Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    60s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b539d02f4658dc80f89a69e2b355796f48d8d68b6174dff551b4ff29277523c.exe

  • Size

    700KB

  • MD5

    560438562e86acf69f02aeda2086968b

  • SHA1

    96d0dc3fd4d18e54f933109d75ac5807caa1cc77

  • SHA256

    8b539d02f4658dc80f89a69e2b355796f48d8d68b6174dff551b4ff29277523c

  • SHA512

    0e9047c7ca34da83dde4394846a060988af4c412e3025177775ad3deb5d95cae38a25d3cdbdadc3cc58c083855b87d427670edea6441ffb3bc75c70a6369674a

  • SSDEEP

    12288:WMrTy900GpXQD7JDgatv9DGIcA6GNPqO+0/XOAnDOju60hO0xfg:1yBHDVzX6wqE/XO4DOCzg

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 22 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b539d02f4658dc80f89a69e2b355796f48d8d68b6174dff551b4ff29277523c.exe
    "C:\Users\Admin\AppData\Local\Temp\8b539d02f4658dc80f89a69e2b355796f48d8d68b6174dff551b4ff29277523c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un253705.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un253705.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5627.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5627.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8658.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8658.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si931348.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si931348.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4740

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si931348.exe
    Filesize

    175KB

    MD5

    fa52d4790dd6c0b52d36161f70fe2152

    SHA1

    c723449883ff847e69b9e00e90d1dd1994c439a8

    SHA256

    4ce830cc27fba5272cbc66d90bb3018f6cbd911cf67edd9265861ff350cb09a2

    SHA512

    fc1636686c34f281b2ab7842cad8ec72519f464657084db6984c7542c26392c6919c6e36afca1c75baf3bad198583c7c9498012183cb026c6b4ac2119f0d044f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si931348.exe
    Filesize

    175KB

    MD5

    fa52d4790dd6c0b52d36161f70fe2152

    SHA1

    c723449883ff847e69b9e00e90d1dd1994c439a8

    SHA256

    4ce830cc27fba5272cbc66d90bb3018f6cbd911cf67edd9265861ff350cb09a2

    SHA512

    fc1636686c34f281b2ab7842cad8ec72519f464657084db6984c7542c26392c6919c6e36afca1c75baf3bad198583c7c9498012183cb026c6b4ac2119f0d044f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un253705.exe
    Filesize

    558KB

    MD5

    f714a682a4e5f9c53e6c2b3d7a3b978e

    SHA1

    1e5932682cd957a590b9316796f51745a077e8f9

    SHA256

    3d645c61609658bf1532f4c11e6a0448b30248ca542834971c30ee086ceb918d

    SHA512

    960ea3325cf75abc2b2847de22d347a500912b73d2dd112b7a382fb9c56e4ec4c5bd39340c0352002d95bb7149da4246b46926265ad768613fec4e6fe459581d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un253705.exe
    Filesize

    558KB

    MD5

    f714a682a4e5f9c53e6c2b3d7a3b978e

    SHA1

    1e5932682cd957a590b9316796f51745a077e8f9

    SHA256

    3d645c61609658bf1532f4c11e6a0448b30248ca542834971c30ee086ceb918d

    SHA512

    960ea3325cf75abc2b2847de22d347a500912b73d2dd112b7a382fb9c56e4ec4c5bd39340c0352002d95bb7149da4246b46926265ad768613fec4e6fe459581d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5627.exe
    Filesize

    307KB

    MD5

    f18c6b8db70568744924d51ae2849a71

    SHA1

    df11b10e0c96fe98703d78b607b8019fbb06a8af

    SHA256

    7022bc7431c6a6eab8f3ddfba314f0a796806f19deeda1b1c4b690e6bd750b3d

    SHA512

    0679bbab7a1104d75f0fa9685a8f9f66425858879955486dbf48cee76e14898ce2870099f1fa077df4d734cf07a4a859e5120805615c005693d7ccfb939df7d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5627.exe
    Filesize

    307KB

    MD5

    f18c6b8db70568744924d51ae2849a71

    SHA1

    df11b10e0c96fe98703d78b607b8019fbb06a8af

    SHA256

    7022bc7431c6a6eab8f3ddfba314f0a796806f19deeda1b1c4b690e6bd750b3d

    SHA512

    0679bbab7a1104d75f0fa9685a8f9f66425858879955486dbf48cee76e14898ce2870099f1fa077df4d734cf07a4a859e5120805615c005693d7ccfb939df7d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8658.exe
    Filesize

    365KB

    MD5

    3d9d6a5b41346391155be7d69dccb5a5

    SHA1

    c4a888e11cca99e4877b9579a295a9476a7be4db

    SHA256

    713bbe23141f6d05c44ad3c41d5586c5e8ae2d112386e687bef5cd277019fa65

    SHA512

    a184b5404c1b5e949005379f66ed074eb446ab671bc59191e548c0821080a7fc1c8b90573fea99d1f93fb86cb803a1cf6d4756fbcc66bc66a3785c9e322ddc99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8658.exe
    Filesize

    365KB

    MD5

    3d9d6a5b41346391155be7d69dccb5a5

    SHA1

    c4a888e11cca99e4877b9579a295a9476a7be4db

    SHA256

    713bbe23141f6d05c44ad3c41d5586c5e8ae2d112386e687bef5cd277019fa65

    SHA512

    a184b5404c1b5e949005379f66ed074eb446ab671bc59191e548c0821080a7fc1c8b90573fea99d1f93fb86cb803a1cf6d4756fbcc66bc66a3785c9e322ddc99

    Download Submit

  • memory/3080-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3080-137-0x0000000002260000-0x000000000227A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3080-138-0x0000000004E80000-0x0000000004E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3080-139-0x0000000004E80000-0x0000000004E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3080-140-0x0000000004E80000-0x0000000004E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3080-141-0x0000000004E90000-0x000000000538E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3080-142-0x0000000002530000-0x0000000002548000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3080-143-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-144-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-146-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-148-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-150-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-152-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-154-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-156-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-158-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-160-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-162-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-164-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-166-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-168-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-170-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3080-171-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3080-173-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4720-178-0x00000000020E0000-0x000000000212B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4720-179-0x0000000004BE0000-0x0000000004C26000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4720-180-0x00000000051A0000-0x00000000051E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4720-181-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-182-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-184-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-186-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-188-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-190-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-192-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-194-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-196-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-198-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-200-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-202-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-204-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-206-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-208-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-210-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-212-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-214-0x00000000051A0000-0x00000000051DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4720-413-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-417-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-415-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-1090-0x0000000005230000-0x0000000005836000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4720-1091-0x00000000058C0000-0x00000000059CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4720-1092-0x0000000005A00000-0x0000000005A12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4720-1093-0x0000000005A20000-0x0000000005A5E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4720-1094-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-1095-0x0000000005B70000-0x0000000005BBB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4720-1097-0x00000000020E0000-0x000000000212B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4720-1098-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-1099-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-1100-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-1101-0x0000000005D00000-0x0000000005D92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4720-1102-0x0000000005DA0000-0x0000000005E06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4720-1103-0x00000000064B0000-0x0000000006672000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4720-1104-0x0000000006680000-0x0000000006BAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4720-1105-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-1106-0x0000000006F20000-0x0000000006F96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4720-1107-0x0000000006FB0000-0x0000000007000000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4740-1113-0x00000000001D0000-0x0000000000202000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4740-1114-0x0000000004C10000-0x0000000004C5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4740-1115-0x0000000004D10000-0x0000000004D20000-memory.dmp

    Filesize

    64KB

    Download