Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    75s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db65837b7e21c329ae2c245525f93f20eb0bce9bb5767b99f065e9331bc00191.exe

  • Size

    689KB

  • MD5

    cfd5d43d2d6289e4810c78d626c5346c

  • SHA1

    e08ebce2c880a0e32408e79f7f776635223b96fa

  • SHA256

    db65837b7e21c329ae2c245525f93f20eb0bce9bb5767b99f065e9331bc00191

  • SHA512

    9ce56fe663c2040e4a23e494352cb0525f9ce2def1a02abfd43d755fb10fab902c63ea230d1b6c2c8b97f0bd88f5880b75183782655d0a30d174e0a3dda940a7

  • SSDEEP

    12288:fMrIy90KwPOdKe0XVv6yC65hLuVBK3ruSB/XhmJ8v3F/bfig8Wz5z7CZhj5F:PyESPSV/RfazK7uoPhmJ8N/bag8G5yZh

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 22 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db65837b7e21c329ae2c245525f93f20eb0bce9bb5767b99f065e9331bc00191.exe
    "C:\Users\Admin\AppData\Local\Temp\db65837b7e21c329ae2c245525f93f20eb0bce9bb5767b99f065e9331bc00191.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621751.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621751.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2011.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2011.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:356
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9067.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9067.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3544
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949045.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949045.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949045.exe
    Filesize

    175KB

    MD5

    2430448385e80c7bd6f3a4c836d56589

    SHA1

    43eef6cf6d0dcf12e6f978924d86752cdf7ecf59

    SHA256

    4bef2056486e62f775cf2f868aca3c764bc851d7ab3d009ba28fd808e10629e2

    SHA512

    9f7f6dd75c2a0e18ef8f0ad1ae88a0ec2b1103bd075ea0c70425f2ae5197d45fbf2d21416bd7a4cc36f4c7553ab363d4e10d3246ef6564fd0bf6abbc811c7ec3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949045.exe
    Filesize

    175KB

    MD5

    2430448385e80c7bd6f3a4c836d56589

    SHA1

    43eef6cf6d0dcf12e6f978924d86752cdf7ecf59

    SHA256

    4bef2056486e62f775cf2f868aca3c764bc851d7ab3d009ba28fd808e10629e2

    SHA512

    9f7f6dd75c2a0e18ef8f0ad1ae88a0ec2b1103bd075ea0c70425f2ae5197d45fbf2d21416bd7a4cc36f4c7553ab363d4e10d3246ef6564fd0bf6abbc811c7ec3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621751.exe
    Filesize

    547KB

    MD5

    cfa4dff2279ee6195932daf88de776af

    SHA1

    ad71d153b6cb9894a66a5f6a7063bc81e500ed8f

    SHA256

    3d8e1c580d2e9a0af09b31a7534c6ca91681c0ba764996a53a7512a5ae4d4754

    SHA512

    a34c53cb9e5f1b1502eac3e2fc48a28dca4ca9a63d5cf4d64f945d6d0e3b57b89f3fa8242be7004837b183d6b5fc9d2aeaef909a2f8478b08e285cf52dd8f0d0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621751.exe
    Filesize

    547KB

    MD5

    cfa4dff2279ee6195932daf88de776af

    SHA1

    ad71d153b6cb9894a66a5f6a7063bc81e500ed8f

    SHA256

    3d8e1c580d2e9a0af09b31a7534c6ca91681c0ba764996a53a7512a5ae4d4754

    SHA512

    a34c53cb9e5f1b1502eac3e2fc48a28dca4ca9a63d5cf4d64f945d6d0e3b57b89f3fa8242be7004837b183d6b5fc9d2aeaef909a2f8478b08e285cf52dd8f0d0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2011.exe
    Filesize

    291KB

    MD5

    bf5a3e483bd8df14a6a717533475ed83

    SHA1

    a301217540082e9733da99de8bab11df6b92af17

    SHA256

    9722177d90ddf995a0390e2c5e57b2bc2269a139b7e3065b43ad56bb42c1f3f1

    SHA512

    776739961c8b510aa2a9a78b07d6700754c6d3e77450c7bfb913e40740fda5c02f5c30ad395cbd7be2ff2a54750e3f38a41e3a11af06e73d729d89b36e82d98a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2011.exe
    Filesize

    291KB

    MD5

    bf5a3e483bd8df14a6a717533475ed83

    SHA1

    a301217540082e9733da99de8bab11df6b92af17

    SHA256

    9722177d90ddf995a0390e2c5e57b2bc2269a139b7e3065b43ad56bb42c1f3f1

    SHA512

    776739961c8b510aa2a9a78b07d6700754c6d3e77450c7bfb913e40740fda5c02f5c30ad395cbd7be2ff2a54750e3f38a41e3a11af06e73d729d89b36e82d98a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9067.exe
    Filesize

    345KB

    MD5

    791d13ff3990f628b9a46951d4c1390d

    SHA1

    b6bb720e4dec7b2972b0b43058a4a3fabee8815d

    SHA256

    2277d5b483a093a438d3f68f9a6c05ffc733da921fd6ff56bdf8f8d5cc694bef

    SHA512

    fd60d254bbeeaa5edc400807de43578fd8331fcbb51a78d70e4cb43def6fd83d85a000cc0d9038f7444bee0e01238b04455a9bb9040c1bf9742fe26d815c137b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9067.exe
    Filesize

    345KB

    MD5

    791d13ff3990f628b9a46951d4c1390d

    SHA1

    b6bb720e4dec7b2972b0b43058a4a3fabee8815d

    SHA256

    2277d5b483a093a438d3f68f9a6c05ffc733da921fd6ff56bdf8f8d5cc694bef

    SHA512

    fd60d254bbeeaa5edc400807de43578fd8331fcbb51a78d70e4cb43def6fd83d85a000cc0d9038f7444bee0e01238b04455a9bb9040c1bf9742fe26d815c137b

    Download Submit
  • memory/356-136-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/356-137-0x0000000002670000-0x000000000268A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/356-138-0x0000000004CA0000-0x000000000519E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/356-139-0x0000000004C30000-0x0000000004C48000-memory.dmp
    Filesize

    96KB

    Download
  • memory/356-140-0x0000000004C90000-0x0000000004CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/356-142-0x0000000004C90000-0x0000000004CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/356-141-0x0000000004C90000-0x0000000004CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/356-143-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-144-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-146-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-148-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-150-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-152-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-154-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-156-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-158-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-160-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-162-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-164-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-166-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-168-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-170-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/356-171-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/356-172-0x0000000004C90000-0x0000000004CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/356-173-0x0000000004C90000-0x0000000004CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/356-174-0x0000000004C90000-0x0000000004CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/356-176-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/3544-181-0x0000000003610000-0x0000000003656000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3544-182-0x00000000037A0000-0x00000000037E4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3544-183-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-186-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-184-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-188-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-190-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-192-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-194-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-196-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-198-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-200-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-202-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-204-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-206-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-208-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-210-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-212-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-214-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-216-0x00000000037A0000-0x00000000037DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3544-219-0x0000000001A30000-0x0000000001A7B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3544-223-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-221-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-224-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-1093-0x00000000067E0000-0x0000000006DE6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3544-1094-0x0000000006150000-0x000000000625A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3544-1095-0x0000000003C90000-0x0000000003CA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3544-1096-0x0000000003CB0000-0x0000000003CEE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3544-1097-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-1098-0x0000000006260000-0x00000000062AB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3544-1099-0x0000000007010000-0x0000000007076000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3544-1101-0x00000000075B0000-0x0000000007642000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3544-1102-0x00000000077C0000-0x0000000007836000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3544-1103-0x0000000007840000-0x0000000007890000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3544-1105-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-1106-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-1104-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3544-1107-0x0000000007990000-0x0000000007B52000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3544-1108-0x0000000007B80000-0x00000000080AC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3544-1109-0x00000000062D0000-0x00000000062E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3720-1115-0x0000000000910000-0x0000000000942000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3720-1116-0x0000000005350000-0x000000000539B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3720-1117-0x0000000005220000-0x0000000005230000-memory.dmp
    Filesize

    64KB

    Download