Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    50s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28/03/2023, 20:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c.exe

  • Size

    696KB

  • MD5

    760db1c7e47f33fd7929f5cccf2a50cd

  • SHA1

    9a1afa6fb14608aeb26cc1e82bb33aaf22641ff0

  • SHA256

    4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c

  • SHA512

    3314022c16e9913fbbf8b2c22d738ca6a7fcfef65c8146797f27ad67d4acda5fcf9588fcb2b54896921304cd6991752873867c094a9924843028d61435fa74b4

  • SSDEEP

    12288:uMrwy90CfH0dLgueLtDm2itDWPz4V46tKIDdYM3WdSRXxCLvFHU3qba:+yZELheLtDmvtv66bDCaXGpUn

Score
10/10
redlinemuserosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes
  • auth_value

    b91988a63a24940038d9262827a5320c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 22 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c.exe
    "C:\Users\Admin\AppData\Local\Temp\4da138de8bf9c95b25eed52e7738aa41d497fc1eb08ad6beb62de1309e09d36c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si463613.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si463613.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4480

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si463613.exe
          Filesize

          175KB

          MD5

          a31b15e7ca1f132e1dacf012b40a7158

          SHA1

          8cad184c36f058482b5cb92da1c87db39190c07c

          SHA256

          8a891980783ce59b1849c6b738ea91cef4bed2d7ead0b9a6b13623a5d425bcb0

          SHA512

          822fa1341bf22ff3e39135c718ea32aeaa0d5dc2764c0eda47a3b8eb9b8800df0f47dd1bae209030135ae6526a3c3bc6b1bd35c667429ca84db319153e7ed55a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si463613.exe
          Filesize

          175KB

          MD5

          a31b15e7ca1f132e1dacf012b40a7158

          SHA1

          8cad184c36f058482b5cb92da1c87db39190c07c

          SHA256

          8a891980783ce59b1849c6b738ea91cef4bed2d7ead0b9a6b13623a5d425bcb0

          SHA512

          822fa1341bf22ff3e39135c718ea32aeaa0d5dc2764c0eda47a3b8eb9b8800df0f47dd1bae209030135ae6526a3c3bc6b1bd35c667429ca84db319153e7ed55a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
          Filesize

          554KB

          MD5

          6babfbd0258ddcab1529ed21f6122237

          SHA1

          43d73550dd54ee07703ff4cae4a5fdbb4ee1f32f

          SHA256

          55ce5b6495d159f02afaddec5932fe2cfa6f23272aa6d50b28106dde5cb33199

          SHA512

          62b4e0c08d2bb9b29513a7e823d23b4fc5602d51d38f24914745ced9086d563d70dcba1ecc4e1650b7eff5e89c7444db418f4a031e8ee40a1bddda7cad7f094b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209487.exe
          Filesize

          554KB

          MD5

          6babfbd0258ddcab1529ed21f6122237

          SHA1

          43d73550dd54ee07703ff4cae4a5fdbb4ee1f32f

          SHA256

          55ce5b6495d159f02afaddec5932fe2cfa6f23272aa6d50b28106dde5cb33199

          SHA512

          62b4e0c08d2bb9b29513a7e823d23b4fc5602d51d38f24914745ced9086d563d70dcba1ecc4e1650b7eff5e89c7444db418f4a031e8ee40a1bddda7cad7f094b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
          Filesize

          345KB

          MD5

          010d718cf36cd555ba2fc1d903beb629

          SHA1

          029bb78a52158f746aedb04d903ced4d0cb0245f

          SHA256

          72cd57d29876562186985c100c2654f7109febbe26dee238050ee5adce405cbd

          SHA512

          85e52ed555155ff3d64b99cf127a3dd305b531350ea4c7d0639b8650374031c6d05d39fff3adb31a2ffd59cd211dd63406651f732235be6232e75d1e8f5ebf47

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5617.exe
          Filesize

          345KB

          MD5

          010d718cf36cd555ba2fc1d903beb629

          SHA1

          029bb78a52158f746aedb04d903ced4d0cb0245f

          SHA256

          72cd57d29876562186985c100c2654f7109febbe26dee238050ee5adce405cbd

          SHA512

          85e52ed555155ff3d64b99cf127a3dd305b531350ea4c7d0639b8650374031c6d05d39fff3adb31a2ffd59cd211dd63406651f732235be6232e75d1e8f5ebf47

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
          Filesize

          403KB

          MD5

          00c084651522511143ffaa5899512069

          SHA1

          547fd2d1016fdc54caa4af10e4e0021f26a4fad1

          SHA256

          5b2f7272f44d62aa47bca92f5a9b36eab466b765f4a30bb55ffe0aef582e18c4

          SHA512

          c783fe5115ae449f76305e8e858c5621280a7029ae9a192eabd333d34dded512151010de983cac2de5e3bc2a9b64bd946b743e7cbba1eb7252daa6872d78fbcf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2655.exe
          Filesize

          403KB

          MD5

          00c084651522511143ffaa5899512069

          SHA1

          547fd2d1016fdc54caa4af10e4e0021f26a4fad1

          SHA256

          5b2f7272f44d62aa47bca92f5a9b36eab466b765f4a30bb55ffe0aef582e18c4

          SHA512

          c783fe5115ae449f76305e8e858c5621280a7029ae9a192eabd333d34dded512151010de983cac2de5e3bc2a9b64bd946b743e7cbba1eb7252daa6872d78fbcf

          Download Submit

        • memory/4480-1111-0x0000000005960000-0x0000000005970000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4480-1110-0x0000000005960000-0x0000000005970000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4480-1109-0x00000000057B0000-0x00000000057FB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4480-1108-0x0000000000D70000-0x0000000000DA2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4864-1088-0x0000000007F10000-0x000000000801A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4864-1092-0x0000000008130000-0x000000000817B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4864-1102-0x0000000009570000-0x00000000095C0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4864-1101-0x00000000094F0000-0x0000000009566000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4864-1100-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4864-1099-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4864-1098-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4864-1097-0x0000000008E80000-0x00000000093AC000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4864-1096-0x0000000008CA0000-0x0000000008E62000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4864-1095-0x0000000008980000-0x0000000008A12000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4864-1094-0x00000000082C0000-0x0000000008326000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4864-1091-0x00000000073B0000-0x00000000073EE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4864-1089-0x0000000007390000-0x00000000073A2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4864-1090-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4864-1087-0x0000000007900000-0x0000000007F06000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4864-210-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-214-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-212-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-204-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4864-209-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4864-175-0x0000000004A80000-0x0000000004AC6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4864-176-0x0000000004CF0000-0x0000000004D34000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4864-178-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-177-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-182-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-184-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-180-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-186-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-188-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-190-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-192-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-194-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-198-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-196-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-200-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-202-0x0000000002C70000-0x0000000002CBB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4864-203-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-206-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4864-207-0x00000000073F0000-0x0000000007400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4960-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-134-0x00000000001D0000-0x00000000001FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4960-170-0x0000000000400000-0x0000000002B83000-memory.dmp

          Filesize

          39.5MB

          Download

        • memory/4960-168-0x0000000007140000-0x0000000007150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4960-167-0x0000000007140000-0x0000000007150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4960-166-0x0000000000400000-0x0000000002B83000-memory.dmp

          Filesize

          39.5MB

          Download

        • memory/4960-137-0x0000000007140000-0x0000000007150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4960-165-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-163-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-141-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-139-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-138-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-145-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-151-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-149-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-147-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-143-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-136-0x0000000007140000-0x0000000007150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4960-135-0x0000000007140000-0x0000000007150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4960-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4960-133-0x0000000004C70000-0x0000000004C88000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4960-132-0x0000000007150000-0x000000000764E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/4960-131-0x0000000004770000-0x000000000478A000-memory.dmp

          Filesize

          104KB

          Download