Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    90s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    516bc7e07e9d356b143958e8184f5c8d0ea35eb20aad6d4169f446393e9cd2c5.exe

  • Size

    698KB

  • MD5

    016d5f790e7af894e49a30f874f8948b

  • SHA1

    b4be5faa0eb0b47e62de358115b045ee095f6de5

  • SHA256

    516bc7e07e9d356b143958e8184f5c8d0ea35eb20aad6d4169f446393e9cd2c5

  • SHA512

    52e79c5090a8256eb5ce29ff609f269d75f03fd539587afdf3161daa722732a2e9459686f9220ce77dcdd74213dc535b0e3b4b2238bfe3968385718ab60036a5

  • SSDEEP

    12288:/Mrzy90BopzSYjfjJmwvp9Hj8/gS/YWxjuckBjXL5dL65BGjEAxI9g0pIEnU:My0zYjfjp3HjKfxjuckRXL5B2GjdI9HS

Score
10/10
redlinemuserosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes
  • auth_value

    b91988a63a24940038d9262827a5320c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\516bc7e07e9d356b143958e8184f5c8d0ea35eb20aad6d4169f446393e9cd2c5.exe
    "C:\Users\Admin\AppData\Local\Temp\516bc7e07e9d356b143958e8184f5c8d0ea35eb20aad6d4169f446393e9cd2c5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600106.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600106.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1969.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1969.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6896.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6896.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si485958.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si485958.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si485958.exe
    Filesize

    175KB

    MD5

    78806c4f634ec4b8facd1680e783e502

    SHA1

    73ee47702711f903af07a29380d39f77da707682

    SHA256

    3eeda1137a64bc0c67312ad9f8f6cbfad1e9548fec9120ad16fcd3a1a0bab2a1

    SHA512

    4234302e29284e4f3fd47eeb70299f039d2c614b7657e46f8765651e39c205483e854a9361cd59484118e870ae5eb1866125deddd364f28cca2f5d7fbbbd97f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si485958.exe
    Filesize

    175KB

    MD5

    78806c4f634ec4b8facd1680e783e502

    SHA1

    73ee47702711f903af07a29380d39f77da707682

    SHA256

    3eeda1137a64bc0c67312ad9f8f6cbfad1e9548fec9120ad16fcd3a1a0bab2a1

    SHA512

    4234302e29284e4f3fd47eeb70299f039d2c614b7657e46f8765651e39c205483e854a9361cd59484118e870ae5eb1866125deddd364f28cca2f5d7fbbbd97f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600106.exe
    Filesize

    556KB

    MD5

    5e4ad518f2a3401f403dd07e5bad90f4

    SHA1

    2bd3e86588b5714fd045665cec697369e2b85e15

    SHA256

    3b3a6d5e1480087f626f92500ea7024cfc331803e2bda09f473c166be0398e7a

    SHA512

    e8f59cc0970abe35c09d1270bbdfc301b50eb62a35b8f5dd97a173d41b54c3d5c8848fd12aeecb02c344f17c44b413d3be97c6cc9d5b0bc142f1b7b2a12fb1fe

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600106.exe
    Filesize

    556KB

    MD5

    5e4ad518f2a3401f403dd07e5bad90f4

    SHA1

    2bd3e86588b5714fd045665cec697369e2b85e15

    SHA256

    3b3a6d5e1480087f626f92500ea7024cfc331803e2bda09f473c166be0398e7a

    SHA512

    e8f59cc0970abe35c09d1270bbdfc301b50eb62a35b8f5dd97a173d41b54c3d5c8848fd12aeecb02c344f17c44b413d3be97c6cc9d5b0bc142f1b7b2a12fb1fe

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1969.exe
    Filesize

    347KB

    MD5

    6835a97c94a4ff34f50740a97c973fd2

    SHA1

    240e1c5c60a971b1ad246e56d58ac7e6bb3daf2f

    SHA256

    34cfb1d25dff6cc8db9b8a85507b687de672fbed3a5be9230a9ae5dec52ee2a7

    SHA512

    fa6056c011df133bf220cc74be8bbe0bef8f04d9f837ade05a4bd1ff2fbcf24330769c757bcd1febc7c621bd922ed826b8f6b7dea8aaa249024158037f7a5b65

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1969.exe
    Filesize

    347KB

    MD5

    6835a97c94a4ff34f50740a97c973fd2

    SHA1

    240e1c5c60a971b1ad246e56d58ac7e6bb3daf2f

    SHA256

    34cfb1d25dff6cc8db9b8a85507b687de672fbed3a5be9230a9ae5dec52ee2a7

    SHA512

    fa6056c011df133bf220cc74be8bbe0bef8f04d9f837ade05a4bd1ff2fbcf24330769c757bcd1febc7c621bd922ed826b8f6b7dea8aaa249024158037f7a5b65

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6896.exe
    Filesize

    406KB

    MD5

    1e59b9eb470d8125b670c8ef5dab9f47

    SHA1

    f99c5c0bb50a41efde499dd2f7f6a954081e07bf

    SHA256

    eb8c136c1a433979126aeee3059e0680a9a02ab2a9b1b0f2eaf4feff9cd28205

    SHA512

    596493afd575123c2d5fb8f3e80c1b32db4f37ea82d023f27eae6e1c4e0090a2aba8566ff7c62d703990ead149105bf14ac38a591829f4ae84320e1401542497

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6896.exe
    Filesize

    406KB

    MD5

    1e59b9eb470d8125b670c8ef5dab9f47

    SHA1

    f99c5c0bb50a41efde499dd2f7f6a954081e07bf

    SHA256

    eb8c136c1a433979126aeee3059e0680a9a02ab2a9b1b0f2eaf4feff9cd28205

    SHA512

    596493afd575123c2d5fb8f3e80c1b32db4f37ea82d023f27eae6e1c4e0090a2aba8566ff7c62d703990ead149105bf14ac38a591829f4ae84320e1401542497

    Download Submit
  • memory/2960-136-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2960-137-0x0000000004770000-0x000000000478A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2960-138-0x00000000072F0000-0x00000000077EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2960-139-0x0000000004B60000-0x0000000004B78000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2960-140-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-141-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-143-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-153-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-159-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-163-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-165-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-161-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-167-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-157-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-155-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-151-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-149-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-147-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-145-0x0000000004B60000-0x0000000004B72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2960-168-0x00000000072E0000-0x00000000072F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2960-169-0x00000000072E0000-0x00000000072F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2960-170-0x00000000072E0000-0x00000000072F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2960-171-0x0000000000400000-0x0000000002B84000-memory.dmp
    Filesize

    39.5MB

    Download
  • memory/2960-173-0x0000000000400000-0x0000000002B84000-memory.dmp
    Filesize

    39.5MB

    Download
  • memory/3540-178-0x0000000004930000-0x0000000004976000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3540-179-0x0000000004CC0000-0x0000000004D04000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3540-180-0x00000000045E0000-0x000000000462B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3540-182-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-183-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-184-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-181-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-186-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-187-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-189-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-191-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-203-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-207-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3540-1090-0x0000000007E20000-0x0000000008426000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3540-1091-0x0000000007810000-0x000000000791A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3540-1092-0x0000000007250000-0x0000000007262000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3540-1093-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-1094-0x0000000007270000-0x00000000072AE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3540-1095-0x0000000007A20000-0x0000000007A6B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3540-1097-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-1098-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-1099-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-1100-0x0000000007B70000-0x0000000007BD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3540-1101-0x0000000008840000-0x00000000088D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3540-1102-0x0000000008A20000-0x0000000008BE2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3540-1103-0x0000000008C10000-0x000000000913C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3540-1104-0x0000000009270000-0x00000000092E6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3540-1106-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3540-1105-0x00000000092F0000-0x0000000009340000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4092-1112-0x0000000000940000-0x0000000000972000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4092-1113-0x0000000005220000-0x000000000526B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4092-1114-0x00000000051B0000-0x00000000051C0000-memory.dmp
    Filesize

    64KB

    Download