ba5e447cd1a6703848b53412e5775c8f32618e6c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9502.exe
    Filesize

    366KB

    MD5

    0cd8bb50e83fe34ee51bb71339c0e550

    SHA1

    91fdbbe84998e0b60cf9b87ab795cb264f08bce2

    SHA256

    c1c9b46cb2067a9a03162a3d982e73027e58189865c70733b9cef38c8dc6d03c

    SHA512

    b21165f339096b6ce432f61e73a2be934251610439aacfdeea158014f3839ef8eef0ad268e5226d0efdb2e35091da73b0a592e2c517719207dcb38b0de9e54a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9502.exe
    Filesize

    366KB

    MD5

    0cd8bb50e83fe34ee51bb71339c0e550

    SHA1

    91fdbbe84998e0b60cf9b87ab795cb264f08bce2

    SHA256

    c1c9b46cb2067a9a03162a3d982e73027e58189865c70733b9cef38c8dc6d03c

    SHA512

    b21165f339096b6ce432f61e73a2be934251610439aacfdeea158014f3839ef8eef0ad268e5226d0efdb2e35091da73b0a592e2c517719207dcb38b0de9e54a0

    Download Submit

  • memory/1632-1124-0x0000000005A20000-0x0000000005A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1632-1123-0x0000000005A20000-0x0000000005A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1632-1122-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1920-1102-0x0000000005AC0000-0x0000000005BCA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1920-1105-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-1116-0x0000000006E20000-0x000000000734C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1920-1115-0x0000000006A50000-0x0000000006C12000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1920-1114-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-1113-0x0000000006740000-0x0000000006790000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1920-1112-0x00000000066B0000-0x0000000006726000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1920-1111-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-1110-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-1109-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-1108-0x00000000065E0000-0x0000000006672000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1920-1106-0x0000000005F10000-0x0000000005F76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1920-1104-0x0000000005C20000-0x0000000005C5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1920-1103-0x0000000005C00000-0x0000000005C12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1920-1101-0x0000000005420000-0x0000000005A38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1920-228-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-226-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-224-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-222-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-220-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-191-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-192-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-194-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-196-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-198-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-200-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-202-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-204-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-207-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-208-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-209-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-206-0x00000000007F0000-0x000000000083B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1920-212-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1920-211-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-214-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-216-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1920-218-0x00000000026F0000-0x000000000272F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2160-174-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-183-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-150-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-184-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-172-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-182-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-154-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-170-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-180-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-158-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-178-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-176-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-186-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2160-156-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-181-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2160-168-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-166-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-164-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-162-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-160-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-153-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-152-0x0000000002730000-0x0000000002742000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2160-151-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-149-0x0000000000710000-0x000000000073D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2160-148-0x0000000004EB0000-0x0000000005454000-memory.dmp

    Filesize

    5.6MB

    Download