Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8565599f5b0a1116e27d91eef13fa6b80f18b54acd33d980bf932d0a99f5ac54.exe

  • Size

    690KB

  • MD5

    0bbe5f3fae01b4cad81f3d3663514b9c

  • SHA1

    3ff8d1d3f2aa63321d152e3ef4012a6b30c9cbb3

  • SHA256

    8565599f5b0a1116e27d91eef13fa6b80f18b54acd33d980bf932d0a99f5ac54

  • SHA512

    b3689cb7351f4c6fbd757a8bce7b65b1d32921524791e8da03bd45826b28a570c48ec643432ced66e10d07543536139f3b5376387f853368ca749fba80434fba

  • SSDEEP

    12288:LMrGy90V2jBw4kHhZyxdpNELyV65hLudz5uK3Wb2eWbo7xUYvOFrOfigSMA/0j+K:NyEBgxdpNjIfadQKe2X4yYKrOagSUyK

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8565599f5b0a1116e27d91eef13fa6b80f18b54acd33d980bf932d0a99f5ac54.exe
    "C:\Users\Admin\AppData\Local\Temp\8565599f5b0a1116e27d91eef13fa6b80f18b54acd33d980bf932d0a99f5ac54.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275890.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275890.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9411.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9411.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 968
          4⤵
          • Program crash
          PID:3752
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8600.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8600.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4188
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1184
          4⤵
          • Program crash
          PID:2604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si923890.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si923890.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1416 -ip 1416
    1⤵
      PID:656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4188 -ip 4188
      1⤵
        PID:1112

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si923890.exe
        Filesize

        175KB

        MD5

        f0ca1c81f565fa71c16f415bdcc25a39

        SHA1

        74596c488cf3bc12ae921b6d328ef5130437e095

        SHA256

        70445446cb66dd6e2736b0ec763af1c4ffa0b34bd3394e7eb79478152658ef79

        SHA512

        63559c399cd566c47d3eaf2587e37bc69b12ddb329314e3d518188a8515feadfe9847997d79ec2834586fefddc91a88f9fc514a581fd62950671782ce2e0584a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si923890.exe
        Filesize

        175KB

        MD5

        f0ca1c81f565fa71c16f415bdcc25a39

        SHA1

        74596c488cf3bc12ae921b6d328ef5130437e095

        SHA256

        70445446cb66dd6e2736b0ec763af1c4ffa0b34bd3394e7eb79478152658ef79

        SHA512

        63559c399cd566c47d3eaf2587e37bc69b12ddb329314e3d518188a8515feadfe9847997d79ec2834586fefddc91a88f9fc514a581fd62950671782ce2e0584a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275890.exe
        Filesize

        548KB

        MD5

        205ad7e179647aa31d34490129e8d3c9

        SHA1

        75e59751c0a55214a3da0aede2dc9aa7e85447f0

        SHA256

        12eef8b2a311d4025c5747a27d05db68dc01f70084ab69150c0fc667fc154d0d

        SHA512

        61258ea508ae3f06a8c7f45c869e585d334a1b625c36681b91408326939da54f2d678118ba1631ebbb2af60ada55d30e3a01ad0be3bc4e54e570d15d6d876f28

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275890.exe
        Filesize

        548KB

        MD5

        205ad7e179647aa31d34490129e8d3c9

        SHA1

        75e59751c0a55214a3da0aede2dc9aa7e85447f0

        SHA256

        12eef8b2a311d4025c5747a27d05db68dc01f70084ab69150c0fc667fc154d0d

        SHA512

        61258ea508ae3f06a8c7f45c869e585d334a1b625c36681b91408326939da54f2d678118ba1631ebbb2af60ada55d30e3a01ad0be3bc4e54e570d15d6d876f28

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9411.exe
        Filesize

        291KB

        MD5

        a2dab5c5b7b9c18333a10ac461adf9d5

        SHA1

        64490507cb31209e13e4691ec08e1766ffe21f9e

        SHA256

        05a7d632a668a5bb86985bcec1f2c7c41b9397e4a825e3857bf41291a3914dc7

        SHA512

        36f48b69472162f63e2fcd8de94444c722ff3e5208d9825d67e820bcd8c799e6a60d42d372b707f9bac8aa49c9d5026bfc4876a4ab83a4fb92f3e2440fa8110d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9411.exe
        Filesize

        291KB

        MD5

        a2dab5c5b7b9c18333a10ac461adf9d5

        SHA1

        64490507cb31209e13e4691ec08e1766ffe21f9e

        SHA256

        05a7d632a668a5bb86985bcec1f2c7c41b9397e4a825e3857bf41291a3914dc7

        SHA512

        36f48b69472162f63e2fcd8de94444c722ff3e5208d9825d67e820bcd8c799e6a60d42d372b707f9bac8aa49c9d5026bfc4876a4ab83a4fb92f3e2440fa8110d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8600.exe
        Filesize

        345KB

        MD5

        e0edf7cf3ac00e8bdc9cbeb4b83e6022

        SHA1

        74c7c0b9b71a4434390fe7f91200df716b7e5cdd

        SHA256

        1d54ebb2e6082384d33d22d29e56f8bb9774047c67c541487e4322b4db457e90

        SHA512

        40f6f601a79c8ad0cb36da4ad955bda6ac6634e30973dcbb8d14966fd7681d56e3f4c05bc4836784771bb5d50a658c4a46346a297d53aaba92ac6ba8c8c0b90e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8600.exe
        Filesize

        345KB

        MD5

        e0edf7cf3ac00e8bdc9cbeb4b83e6022

        SHA1

        74c7c0b9b71a4434390fe7f91200df716b7e5cdd

        SHA256

        1d54ebb2e6082384d33d22d29e56f8bb9774047c67c541487e4322b4db457e90

        SHA512

        40f6f601a79c8ad0cb36da4ad955bda6ac6634e30973dcbb8d14966fd7681d56e3f4c05bc4836784771bb5d50a658c4a46346a297d53aaba92ac6ba8c8c0b90e

        Download Submit

      • memory/1012-1117-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1012-1118-0x0000000005360000-0x0000000005370000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1416-156-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-166-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-152-0x0000000004EB0000-0x0000000005454000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1416-151-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1416-153-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-154-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-149-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1416-158-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-160-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-162-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-164-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-150-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1416-168-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-170-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-172-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-174-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-176-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-178-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-180-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1416-181-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1416-183-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1416-148-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4188-189-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-317-0x0000000001B70000-0x0000000001BBB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4188-193-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-195-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-197-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-199-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-201-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-203-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-205-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-207-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-209-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-211-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-219-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-217-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-215-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-213-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-221-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-191-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-319-0x0000000005F60000-0x0000000005F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4188-321-0x0000000005F60000-0x0000000005F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4188-1097-0x0000000006630000-0x0000000006C48000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4188-1098-0x0000000006CD0000-0x0000000006DDA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4188-1099-0x0000000006E10000-0x0000000006E22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4188-1100-0x0000000006E30000-0x0000000006E6C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4188-1101-0x0000000005F60000-0x0000000005F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4188-1102-0x0000000007120000-0x00000000071B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4188-1103-0x00000000071C0000-0x0000000007226000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4188-1105-0x00000000079E0000-0x0000000007BA2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4188-1106-0x0000000007BC0000-0x00000000080EC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4188-1107-0x0000000005F60000-0x0000000005F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4188-1108-0x0000000005F60000-0x0000000005F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4188-188-0x00000000065A0000-0x00000000065DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4188-1109-0x0000000008240000-0x00000000082B6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4188-1110-0x00000000082C0000-0x0000000008310000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4188-1111-0x0000000005F60000-0x0000000005F70000-memory.dmp

        Filesize

        64KB

        Download