Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b13f1f5004cb9d7f74ba653f0df9d4811f38b835e8e7a63f5232e90bca1714f8.exe

  • Size

    697KB

  • MD5

    ee9f2750f53a9df4f0901d31a2af5e61

  • SHA1

    d976bb0879fae0e7827def0b5ba5983b25cd3e97

  • SHA256

    b13f1f5004cb9d7f74ba653f0df9d4811f38b835e8e7a63f5232e90bca1714f8

  • SHA512

    3d8dda145ba5cc0a3c074fac8b99daafe3f7eb59e40641f39fd512b23ba1f1c036f164bb6f06d314a812363b2b10874985263cdf5330192b02eb3bee9f4d7407

  • SSDEEP

    12288:CMrby90yrBO2Xc0EavH42ZZhrp/Ybx8PEYsJsFjlvYL6LaGj0AxI9gz+PvRQ3:pyf3Aaw2ZHQxh8jlmTGjNI9mYu

Score
10/10
redlinemuserosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes
  • auth_value

    b91988a63a24940038d9262827a5320c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b13f1f5004cb9d7f74ba653f0df9d4811f38b835e8e7a63f5232e90bca1714f8.exe
    "C:\Users\Admin\AppData\Local\Temp\b13f1f5004cb9d7f74ba653f0df9d4811f38b835e8e7a63f5232e90bca1714f8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330660.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3297.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3297.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2634.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2634.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500607.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500607.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500607.exe
    Filesize

    175KB

    MD5

    7afe4c4f01bc100d83fd3f8a9ca12260

    SHA1

    a4a62bfa80be8d33b3d8687af21cd91d470e3265

    SHA256

    293cfaa68c6d30b6300aee7d8d1eb8d791697242e9298d45268d9dd1713b302e

    SHA512

    ea37ad9481fa8d6e41dfcd4ccee7931d82623a64187fcccbf89e9b5e4b27a4d5238455308bdcfb00eebd88a7b9e9cdae9171aac858b316aa0eac4a5440383f7f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500607.exe
    Filesize

    175KB

    MD5

    7afe4c4f01bc100d83fd3f8a9ca12260

    SHA1

    a4a62bfa80be8d33b3d8687af21cd91d470e3265

    SHA256

    293cfaa68c6d30b6300aee7d8d1eb8d791697242e9298d45268d9dd1713b302e

    SHA512

    ea37ad9481fa8d6e41dfcd4ccee7931d82623a64187fcccbf89e9b5e4b27a4d5238455308bdcfb00eebd88a7b9e9cdae9171aac858b316aa0eac4a5440383f7f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330660.exe
    Filesize

    555KB

    MD5

    5bded277801edea2f94db5d6785f7502

    SHA1

    bca4d72597cd33b965458bcf51d1c66520e9ee1e

    SHA256

    4fd87a5c16e7463d12af425223e109ddca50ba7421938b630c66248a1d90fb87

    SHA512

    431dc355b69424720563252052cd718a2bfed8be6e110e889da84b9f3f9fd222556c02359021847c27b601228ea046354d12aff9456c137c03aab4c043d5a414

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330660.exe
    Filesize

    555KB

    MD5

    5bded277801edea2f94db5d6785f7502

    SHA1

    bca4d72597cd33b965458bcf51d1c66520e9ee1e

    SHA256

    4fd87a5c16e7463d12af425223e109ddca50ba7421938b630c66248a1d90fb87

    SHA512

    431dc355b69424720563252052cd718a2bfed8be6e110e889da84b9f3f9fd222556c02359021847c27b601228ea046354d12aff9456c137c03aab4c043d5a414

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3297.exe
    Filesize

    347KB

    MD5

    c15011ad43fb1496ec58472b49c31830

    SHA1

    c06378d1ce32e20b001d46ebba1ffa2ec1c76569

    SHA256

    ea1840e8ab38ff18699ced89e329f0989f2e61b0804ad4c8dc4fc6ab575d3237

    SHA512

    f6da15e9c26604dd7be16289e7ae7c77e2cfb42469a4e777eefa313c823c991bee3ea273681d5f8c52eaf1860067f344f986aa4d2073a4758faa112905486ebb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3297.exe
    Filesize

    347KB

    MD5

    c15011ad43fb1496ec58472b49c31830

    SHA1

    c06378d1ce32e20b001d46ebba1ffa2ec1c76569

    SHA256

    ea1840e8ab38ff18699ced89e329f0989f2e61b0804ad4c8dc4fc6ab575d3237

    SHA512

    f6da15e9c26604dd7be16289e7ae7c77e2cfb42469a4e777eefa313c823c991bee3ea273681d5f8c52eaf1860067f344f986aa4d2073a4758faa112905486ebb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2634.exe
    Filesize

    406KB

    MD5

    5faaa1dbad087c3914893b74b3e0b265

    SHA1

    cd6afa3ac75e389e3f9fb0d954aa22c3c7b03083

    SHA256

    dbb1648b12566051d4dfb778dd23f6cc4f41965e85439088bef04768b951a668

    SHA512

    e56095be9d34ef0ebc8a739902d8e9209402f13cd4ff072f6f3539079206aace92eae38343ef1f32fcf288cad713970c9335baa47378564abb332181ce63f8f5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2634.exe
    Filesize

    406KB

    MD5

    5faaa1dbad087c3914893b74b3e0b265

    SHA1

    cd6afa3ac75e389e3f9fb0d954aa22c3c7b03083

    SHA256

    dbb1648b12566051d4dfb778dd23f6cc4f41965e85439088bef04768b951a668

    SHA512

    e56095be9d34ef0ebc8a739902d8e9209402f13cd4ff072f6f3539079206aace92eae38343ef1f32fcf288cad713970c9335baa47378564abb332181ce63f8f5

    Download Submit
  • memory/2540-1090-0x0000000007880000-0x0000000007E86000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2540-1091-0x0000000007220000-0x000000000732A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2540-1106-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-1105-0x0000000008F70000-0x000000000949C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2540-1104-0x0000000008D80000-0x0000000008F42000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2540-1103-0x0000000008AF0000-0x0000000008B40000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2540-1102-0x0000000008A60000-0x0000000008AD6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2540-199-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-1101-0x0000000008840000-0x00000000088D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2540-1100-0x0000000008180000-0x00000000081E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2540-1099-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-1098-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-1097-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-189-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-1095-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-1094-0x0000000007FF0000-0x000000000803B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2540-1093-0x0000000007EB0000-0x0000000007EEE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2540-187-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-1092-0x0000000007E90000-0x0000000007EA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-256-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-252-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-178-0x0000000004A20000-0x0000000004A66000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2540-179-0x0000000004CE0000-0x0000000004D24000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2540-180-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-181-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-183-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-185-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-193-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-195-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-197-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-255-0x0000000007370000-0x0000000007380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-251-0x0000000002C70000-0x0000000002CBB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2540-205-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-201-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-203-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-207-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2540-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2664-169-0x0000000000400000-0x0000000002B84000-memory.dmp
    Filesize

    39.5MB

    Download
  • memory/2664-170-0x0000000007200000-0x0000000007210000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2664-164-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-152-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-139-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2664-140-0x0000000007200000-0x0000000007210000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2664-138-0x0000000007210000-0x000000000770E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2664-173-0x0000000000400000-0x0000000002B84000-memory.dmp
    Filesize

    39.5MB

    Download
  • memory/2664-171-0x0000000007200000-0x0000000007210000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2664-141-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-168-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-166-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-162-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-160-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-158-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-156-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-154-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-150-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-148-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-146-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-144-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-142-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2664-137-0x0000000002F10000-0x0000000002F2A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2664-136-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3548-1112-0x0000000000BD0000-0x0000000000C02000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3548-1113-0x0000000005610000-0x000000000565B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3548-1114-0x00000000057B0000-0x00000000057C0000-memory.dmp
    Filesize

    64KB

    Download