Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/03/2023, 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    507e20a361c5a775a5b083145d08cf974aeb90ab7a7150ccfe84d837d2130de1.exe

  • Size

    534KB

  • MD5

    b5e1fdd201eb3309bf21fbce68bd2f10

  • SHA1

    a9dc00c8fcd276583eb4f6b73deb05adc048ce03

  • SHA256

    507e20a361c5a775a5b083145d08cf974aeb90ab7a7150ccfe84d837d2130de1

  • SHA512

    91cba63b40a1b2d00f3a0e6456464c96ebd894e10dfd43fb1fc490e155a1e1f40c3fe418a21df976a9093cc864f37dc9eb4a97ab310c0f86cae2a24af3f7b4ec

  • SSDEEP

    12288:sMrCy90Mx4Xet2CE/hr2O4y8C1zAbKWfZm21VZ3c:2ywJ/n8C1zoKCZVVNc

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\507e20a361c5a775a5b083145d08cf974aeb90ab7a7150ccfe84d837d2130de1.exe
    "C:\Users\Admin\AppData\Local\Temp\507e20a361c5a775a5b083145d08cf974aeb90ab7a7150ccfe84d837d2130de1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidz1842.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidz1842.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740258.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740258.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku032069.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku032069.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr692522.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr692522.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr692522.exe
    Filesize

    175KB

    MD5

    bd6ed8938c427887b8a9db7c58aab298

    SHA1

    fdea0b7ac665e5ec277718ce9dbe3d260ae621c2

    SHA256

    1e36b983fc9f0faf868e1b5a598f5663149b1f48f5febeedba92068d6bf1a235

    SHA512

    a4d453f69b7fb3ed9f11bff463dd2dbb063ff8f9a8b041e45bb19b37e9d405dcb8d9cae96f253024c1c015e96bf2c7061e9cb0bbcb4da61123e9c826504a9827

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr692522.exe
    Filesize

    175KB

    MD5

    bd6ed8938c427887b8a9db7c58aab298

    SHA1

    fdea0b7ac665e5ec277718ce9dbe3d260ae621c2

    SHA256

    1e36b983fc9f0faf868e1b5a598f5663149b1f48f5febeedba92068d6bf1a235

    SHA512

    a4d453f69b7fb3ed9f11bff463dd2dbb063ff8f9a8b041e45bb19b37e9d405dcb8d9cae96f253024c1c015e96bf2c7061e9cb0bbcb4da61123e9c826504a9827

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidz1842.exe
    Filesize

    392KB

    MD5

    6dfc0beb25f7a74486824c7276559f6a

    SHA1

    7709f84fc0bc8f2c0d42cd4d92886ed0fed6a468

    SHA256

    b2448dd87309a1828de5f5b996ff3159f570a96a79bb17c23184230d479853cc

    SHA512

    d8dfbac1d77e5f332c67f1528bd4cc023e4a68c1b7b14f8ea362a2354522175ca3bd561a6979328578a97c06f5068fc8784f885bcb8c8ad3f64fb70c3745ccb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidz1842.exe
    Filesize

    392KB

    MD5

    6dfc0beb25f7a74486824c7276559f6a

    SHA1

    7709f84fc0bc8f2c0d42cd4d92886ed0fed6a468

    SHA256

    b2448dd87309a1828de5f5b996ff3159f570a96a79bb17c23184230d479853cc

    SHA512

    d8dfbac1d77e5f332c67f1528bd4cc023e4a68c1b7b14f8ea362a2354522175ca3bd561a6979328578a97c06f5068fc8784f885bcb8c8ad3f64fb70c3745ccb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740258.exe
    Filesize

    11KB

    MD5

    dfa33e52c8fb0b869e73632601d85960

    SHA1

    c410103bc4831833c3f0fbce00d372716f770ff2

    SHA256

    67ebb846ad907b39d427410a9cecf07f8139e3d7f1097e8f2c72b17554b3b60f

    SHA512

    ca3458bab1086f64bb83a8cdf1ea6fd009ee1849445ebbc3ec6bd77ebf8f794f901a862e1ea0811cc8ec7df377deae13a0ec7d42a6e07a1c1b9564d03d3254e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740258.exe
    Filesize

    11KB

    MD5

    dfa33e52c8fb0b869e73632601d85960

    SHA1

    c410103bc4831833c3f0fbce00d372716f770ff2

    SHA256

    67ebb846ad907b39d427410a9cecf07f8139e3d7f1097e8f2c72b17554b3b60f

    SHA512

    ca3458bab1086f64bb83a8cdf1ea6fd009ee1849445ebbc3ec6bd77ebf8f794f901a862e1ea0811cc8ec7df377deae13a0ec7d42a6e07a1c1b9564d03d3254e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku032069.exe
    Filesize

    319KB

    MD5

    e7f73104d6eeea78f22c26a59a979acd

    SHA1

    491c3f2cfb81663f793e7c4fb5883ad1a4e181f3

    SHA256

    62c2f7ff02e181172f32300d4b3cf95ce15b9adf44f4598f89e1b73d896ede4b

    SHA512

    602905b5319ca80e31f5bde1fc2cad2262bc4398352456221d79074076ba881ca4d70b6a3487a3a9a90ff932b729b4ca6a28c47a8c2e463b5cd059789ecd9633

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku032069.exe
    Filesize

    319KB

    MD5

    e7f73104d6eeea78f22c26a59a979acd

    SHA1

    491c3f2cfb81663f793e7c4fb5883ad1a4e181f3

    SHA256

    62c2f7ff02e181172f32300d4b3cf95ce15b9adf44f4598f89e1b73d896ede4b

    SHA512

    602905b5319ca80e31f5bde1fc2cad2262bc4398352456221d79074076ba881ca4d70b6a3487a3a9a90ff932b729b4ca6a28c47a8c2e463b5cd059789ecd9633

    Download Submit

  • memory/4244-141-0x0000000002270000-0x00000000022B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4244-142-0x0000000004BD0000-0x00000000050CE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4244-143-0x0000000004A30000-0x0000000004A74000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4244-144-0x0000000000500000-0x000000000054B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4244-145-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-146-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-147-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-148-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-149-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-151-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-153-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-155-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-157-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-159-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-161-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-163-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-165-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-167-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-169-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-171-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-173-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-175-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-177-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-179-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-181-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-183-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-185-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-187-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-189-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-191-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-195-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-197-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-193-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-199-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-201-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-203-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-205-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-209-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-207-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-211-0x0000000004A30000-0x0000000004A6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4244-1054-0x00000000050D0000-0x00000000056D6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4244-1055-0x00000000056E0000-0x00000000057EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4244-1056-0x0000000004B70000-0x0000000004B82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4244-1057-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-1058-0x00000000057F0000-0x000000000582E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4244-1059-0x0000000005930000-0x000000000597B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4244-1061-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-1062-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-1063-0x0000000005AA0000-0x0000000005B32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4244-1064-0x0000000005B40000-0x0000000005BA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4244-1065-0x00000000074E0000-0x0000000007556000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4244-1066-0x0000000007570000-0x00000000075C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4244-1067-0x00000000075C0000-0x0000000007782000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4244-1068-0x0000000007790000-0x0000000007CBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4244-1069-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4572-1075-0x0000000000590000-0x00000000005C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4572-1076-0x0000000004FD0000-0x000000000501B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4572-1077-0x00000000051A0000-0x00000000051B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-135-0x0000000000540000-0x000000000054A000-memory.dmp

    Filesize

    40KB

    Download