Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f17c431956300a0d846a7bc8bd98031282b7b7720480f62ca7b9e3e5d3a39792.exe

  • Size

    687KB

  • MD5

    9299d187c6ad98aeb0ec053ad1384426

  • SHA1

    3fa074f5f2a0f4a912dff112cbdb9a34a16a55f9

  • SHA256

    f17c431956300a0d846a7bc8bd98031282b7b7720480f62ca7b9e3e5d3a39792

  • SHA512

    c4ab7a046ddf45bd4a4529355d7e038941343c82658822b50cb61d13dd5a0ff928c7bde763df1469cb6f2f6695ec8425f95bde4c120b1e88f7b5e15848da4aa6

  • SSDEEP

    12288:yMrzy9097ZkKjsy3x4cvThxwCzs6yjeBwP5Ojk9MlJgLUqWuXXaCz7bPT:9yqVLYy3x3r5z8jek5Qk9kgLUuXKCzfL

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f17c431956300a0d846a7bc8bd98031282b7b7720480f62ca7b9e3e5d3a39792.exe
    "C:\Users\Admin\AppData\Local\Temp\f17c431956300a0d846a7bc8bd98031282b7b7720480f62ca7b9e3e5d3a39792.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un037752.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un037752.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0065.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0065.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5894.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5894.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075145.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075145.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075145.exe
    Filesize

    175KB

    MD5

    e5182e210a28ceba907defafe9496c6d

    SHA1

    c2e03ffd58f207d026875b0ec93ea7b4e90968c4

    SHA256

    ce05122d4a087af7b2b1b4caea0f7865392dfd88062697b044e26b7b5431c779

    SHA512

    166757281bbf95b088e2f9e13adc498a50edce6bad08d179748eeb6265c45c1cc43df2de8264f578f9c77fa4c3fdd39ae2909b37b3c1c2cf8dfd7852a6479935

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075145.exe
    Filesize

    175KB

    MD5

    e5182e210a28ceba907defafe9496c6d

    SHA1

    c2e03ffd58f207d026875b0ec93ea7b4e90968c4

    SHA256

    ce05122d4a087af7b2b1b4caea0f7865392dfd88062697b044e26b7b5431c779

    SHA512

    166757281bbf95b088e2f9e13adc498a50edce6bad08d179748eeb6265c45c1cc43df2de8264f578f9c77fa4c3fdd39ae2909b37b3c1c2cf8dfd7852a6479935

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un037752.exe
    Filesize

    545KB

    MD5

    504e8c763cd3adb79c9468f56473d46a

    SHA1

    9d1a05cf2be3d8ac2d02ba7d84cbbb36271b329a

    SHA256

    91771b5583f66fc2c4ea37273fda23741d56b4deaa4e2fe60215001bcf88a256

    SHA512

    0ba10f31085992ea62df9524ee33df0332fa5d6d792df20c45b28d98466d12faf7b900aa9e13040db89ec64846c051ea7dfc5eac59310483dbc6307189a8b58c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un037752.exe
    Filesize

    545KB

    MD5

    504e8c763cd3adb79c9468f56473d46a

    SHA1

    9d1a05cf2be3d8ac2d02ba7d84cbbb36271b329a

    SHA256

    91771b5583f66fc2c4ea37273fda23741d56b4deaa4e2fe60215001bcf88a256

    SHA512

    0ba10f31085992ea62df9524ee33df0332fa5d6d792df20c45b28d98466d12faf7b900aa9e13040db89ec64846c051ea7dfc5eac59310483dbc6307189a8b58c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0065.exe
    Filesize

    321KB

    MD5

    a66e4a6c58d649bcd96a7279ad9171f8

    SHA1

    f8aabc310de0defd6c205d153d4daa4ad37af251

    SHA256

    bb533bb6740906a68bd72dac2fd95cb88e04173eb9f03c79cde4591abd71d21c

    SHA512

    473624413e0d1a467a22d4a82c6ac6459e9f8ca35033363913bc8ef0b311be52fb5c117c209d6dece62f1d649fb4222c8dba64ae879234f6b1ca159a5c0c0c5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0065.exe
    Filesize

    321KB

    MD5

    a66e4a6c58d649bcd96a7279ad9171f8

    SHA1

    f8aabc310de0defd6c205d153d4daa4ad37af251

    SHA256

    bb533bb6740906a68bd72dac2fd95cb88e04173eb9f03c79cde4591abd71d21c

    SHA512

    473624413e0d1a467a22d4a82c6ac6459e9f8ca35033363913bc8ef0b311be52fb5c117c209d6dece62f1d649fb4222c8dba64ae879234f6b1ca159a5c0c0c5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5894.exe
    Filesize

    380KB

    MD5

    53b87629e7c6444816e6e624fdbcd232

    SHA1

    cc5ca9bbcbb53903839ec72b028a9c87ccb5ba9b

    SHA256

    7aff6bc3738c04b84fe8a38086152074050bd5ac79c2d3ef23dd09b86526d0ec

    SHA512

    5a2e6414d5d4bf8dda6710e57585c043240e5a3d79fb4085900a53c09bfa8499994913664bff09ec85f746997413d43803b854b7eaddde55d0e5ef5bec306e15

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5894.exe
    Filesize

    380KB

    MD5

    53b87629e7c6444816e6e624fdbcd232

    SHA1

    cc5ca9bbcbb53903839ec72b028a9c87ccb5ba9b

    SHA256

    7aff6bc3738c04b84fe8a38086152074050bd5ac79c2d3ef23dd09b86526d0ec

    SHA512

    5a2e6414d5d4bf8dda6710e57585c043240e5a3d79fb4085900a53c09bfa8499994913664bff09ec85f746997413d43803b854b7eaddde55d0e5ef5bec306e15

    Download Submit

  • memory/2080-132-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2080-133-0x0000000002DA0000-0x0000000002DBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2080-135-0x00000000073B0000-0x00000000078AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2080-134-0x00000000073A0000-0x00000000073B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-136-0x00000000073A0000-0x00000000073B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-137-0x00000000073A0000-0x00000000073B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-138-0x0000000004780000-0x0000000004798000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2080-139-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-140-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-142-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-144-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-146-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-148-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-150-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-152-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-154-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-156-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-158-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-160-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-162-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-164-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-166-0x0000000004780000-0x0000000004792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-167-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/2080-168-0x00000000073A0000-0x00000000073B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-169-0x00000000073A0000-0x00000000073B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-170-0x00000000073A0000-0x00000000073B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-172-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/3928-177-0x00000000047E0000-0x0000000004826000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3928-178-0x0000000002DD0000-0x0000000002E1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3928-179-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3928-180-0x00000000049A0000-0x00000000049E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3928-182-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-181-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-184-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-185-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3928-189-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-191-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-187-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-193-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-195-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-197-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-201-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-199-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-203-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-205-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-207-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-211-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-209-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-213-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-215-0x00000000049A0000-0x00000000049DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3928-1088-0x0000000007D30000-0x0000000008336000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3928-1089-0x0000000007720000-0x000000000782A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3928-1090-0x0000000007860000-0x0000000007872000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3928-1091-0x0000000007880000-0x00000000078BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3928-1092-0x00000000079D0000-0x0000000007A1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3928-1094-0x0000000007B60000-0x0000000007BF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3928-1095-0x0000000007C00000-0x0000000007C66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3928-1096-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3928-1097-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3928-1098-0x0000000008C90000-0x0000000008E52000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3928-1099-0x0000000008E80000-0x00000000093AC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3928-1100-0x000000000A660000-0x000000000A6D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3928-1101-0x000000000A6F0000-0x000000000A740000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4784-1107-0x0000000000920000-0x0000000000952000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4784-1108-0x0000000005360000-0x00000000053AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4784-1109-0x0000000005150000-0x0000000005160000-memory.dmp

    Filesize

    64KB

    Download