Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fc3e40dd03947cb37635927e9e17e01f6106d41bba92c4216c088f0050902af.exe

  • Size

    689KB

  • MD5

    25e014b563258ffe04660d6d35cdc20b

  • SHA1

    06c8645472983ae6ea54169e47e1241b8e025cf3

  • SHA256

    9fc3e40dd03947cb37635927e9e17e01f6106d41bba92c4216c088f0050902af

  • SHA512

    44159ce0847c66eb1ea5094e79fc9cb73331737fc923535cfdd5d4da987bd7b2055578dea8035fabe5ed165ff86a2855fa4d23c9e1cfadfeb2401dee1d73f2a7

  • SSDEEP

    12288:CMr8y904Bz+CgYkNnMzyG1YDZH9Nyw65hLumrTTwDoay9Hzz3pHmJgvqFI7figlm:SyrByCgYGHGKEPfam4y9RmJgWI7aglBE

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fc3e40dd03947cb37635927e9e17e01f6106d41bba92c4216c088f0050902af.exe
    "C:\Users\Admin\AppData\Local\Temp\9fc3e40dd03947cb37635927e9e17e01f6106d41bba92c4216c088f0050902af.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un565342.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un565342.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1885.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1885.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8325.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8325.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557998.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557998.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3552

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557998.exe
    Filesize

    175KB

    MD5

    844d4c73195897dc967ad96b5f2418f4

    SHA1

    7b6884843f5aa40c3b38509d9edf4674d215c87a

    SHA256

    995c26cfd2dc2dd495e8552b885ccd4dcde06da346d2b23806e5e598de4fe574

    SHA512

    084c49b66747325fbe0c515ee190767810e5320c4723b999d58a43a85a4fb37e52a17d53b85e81eb9025972326dab5b6d51226c731517a37b2243662a83034c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557998.exe
    Filesize

    175KB

    MD5

    844d4c73195897dc967ad96b5f2418f4

    SHA1

    7b6884843f5aa40c3b38509d9edf4674d215c87a

    SHA256

    995c26cfd2dc2dd495e8552b885ccd4dcde06da346d2b23806e5e598de4fe574

    SHA512

    084c49b66747325fbe0c515ee190767810e5320c4723b999d58a43a85a4fb37e52a17d53b85e81eb9025972326dab5b6d51226c731517a37b2243662a83034c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un565342.exe
    Filesize

    547KB

    MD5

    75dbc5ec2ec27b808d43569815b601c3

    SHA1

    e7b1f55f7df41514eb41d014cd69da7913a41264

    SHA256

    4bcd2fb27c47434946882e5403bb5010e0fa7fa5024528f139128f145e556311

    SHA512

    2c47679e9d56d221a8bc4a8f2795593c5ad004d176e0ecb81685b536e8231b8aecb9216d8d23735b4c0397964cf560a1fd2d46fcc90a7bb60e9a048a996716dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un565342.exe
    Filesize

    547KB

    MD5

    75dbc5ec2ec27b808d43569815b601c3

    SHA1

    e7b1f55f7df41514eb41d014cd69da7913a41264

    SHA256

    4bcd2fb27c47434946882e5403bb5010e0fa7fa5024528f139128f145e556311

    SHA512

    2c47679e9d56d221a8bc4a8f2795593c5ad004d176e0ecb81685b536e8231b8aecb9216d8d23735b4c0397964cf560a1fd2d46fcc90a7bb60e9a048a996716dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1885.exe
    Filesize

    291KB

    MD5

    9c35c5e553cf7b14cb5e5feb113abe07

    SHA1

    896cdcff57c16fd4bb461be96c551561696f568c

    SHA256

    7ef656a6c7bed065dec63b1b55d9bcf8874d39aaac03c94e1b405ad69a8a982a

    SHA512

    0d4b91420529027d12d84fda13f16981b7a2ce122a8f176b783051c4ee44c4ff3ead6967b2f9331481369c3482a5386759d403ef6a3ab03736c93c34afee0abf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1885.exe
    Filesize

    291KB

    MD5

    9c35c5e553cf7b14cb5e5feb113abe07

    SHA1

    896cdcff57c16fd4bb461be96c551561696f568c

    SHA256

    7ef656a6c7bed065dec63b1b55d9bcf8874d39aaac03c94e1b405ad69a8a982a

    SHA512

    0d4b91420529027d12d84fda13f16981b7a2ce122a8f176b783051c4ee44c4ff3ead6967b2f9331481369c3482a5386759d403ef6a3ab03736c93c34afee0abf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8325.exe
    Filesize

    345KB

    MD5

    a4953508f28a384d9b43c66d1b982a9f

    SHA1

    36cdb25bd7ca0215358de2551bc914234cbf70b4

    SHA256

    f02e08e93ae80339d0e62061736787985bd9114d814084614413b554c74e4023

    SHA512

    1bfce901957457c92d918cf4e28535e76a68aecdecff22c468d9bcb5bf3a79d79a5b6d0b8d69251c99159486aeb77c70fcdcb11d93fb3c8601d4ab4a242318d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8325.exe
    Filesize

    345KB

    MD5

    a4953508f28a384d9b43c66d1b982a9f

    SHA1

    36cdb25bd7ca0215358de2551bc914234cbf70b4

    SHA256

    f02e08e93ae80339d0e62061736787985bd9114d814084614413b554c74e4023

    SHA512

    1bfce901957457c92d918cf4e28535e76a68aecdecff22c468d9bcb5bf3a79d79a5b6d0b8d69251c99159486aeb77c70fcdcb11d93fb3c8601d4ab4a242318d7

    Download Submit

  • memory/2572-136-0x0000000002380000-0x000000000239A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2572-138-0x0000000000A50000-0x0000000000A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2572-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2572-139-0x0000000004CB0000-0x00000000051AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2572-140-0x0000000002530000-0x0000000002548000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2572-141-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-142-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-144-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-146-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-148-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-150-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-152-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-154-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-156-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-158-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-160-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-162-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-164-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-166-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-168-0x0000000002530000-0x0000000002542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2572-169-0x0000000000A50000-0x0000000000A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2572-170-0x0000000000A50000-0x0000000000A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2572-171-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2572-172-0x0000000000A50000-0x0000000000A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2572-174-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3552-1113-0x0000000000620000-0x0000000000652000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3552-1115-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3552-1114-0x0000000005060000-0x00000000050AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3932-184-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-217-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-181-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-186-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-188-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-190-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-192-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-194-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-196-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-198-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-200-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-202-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-204-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-206-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-208-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-210-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-212-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-215-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-214-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-182-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-211-0x0000000001B00000-0x0000000001B4B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3932-218-0x0000000003A80000-0x0000000003ABF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3932-1091-0x0000000006580000-0x0000000006B86000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3932-1092-0x0000000006BD0000-0x0000000006CDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3932-1093-0x0000000006D10000-0x0000000006D22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3932-1094-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-1095-0x0000000006D30000-0x0000000006D6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3932-1096-0x0000000006E80000-0x0000000006ECB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3932-1098-0x0000000007010000-0x00000000070A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3932-1099-0x00000000070B0000-0x0000000007116000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3932-1100-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-1101-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-1102-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3932-1103-0x00000000077C0000-0x0000000007982000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3932-1104-0x0000000007990000-0x0000000007EBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3932-180-0x0000000003A80000-0x0000000003AC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3932-179-0x0000000003790000-0x00000000037D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3932-1105-0x0000000008220000-0x0000000008296000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3932-1106-0x00000000082B0000-0x0000000008300000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3932-1107-0x0000000006070000-0x0000000006080000-memory.dmp

    Filesize

    64KB

    Download