Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 00:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b73a64ef1f6c3a2b2ceac9b85779a3c2187c67ce0b0d358c18adbb9e4655ac2.exe

  • Size

    699KB

  • MD5

    fdd5446cb2af9c891dfb46ff1d800b3c

  • SHA1

    fedfc754571dd757090dc2b7035f58cbe954b854

  • SHA256

    7b73a64ef1f6c3a2b2ceac9b85779a3c2187c67ce0b0d358c18adbb9e4655ac2

  • SHA512

    7dae2bb893e981cf8a1eb7ed37d31d65bc4959e059b65335ab69fe687d84bb05ea016ac048f635d34297effb97e69ad57179ed3c46d2f3d95776f4cd266ff909

  • SSDEEP

    12288:nMrUy90tVK8Qluk7PjRNILDlEANJ9jUlPaZ3bMhbK5j7hcdyt4wlAC:DycVKBlugPjRNILDqANjU0ZQZK5Hhcd

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b73a64ef1f6c3a2b2ceac9b85779a3c2187c67ce0b0d358c18adbb9e4655ac2.exe
    "C:\Users\Admin\AppData\Local\Temp\7b73a64ef1f6c3a2b2ceac9b85779a3c2187c67ce0b0d358c18adbb9e4655ac2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un994760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un994760.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0697.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0697.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1040
          4⤵
          • Program crash
          PID:4188
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2146.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2146.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1368
          4⤵
          • Program crash
          PID:2376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035930.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4812 -ip 4812
    1⤵
      PID:1840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5008 -ip 5008
      1⤵
        PID:3204

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035930.exe
        Filesize

        175KB

        MD5

        7b7f1b71d42c0100c017e04e39f224cf

        SHA1

        cb9ae69489b0632261bb8baf9071bda1876ba1d5

        SHA256

        dce98b704f728af8d88c17485d64e66d0edead12e48989970947dd7c7a012263

        SHA512

        d26b359bad08c65a051b5a99888859aea903183505428f289e8c69d06bd3fe7a7dbfafd89feb88f55b189f9dd8e1b8ef5b77cab4575f71ccc633c400606a6fb1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035930.exe
        Filesize

        175KB

        MD5

        7b7f1b71d42c0100c017e04e39f224cf

        SHA1

        cb9ae69489b0632261bb8baf9071bda1876ba1d5

        SHA256

        dce98b704f728af8d88c17485d64e66d0edead12e48989970947dd7c7a012263

        SHA512

        d26b359bad08c65a051b5a99888859aea903183505428f289e8c69d06bd3fe7a7dbfafd89feb88f55b189f9dd8e1b8ef5b77cab4575f71ccc633c400606a6fb1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un994760.exe
        Filesize

        557KB

        MD5

        b5d061b86451f5332d8370da2303bd18

        SHA1

        2093433e687bd980eeb445e4b0e670dc73bdca42

        SHA256

        274c0c9475730326d707968d5e81f931d575078284561f987199943cfd1f8586

        SHA512

        8cc995c2ca15564948d3210aa10ea944f08896a056a0d964d05151e663106ce8e170cb41c2cf679af84c6a2ba5ef261c51ec558eb195b3749c02944090d52b72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un994760.exe
        Filesize

        557KB

        MD5

        b5d061b86451f5332d8370da2303bd18

        SHA1

        2093433e687bd980eeb445e4b0e670dc73bdca42

        SHA256

        274c0c9475730326d707968d5e81f931d575078284561f987199943cfd1f8586

        SHA512

        8cc995c2ca15564948d3210aa10ea944f08896a056a0d964d05151e663106ce8e170cb41c2cf679af84c6a2ba5ef261c51ec558eb195b3749c02944090d52b72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0697.exe
        Filesize

        307KB

        MD5

        a3901fb6b24f0ed152c20b86d83d05d9

        SHA1

        b65c8542a3e71f3251c847fa76f5dff7fcc6b2c6

        SHA256

        4df8123005b48d5d146d9d91ac14247268c68085bd3bbff271eaaaae10c19988

        SHA512

        8f44b9a73b89b16a4a9ad4a407bd26118fa542d3d003c923b9f616d2223e6c9a776a9d9a05fc86ba3aef62d872875aa66436adde41f6480e5378905afe3b54a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0697.exe
        Filesize

        307KB

        MD5

        a3901fb6b24f0ed152c20b86d83d05d9

        SHA1

        b65c8542a3e71f3251c847fa76f5dff7fcc6b2c6

        SHA256

        4df8123005b48d5d146d9d91ac14247268c68085bd3bbff271eaaaae10c19988

        SHA512

        8f44b9a73b89b16a4a9ad4a407bd26118fa542d3d003c923b9f616d2223e6c9a776a9d9a05fc86ba3aef62d872875aa66436adde41f6480e5378905afe3b54a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2146.exe
        Filesize

        365KB

        MD5

        2ec0d6f0c7de81ff0146772f9ddb097f

        SHA1

        0ac0bd553316a31d6442b1afce74016fd34c6455

        SHA256

        96871f11c6949176bcf54baca4a9950e88466f8037e7574081f3dc26be66b3af

        SHA512

        dfaa2e8ec911273bdd15912d62764c313ace8ff36b9c66803c012c4bca2a5283765d65ce408f6655614ecf85494a9848df5974965937fb5880daf1ed01923b75

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2146.exe
        Filesize

        365KB

        MD5

        2ec0d6f0c7de81ff0146772f9ddb097f

        SHA1

        0ac0bd553316a31d6442b1afce74016fd34c6455

        SHA256

        96871f11c6949176bcf54baca4a9950e88466f8037e7574081f3dc26be66b3af

        SHA512

        dfaa2e8ec911273bdd15912d62764c313ace8ff36b9c66803c012c4bca2a5283765d65ce408f6655614ecf85494a9848df5974965937fb5880daf1ed01923b75

        Download Submit

      • memory/4368-1121-0x00000000002F0000-0x0000000000322000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4368-1122-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4812-157-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-167-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-151-0x0000000002620000-0x0000000002630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4812-152-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-153-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-155-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-149-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4812-159-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-161-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-163-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-165-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-150-0x0000000002620000-0x0000000002630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4812-169-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-171-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-173-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-175-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-177-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-179-0x0000000002890000-0x00000000028A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4812-180-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4812-181-0x0000000002620000-0x0000000002630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4812-182-0x0000000002620000-0x0000000002630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4812-183-0x0000000002620000-0x0000000002630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4812-185-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4812-148-0x0000000004DA0000-0x0000000005344000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5008-191-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-225-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-195-0x0000000000720000-0x000000000076B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/5008-197-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-196-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-199-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-201-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-200-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-203-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-205-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-207-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-209-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-211-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-213-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-215-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-217-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-219-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-221-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-223-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-193-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-227-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-1100-0x00000000054E0000-0x0000000005AF8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5008-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5008-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5008-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5008-1104-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5008-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5008-1108-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-1109-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-1110-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5008-1111-0x0000000006830000-0x00000000068A6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/5008-1112-0x00000000068C0000-0x0000000006910000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5008-190-0x00000000028A0000-0x00000000028DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5008-1113-0x0000000006A40000-0x0000000006C02000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5008-1114-0x0000000006C50000-0x000000000717C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/5008-1115-0x0000000004F20000-0x0000000004F30000-memory.dmp

        Filesize

        64KB

        Download