Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    64s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bc66754a8c727c41d1aa8e684765fc315ebe33cb506b4ae4d004332a44f1a1c.exe

  • Size

    691KB

  • MD5

    13d87c218f65dc9007841c6ddb091c6a

  • SHA1

    11b3f0dd6fe7a8c50d94ef1f15981a7c8e6b376e

  • SHA256

    8bc66754a8c727c41d1aa8e684765fc315ebe33cb506b4ae4d004332a44f1a1c

  • SHA512

    fa88ee99cab4f1424f2123699b86498cfe8e65ea911aa145c0db9ec1a956935069c7ccaa976bf01be2e12d57e4ec5d8243e0b0d5be992a873f510302ba10c175

  • SSDEEP

    12288:qMr3y903E9mhwLsXCg/XpdxAqcyVve/UugY1zTZnlKoQdsqV7x:JysEBQXJAIte/5gYZFlKqqVd

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bc66754a8c727c41d1aa8e684765fc315ebe33cb506b4ae4d004332a44f1a1c.exe
    "C:\Users\Admin\AppData\Local\Temp\8bc66754a8c727c41d1aa8e684765fc315ebe33cb506b4ae4d004332a44f1a1c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582013.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582013.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1589.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1589.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8815.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8815.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si350751.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si350751.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si350751.exe
    Filesize

    175KB

    MD5

    9ef6bda691470c0ec8baa772453ab0b6

    SHA1

    169d4f697d4c1795bced47b3ddbb834299166c21

    SHA256

    fe8f8d06c2284e0f147f4464bf3c8a2539ac5f95014547e631a6c2be007fb750

    SHA512

    12915b477d0b098cf294608468b842ddcac9f4db345ab3733229a63194b3f8a224587647fb4838c8f545c1cc609656a7ea7f230def14628f31b12d7e2b4732a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si350751.exe
    Filesize

    175KB

    MD5

    9ef6bda691470c0ec8baa772453ab0b6

    SHA1

    169d4f697d4c1795bced47b3ddbb834299166c21

    SHA256

    fe8f8d06c2284e0f147f4464bf3c8a2539ac5f95014547e631a6c2be007fb750

    SHA512

    12915b477d0b098cf294608468b842ddcac9f4db345ab3733229a63194b3f8a224587647fb4838c8f545c1cc609656a7ea7f230def14628f31b12d7e2b4732a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582013.exe
    Filesize

    549KB

    MD5

    3e3e845ba22ffc64f6b5e36dd1da296f

    SHA1

    be229d37dda2ed2799d0ece0ce7c3a0bf95074a2

    SHA256

    ca12b5b4376923a4bf7ea97ecaf41f5aa37bdbf199938109a49f9fc8f0ad2603

    SHA512

    6a3b0e3f10e6001e87734121b44dda703b5997760edb48acf40d9195a20e97095a1751b7280e8fa539903b19cfe7ec855c755ecdd6681eb547ed4a8bb6bd8826

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582013.exe
    Filesize

    549KB

    MD5

    3e3e845ba22ffc64f6b5e36dd1da296f

    SHA1

    be229d37dda2ed2799d0ece0ce7c3a0bf95074a2

    SHA256

    ca12b5b4376923a4bf7ea97ecaf41f5aa37bdbf199938109a49f9fc8f0ad2603

    SHA512

    6a3b0e3f10e6001e87734121b44dda703b5997760edb48acf40d9195a20e97095a1751b7280e8fa539903b19cfe7ec855c755ecdd6681eb547ed4a8bb6bd8826

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1589.exe
    Filesize

    291KB

    MD5

    18f04b95ccea77ef33e75121a4951977

    SHA1

    ec34491951830e676731ed5aba487edaaa354f1c

    SHA256

    cef82789c20ce86508972b5404b092c081f1b1bb27ab1d6c3435c03a801ee373

    SHA512

    7b111b2b8421acc9f6771cfd93ebdf78d1f0e7c328f4d929a1e766072c5898c736f98afbb34d2432f2e8b185b7983187c0ed6a00b039656090711f55e491fcd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1589.exe
    Filesize

    291KB

    MD5

    18f04b95ccea77ef33e75121a4951977

    SHA1

    ec34491951830e676731ed5aba487edaaa354f1c

    SHA256

    cef82789c20ce86508972b5404b092c081f1b1bb27ab1d6c3435c03a801ee373

    SHA512

    7b111b2b8421acc9f6771cfd93ebdf78d1f0e7c328f4d929a1e766072c5898c736f98afbb34d2432f2e8b185b7983187c0ed6a00b039656090711f55e491fcd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8815.exe
    Filesize

    350KB

    MD5

    05942ce30d78635515f0c68edd904de5

    SHA1

    bc922c8ac08700219fb8dfe941332dd48914d180

    SHA256

    dd60be4a12f0e6721a19565264eebe263bbffd11bcfdd4802d67dbd6fe76a237

    SHA512

    42a61b66240203c639c83fcaae88e7b0deb3a0f6ad53b3f7a68ac904ce8353deccfcce1ab97f81d0d575383af68f65ad23a87c6ede7695a67cbbb62f98128b39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8815.exe
    Filesize

    350KB

    MD5

    05942ce30d78635515f0c68edd904de5

    SHA1

    bc922c8ac08700219fb8dfe941332dd48914d180

    SHA256

    dd60be4a12f0e6721a19565264eebe263bbffd11bcfdd4802d67dbd6fe76a237

    SHA512

    42a61b66240203c639c83fcaae88e7b0deb3a0f6ad53b3f7a68ac904ce8353deccfcce1ab97f81d0d575383af68f65ad23a87c6ede7695a67cbbb62f98128b39

    Download Submit

  • memory/2216-1116-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2216-1115-0x0000000005010000-0x000000000505B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2216-1114-0x00000000005D0000-0x0000000000602000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4476-1092-0x0000000005370000-0x0000000005976000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4476-1095-0x0000000005B60000-0x0000000005B9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4476-1108-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-1107-0x0000000006EB0000-0x0000000006F00000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4476-1106-0x0000000006E30000-0x0000000006EA6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4476-1105-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-1104-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-1103-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-1102-0x00000000067C0000-0x0000000006CEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4476-1101-0x00000000065F0000-0x00000000067B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4476-1099-0x00000000063E0000-0x0000000006472000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4476-1098-0x0000000005E40000-0x0000000005EA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4476-1097-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-1096-0x0000000005CB0000-0x0000000005CFB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4476-1094-0x0000000005B40000-0x0000000005B52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4476-1093-0x0000000005A00000-0x0000000005B0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4476-219-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-217-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-215-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-213-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-212-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-208-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-180-0x00000000026A0000-0x00000000026E6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4476-181-0x0000000004C80000-0x0000000004CC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4476-182-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-183-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-185-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-187-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-189-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-191-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-195-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-197-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-193-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-199-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-201-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-203-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-206-0x0000000000840000-0x000000000088B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4476-209-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-205-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4476-210-0x0000000004C80000-0x0000000004CBF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/5108-163-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-135-0x00000000023A0000-0x00000000023BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5108-141-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-173-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-172-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-171-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-140-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-170-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/5108-169-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-143-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-167-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-165-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-175-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/5108-142-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-145-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-157-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-155-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-153-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-151-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-149-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-147-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-159-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-139-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-138-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5108-137-0x00000000026E0000-0x00000000026F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5108-136-0x0000000004CB0000-0x00000000051AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/5108-161-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download