Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5975715aa48f80d94702f93c64e27d07b68345812dd2aa53d4d22e4aa411fa1d.exe

  • Size

    713KB

  • MD5

    6b054922153dbdc8e5a82dc96b0639b5

  • SHA1

    2181b7c3b85c639301d4ccba814d4c36092259c5

  • SHA256

    5975715aa48f80d94702f93c64e27d07b68345812dd2aa53d4d22e4aa411fa1d

  • SHA512

    1ad870131efd16ae5b924ebe101246ac6795b85f8ee65df5a664897eaf9832598584ed2b91f62a5fb9231b9b173e2f57a26b0cfbcac1005d7ace634e79b24243

  • SSDEEP

    12288:dSibsV1r1eXRKAaCwprt7hyU/+BGN95KKVLQFkW31fBBv409iS9uB:B4zr6EAaCurt9bGBGN95KlFJ39gc9u

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 32 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5975715aa48f80d94702f93c64e27d07b68345812dd2aa53d4d22e4aa411fa1d.exe
    "C:\Users\Admin\AppData\Local\Temp\5975715aa48f80d94702f93c64e27d07b68345812dd2aa53d4d22e4aa411fa1d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinW6705.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinW6705.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr155826.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr155826.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku638698.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku638698.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1940
          4⤵
          • Program crash
          PID:4080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr892963.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr892963.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 484
      2⤵
      • Program crash
      PID:3040
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3380 -ip 3380
    1⤵
      PID:612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3304 -ip 3304
      1⤵
        PID:3716

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr892963.exe
        Filesize

        175KB

        MD5

        c5dd023f8011ccb36487cbb5c9d0badf

        SHA1

        a67e24c344df3cefdd1dc924db45ca67e101e3d4

        SHA256

        7016afd4aa13923a95ff6fd67b2e42b91f55fd31e20930af14f289cd9b19ec0c

        SHA512

        2373e18ce0dc56b3067e3b989fc857e0b1c337dc3bf00e3066c082de5d4879f11d8d4d020473f2b56eeb67e1effb919e5af7442c762c273943a6fc25f58a5412

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr892963.exe
        Filesize

        175KB

        MD5

        c5dd023f8011ccb36487cbb5c9d0badf

        SHA1

        a67e24c344df3cefdd1dc924db45ca67e101e3d4

        SHA256

        7016afd4aa13923a95ff6fd67b2e42b91f55fd31e20930af14f289cd9b19ec0c

        SHA512

        2373e18ce0dc56b3067e3b989fc857e0b1c337dc3bf00e3066c082de5d4879f11d8d4d020473f2b56eeb67e1effb919e5af7442c762c273943a6fc25f58a5412

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinW6705.exe
        Filesize

        407KB

        MD5

        cabb3463f51c332c467c2ff736fe05bb

        SHA1

        aadc455ffed9978efd77f729064bb0d4b178f595

        SHA256

        4fad65b6cabba38e0ec7b35cd8a81c916f5d73b24e5428a2107e115a1daad86d

        SHA512

        b4146c8234fdfcbf3fdceee02951896dc408f98ffc93a255239e1e6943a1a960c8f29ffaffd70e14fcd4d4c18f64b83603efef8e7615f330082880e6c0aff9d4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinW6705.exe
        Filesize

        407KB

        MD5

        cabb3463f51c332c467c2ff736fe05bb

        SHA1

        aadc455ffed9978efd77f729064bb0d4b178f595

        SHA256

        4fad65b6cabba38e0ec7b35cd8a81c916f5d73b24e5428a2107e115a1daad86d

        SHA512

        b4146c8234fdfcbf3fdceee02951896dc408f98ffc93a255239e1e6943a1a960c8f29ffaffd70e14fcd4d4c18f64b83603efef8e7615f330082880e6c0aff9d4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr155826.exe
        Filesize

        11KB

        MD5

        5fa07e8ccf055edf11bd2372900432f0

        SHA1

        ddc5d6fc54d06df47d85955411b5036334f194a0

        SHA256

        81e8f55b18c82e85455874813ef9da8e01a50963ee05cf8a8763c05b146037c6

        SHA512

        353b21e2294e81b3b324e9e2ad7157fbe8ad0ad5e51f2020d1ab080783c20c11ee176240f8a06b37bfc70f694a272981c3fea65729415d7bd0ecd00a7ae272ea

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr155826.exe
        Filesize

        11KB

        MD5

        5fa07e8ccf055edf11bd2372900432f0

        SHA1

        ddc5d6fc54d06df47d85955411b5036334f194a0

        SHA256

        81e8f55b18c82e85455874813ef9da8e01a50963ee05cf8a8763c05b146037c6

        SHA512

        353b21e2294e81b3b324e9e2ad7157fbe8ad0ad5e51f2020d1ab080783c20c11ee176240f8a06b37bfc70f694a272981c3fea65729415d7bd0ecd00a7ae272ea

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku638698.exe
        Filesize

        380KB

        MD5

        6e32a72abf890a2c9a13c750398cc48d

        SHA1

        0e684f0273666a9129c94c15c7426dcf803928f4

        SHA256

        8e26a07ce5e3e1a02b7f5eb9f6c8ef802ebc58fb8b2d9c2dd03b63cedfb76082

        SHA512

        a52d4cb4d29f9c5d7029c168ca693b9b844525866eb6944ff72274ae6ba83a2657bade67028e15d16abc2e62a0b20f4470db769fa501ad34624790c9cc08aa77

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku638698.exe
        Filesize

        380KB

        MD5

        6e32a72abf890a2c9a13c750398cc48d

        SHA1

        0e684f0273666a9129c94c15c7426dcf803928f4

        SHA256

        8e26a07ce5e3e1a02b7f5eb9f6c8ef802ebc58fb8b2d9c2dd03b63cedfb76082

        SHA512

        a52d4cb4d29f9c5d7029c168ca693b9b844525866eb6944ff72274ae6ba83a2657bade67028e15d16abc2e62a0b20f4470db769fa501ad34624790c9cc08aa77

        Download Submit

      • memory/3304-149-0x00000000049F0000-0x0000000004A7B000-memory.dmp

        Filesize

        556KB

        Download

      • memory/3304-150-0x0000000000400000-0x0000000002BE0000-memory.dmp

        Filesize

        39.9MB

        Download

      • memory/3380-196-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-206-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-159-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-161-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-163-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-165-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-167-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-169-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-171-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-173-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-172-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-176-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-175-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-178-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-180-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-182-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-184-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-186-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-188-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-190-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-192-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-194-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-157-0x0000000007360000-0x0000000007904000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3380-198-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-200-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-202-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-204-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-158-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-208-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-210-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-212-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-214-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-216-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-218-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-220-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-222-0x0000000007280000-0x00000000072BF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3380-1067-0x0000000007910000-0x0000000007F28000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3380-1068-0x0000000007F70000-0x000000000807A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3380-1069-0x00000000080B0000-0x00000000080C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3380-1070-0x00000000080D0000-0x000000000810C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3380-1071-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-1074-0x00000000083C0000-0x0000000008452000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3380-1075-0x0000000008460000-0x00000000084C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3380-1076-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-1077-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-1078-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3380-1079-0x0000000008DC0000-0x0000000008E36000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3380-1080-0x0000000008E60000-0x0000000008EB0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3380-1081-0x0000000008EC0000-0x0000000009082000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3380-1083-0x0000000009090000-0x00000000095BC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3380-156-0x0000000002C80000-0x0000000002CCB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3380-1082-0x0000000007350000-0x0000000007360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3768-1090-0x00000000005C0000-0x00000000005F2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3768-1091-0x0000000005150000-0x0000000005160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4864-148-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

        Filesize

        40KB

        Download