Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe

  • Size

    690KB

  • MD5

    2ed9f520c1d4d29c50ddbb7f142049ce

  • SHA1

    80aa4fca4c979a38d1cd5b1bc6e3ea79503effda

  • SHA256

    49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c

  • SHA512

    7a7ce9a8002eba7158f0fc16e4eaade9feed5177439a0e63283fef67fd48ed1ad8f099fdcae5813c8a05dbb3fc28f90b67df3b50f3ca492b95b1f03002989324

  • SSDEEP

    12288:qMrWy90V4c4Jk1ZF0KuH9UG8OM3KInzSM/8IzPL8rHXF5oLI4jwecU:Iych4Juox9UmMrSa8ILKF5oMucU

Score
10/10
redlinerosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe
    "C:\Users\Admin\AppData\Local\Temp\49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1076
          4⤵
          • Program crash
          PID:4116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1604 -ip 1604
    1⤵
      PID:3360

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
      Filesize

      548KB

      MD5

      3e52cebbd65cae8b4f38bc280d82abcd

      SHA1

      c6c67c2bf6378b3ae2778a657f3b7116008b1bf4

      SHA256

      fd61391bf30cdcbbaacb2ac78658fe14b1e067f8cf1a66f7f989993af08c2a7e

      SHA512

      3466132e1334c0aa0d5b02f1f2477707b08ffd801d0f4669869d43e94eb6a787289d7533538acea3b16764061fdbac2ed5990b3396ff412697246ceec73d4271

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
      Filesize

      548KB

      MD5

      3e52cebbd65cae8b4f38bc280d82abcd

      SHA1

      c6c67c2bf6378b3ae2778a657f3b7116008b1bf4

      SHA256

      fd61391bf30cdcbbaacb2ac78658fe14b1e067f8cf1a66f7f989993af08c2a7e

      SHA512

      3466132e1334c0aa0d5b02f1f2477707b08ffd801d0f4669869d43e94eb6a787289d7533538acea3b16764061fdbac2ed5990b3396ff412697246ceec73d4271

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
      Filesize

      291KB

      MD5

      628a4f7a047cc1c84725d2095ffb2d2d

      SHA1

      4709f38b6df551f42c6352cf73524aba51ec1649

      SHA256

      889806864dfc1c5d962cc064ac2ece81cf90d8912ff092cd22d89bbeac1429c8

      SHA512

      ce55c7be8f2e16e39e2ca5eb1e43a3236497d703938d0d96d7e6b9840ccf98dcf1d67446a4bc06a4b081a099a1408f0d7441b7adde33f28ef3d518154f9a014f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
      Filesize

      291KB

      MD5

      628a4f7a047cc1c84725d2095ffb2d2d

      SHA1

      4709f38b6df551f42c6352cf73524aba51ec1649

      SHA256

      889806864dfc1c5d962cc064ac2ece81cf90d8912ff092cd22d89bbeac1429c8

      SHA512

      ce55c7be8f2e16e39e2ca5eb1e43a3236497d703938d0d96d7e6b9840ccf98dcf1d67446a4bc06a4b081a099a1408f0d7441b7adde33f28ef3d518154f9a014f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
      Filesize

      350KB

      MD5

      1d100fe104af17211acea59264978bbc

      SHA1

      7dd0f277da14785b80744420264e497d9489bbcb

      SHA256

      7ca32b0fa90ff657528870048271675e62b21ec7cd32b29841723a5425646d97

      SHA512

      d7b0c62215c6aa81e419297976592d81571834820d6854b0de6fcd924f68b1aca07cfa394e5b65056c305a5420a56f4977206b14a1fd93ebe4102cc54649d91c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
      Filesize

      350KB

      MD5

      1d100fe104af17211acea59264978bbc

      SHA1

      7dd0f277da14785b80744420264e497d9489bbcb

      SHA256

      7ca32b0fa90ff657528870048271675e62b21ec7cd32b29841723a5425646d97

      SHA512

      d7b0c62215c6aa81e419297976592d81571834820d6854b0de6fcd924f68b1aca07cfa394e5b65056c305a5420a56f4977206b14a1fd93ebe4102cc54649d91c

      Download Submit

    • memory/1380-279-0x00000000007F0000-0x000000000083B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1380-1102-0x00000000053F0000-0x0000000005A08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1380-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-1116-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-203-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-1115-0x0000000006C20000-0x000000000714C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1380-1114-0x0000000006A50000-0x0000000006C12000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1380-1113-0x00000000068A0000-0x00000000068F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1380-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-1111-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-1110-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-1109-0x00000000064D0000-0x0000000006562000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1380-1108-0x0000000005E10000-0x0000000005E76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1380-1105-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-1106-0x0000000005B20000-0x0000000005B5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1380-1104-0x0000000004E10000-0x0000000004E22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1380-1103-0x0000000005A10000-0x0000000005B1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1380-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-284-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-283-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-280-0x0000000004E30000-0x0000000004E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1380-225-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-223-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-221-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-219-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-192-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-1112-0x0000000006810000-0x0000000006886000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1380-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-207-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1380-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1604-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-154-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-152-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-149-0x0000000004CB0000-0x0000000005254000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1604-150-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-187-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1604-185-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-184-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-183-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-148-0x0000000000960000-0x000000000098D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1604-182-0x0000000000960000-0x000000000098D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1604-181-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1604-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-151-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-166-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-162-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-160-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-156-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

      Filesize

      72KB

      Download