Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    72s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9.exe

  • Size

    690KB

  • MD5

    58b02770b7aadadd5e4accb4ff666ec4

  • SHA1

    e91bfabbb7eff336b0f0b100b007f0862e074b61

  • SHA256

    27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9

  • SHA512

    34151f64e50fb6e46cf03aa4e739741f7d53110aa2a0f3a1335f53c3d02ee6d6355280b050ad00989f9aca6c3b87313dc063a0f63a1d293b107d952e3ce46b34

  • SSDEEP

    12288:SMrQy90+mFV7e/wim++VdwvUivsjsYS1ctI/ppiLONiVmhhLbTpLWiuOJljp9+:2yFmnYwim+EywtKXhiAhhxWijA

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9.exe
    "C:\Users\Admin\AppData\Local\Temp\27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exe
    Filesize

    175KB

    MD5

    c8f6d396dbcd5c921c325ec9f4fc7bb2

    SHA1

    060d1104a88bb31544f61f941e1ea491ae40bbcb

    SHA256

    d4a96bdbb68b408143b8f9e9f2d9f0cbdf030318b0891e4a5f16c91b06e15a46

    SHA512

    865c9d80d25fbdacd202286abc2d3325e4b651d3b0a4bcd38d9bec5efb63f91a59b7d02d9bd45c51f32be6037f23b23dbf13573c227332dbca1acf11e17ab25c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exe
    Filesize

    175KB

    MD5

    c8f6d396dbcd5c921c325ec9f4fc7bb2

    SHA1

    060d1104a88bb31544f61f941e1ea491ae40bbcb

    SHA256

    d4a96bdbb68b408143b8f9e9f2d9f0cbdf030318b0891e4a5f16c91b06e15a46

    SHA512

    865c9d80d25fbdacd202286abc2d3325e4b651d3b0a4bcd38d9bec5efb63f91a59b7d02d9bd45c51f32be6037f23b23dbf13573c227332dbca1acf11e17ab25c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exe
    Filesize

    548KB

    MD5

    7c83bf29603a2066572f0ff864ee69a6

    SHA1

    4a63cdeecd8e667b19bda5d078d255999000150f

    SHA256

    4ad010d61d4d2ceb0725ccda3dbe95e8beca76150f9b9483d217542bb64b4926

    SHA512

    93845f1a65296250da068a7a2849d6fadec751c865d70115282a0ffe70c2de74df50f2e408e8fccc18c214a276ff6e00f88fe76b1a5495588062ef8f131560cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exe
    Filesize

    548KB

    MD5

    7c83bf29603a2066572f0ff864ee69a6

    SHA1

    4a63cdeecd8e667b19bda5d078d255999000150f

    SHA256

    4ad010d61d4d2ceb0725ccda3dbe95e8beca76150f9b9483d217542bb64b4926

    SHA512

    93845f1a65296250da068a7a2849d6fadec751c865d70115282a0ffe70c2de74df50f2e408e8fccc18c214a276ff6e00f88fe76b1a5495588062ef8f131560cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exe
    Filesize

    291KB

    MD5

    20a2cde4dff76c567a50238cc26624b1

    SHA1

    b44fb852d8c4529ac9c33d855d0b33790b497dd4

    SHA256

    27ffe98df336082d4b0275afee871977e9b3c1a7e3801e90da85991527b7c635

    SHA512

    cc5c6355bc6941e6dfffe838cf51f1baecf5d00672155a7155d77f83ae64f7f50d31cfef059e40556d2a193335a03ac5b2f65586898c30d606da5ed2bd51b488

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exe
    Filesize

    291KB

    MD5

    20a2cde4dff76c567a50238cc26624b1

    SHA1

    b44fb852d8c4529ac9c33d855d0b33790b497dd4

    SHA256

    27ffe98df336082d4b0275afee871977e9b3c1a7e3801e90da85991527b7c635

    SHA512

    cc5c6355bc6941e6dfffe838cf51f1baecf5d00672155a7155d77f83ae64f7f50d31cfef059e40556d2a193335a03ac5b2f65586898c30d606da5ed2bd51b488

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exe
    Filesize

    350KB

    MD5

    1cf467f3da7d06cd6c45ee662269036a

    SHA1

    08dc9969ae984eb9de4a6cb660f02b05c086dc51

    SHA256

    a47a648499961cd98e02ab390e2c8b280c02c65d1551dea0ccf5f27c141286e3

    SHA512

    dc8185679c3c079bee8cc9ab4d14224fe65d900139ef8a3cefc773c30437a8e16971e639e91ffa02fe7232f18a10faa0115bdf38c92982c8e45025fc76b05404

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exe
    Filesize

    350KB

    MD5

    1cf467f3da7d06cd6c45ee662269036a

    SHA1

    08dc9969ae984eb9de4a6cb660f02b05c086dc51

    SHA256

    a47a648499961cd98e02ab390e2c8b280c02c65d1551dea0ccf5f27c141286e3

    SHA512

    dc8185679c3c079bee8cc9ab4d14224fe65d900139ef8a3cefc773c30437a8e16971e639e91ffa02fe7232f18a10faa0115bdf38c92982c8e45025fc76b05404

    Download Submit

  • memory/1500-1114-0x00000000048D0000-0x00000000048E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1500-1113-0x0000000004AD0000-0x0000000004B1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1500-1112-0x0000000000080000-0x00000000000B2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2032-1092-0x0000000005530000-0x0000000005542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2032-1095-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-1106-0x0000000006FE0000-0x0000000007030000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2032-1105-0x0000000006F60000-0x0000000006FD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2032-1104-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-1103-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-1102-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-1101-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-1099-0x00000000067B0000-0x0000000006CDC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2032-1098-0x00000000065E0000-0x00000000067A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2032-1097-0x00000000058D0000-0x0000000005936000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2032-1096-0x0000000005830000-0x00000000058C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2032-1094-0x00000000056A0000-0x00000000056EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2032-1093-0x0000000005550000-0x000000000558E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2032-1091-0x00000000053F0000-0x00000000054FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2032-1090-0x0000000005990000-0x0000000005F96000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2032-217-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-215-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-213-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-211-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-178-0x0000000002440000-0x0000000002486000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2032-179-0x0000000004CA0000-0x0000000004CE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2032-181-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-183-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-180-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-185-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-187-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-189-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-191-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-193-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-195-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-197-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-198-0x0000000000770000-0x00000000007BB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2032-202-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-203-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-201-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-199-0x0000000004D70000-0x0000000004D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-205-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-207-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2032-209-0x0000000004CA0000-0x0000000004CDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4168-159-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-170-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4168-141-0x0000000002320000-0x0000000002338000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4168-171-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4168-157-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-169-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-137-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4168-155-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-165-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-143-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-163-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-161-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-173-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4168-142-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-167-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-153-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-151-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-149-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-147-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-145-0x0000000002320000-0x0000000002332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4168-140-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4168-138-0x0000000004E30000-0x0000000004E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4168-139-0x0000000004E40000-0x000000000533E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4168-136-0x0000000000710000-0x000000000073D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4168-135-0x0000000002280000-0x000000000229A000-memory.dmp

    Filesize

    104KB

    Download