Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/03/2023, 22:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e47eee5ce753aefa0a93d0fdd00940ed64b48fb74e9074e5a9ac36a275aae2ea.exe

  • Size

    534KB

  • MD5

    e6ecd82722f6f07bee953fefa12997f0

  • SHA1

    c9f22e1236c7dcf2e7563043af5f4c93ec9670fd

  • SHA256

    e47eee5ce753aefa0a93d0fdd00940ed64b48fb74e9074e5a9ac36a275aae2ea

  • SHA512

    5b6b5e0a6e1b685e8a082e9219a48a1a1cd3128a6ed885c795e169cc2abc0251b2447b4a96c93e04f75be9a40173651a2c12f4e4ffd785469e3e18af01f9c3f6

  • SSDEEP

    12288:fMrey90O55EsYZdE6uvPNTIxn7b3LN4ifYmMMAwDBL0y:ty9TYfE6oPNTIBP3x4ifYdMTDBgy

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e47eee5ce753aefa0a93d0fdd00940ed64b48fb74e9074e5a9ac36a275aae2ea.exe
    "C:\Users\Admin\AppData\Local\Temp\e47eee5ce753aefa0a93d0fdd00940ed64b48fb74e9074e5a9ac36a275aae2ea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitq0924.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitq0924.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr979904.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr979904.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku792883.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku792883.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr718179.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr718179.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr718179.exe
    Filesize

    175KB

    MD5

    a0cb5488b9ff831627b51554054a8c35

    SHA1

    918d503e6eedf93e7544cb17314a5e736719139e

    SHA256

    90a45c6a5a0a78a10c00e8b235ba8752b35ad0cda2a6205c231a2b0fc1a925f0

    SHA512

    f8a8d53a61d89e583cf7f912971b655cacc3e817934533cc052965df118b11bbb7706922e35d63f622bec8199275bc30ef13d37eef0a7bb66df5f476b24785b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr718179.exe
    Filesize

    175KB

    MD5

    a0cb5488b9ff831627b51554054a8c35

    SHA1

    918d503e6eedf93e7544cb17314a5e736719139e

    SHA256

    90a45c6a5a0a78a10c00e8b235ba8752b35ad0cda2a6205c231a2b0fc1a925f0

    SHA512

    f8a8d53a61d89e583cf7f912971b655cacc3e817934533cc052965df118b11bbb7706922e35d63f622bec8199275bc30ef13d37eef0a7bb66df5f476b24785b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitq0924.exe
    Filesize

    392KB

    MD5

    ea3b3aebf5b994c0e17770bd83e32f4c

    SHA1

    349e4fbe26d71f364b6c3d6c3a714bdc77f0aba4

    SHA256

    6426f9da0ab4aeafe9d0918a6c8fa857809fe5f3f170e725e2194a3cfb44babf

    SHA512

    c41f152ac339d30ccbb9df9b70f49821ea7fa6271e49e0abd9ddb64049aef98183234b392a74093becb1595515d0336964a27f70d67ea987f6cedb36539018dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitq0924.exe
    Filesize

    392KB

    MD5

    ea3b3aebf5b994c0e17770bd83e32f4c

    SHA1

    349e4fbe26d71f364b6c3d6c3a714bdc77f0aba4

    SHA256

    6426f9da0ab4aeafe9d0918a6c8fa857809fe5f3f170e725e2194a3cfb44babf

    SHA512

    c41f152ac339d30ccbb9df9b70f49821ea7fa6271e49e0abd9ddb64049aef98183234b392a74093becb1595515d0336964a27f70d67ea987f6cedb36539018dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr979904.exe
    Filesize

    11KB

    MD5

    25be4ba623db6b6dad94cbff708cf9ae

    SHA1

    35fd25c031d2d994b589cfcd367a5e30b711885e

    SHA256

    0ffb779f8ce23c54c39a2b3a1c815870b22740fe5c05d9a3dc291ac8861d03a6

    SHA512

    25fdc3e93ca60247f000ae7090832a641401d44eab60c3822c9c2ca6d7de1e687c3ee62eebffa6d8fc9b433f598bc003c24dc9d1bfae2eeed3aa06f97d099067

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr979904.exe
    Filesize

    11KB

    MD5

    25be4ba623db6b6dad94cbff708cf9ae

    SHA1

    35fd25c031d2d994b589cfcd367a5e30b711885e

    SHA256

    0ffb779f8ce23c54c39a2b3a1c815870b22740fe5c05d9a3dc291ac8861d03a6

    SHA512

    25fdc3e93ca60247f000ae7090832a641401d44eab60c3822c9c2ca6d7de1e687c3ee62eebffa6d8fc9b433f598bc003c24dc9d1bfae2eeed3aa06f97d099067

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku792883.exe
    Filesize

    319KB

    MD5

    ff106628fd21bc789400c25fcb3a2390

    SHA1

    73445d89c78e9a2a4fe47ff6c1b41a52e5236f6d

    SHA256

    ab1a174f6b5b9648d6f64b69323461962642f6df7381f90ff258966c345705ab

    SHA512

    172cd40f418b4478298ed90a9df5e68f42dd169bb4e73e0bcb0ae3e16c0ef9ae65aeab5a76fe1a3c51a81fed93b4468e5aff5838c6d2a29191aa1f50eae6661b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku792883.exe
    Filesize

    319KB

    MD5

    ff106628fd21bc789400c25fcb3a2390

    SHA1

    73445d89c78e9a2a4fe47ff6c1b41a52e5236f6d

    SHA256

    ab1a174f6b5b9648d6f64b69323461962642f6df7381f90ff258966c345705ab

    SHA512

    172cd40f418b4478298ed90a9df5e68f42dd169bb4e73e0bcb0ae3e16c0ef9ae65aeab5a76fe1a3c51a81fed93b4468e5aff5838c6d2a29191aa1f50eae6661b

    Download Submit

  • memory/1204-1076-0x0000000000D40000-0x0000000000D72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1204-1077-0x0000000005780000-0x00000000057CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1204-1078-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-181-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-195-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-144-0x00000000025F0000-0x0000000002634000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3656-145-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-146-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-148-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-150-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-152-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-155-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-158-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-156-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-154-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-159-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-161-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-163-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-165-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-167-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-169-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-171-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-173-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-175-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-177-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-179-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-142-0x0000000002570000-0x00000000025B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3656-183-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-185-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-187-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-189-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-191-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-143-0x0000000004BD0000-0x00000000050CE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3656-193-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-197-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-199-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-201-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-203-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-205-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-207-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-209-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-211-0x00000000025F0000-0x000000000262F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3656-1054-0x00000000056E0000-0x0000000005CE6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3656-1055-0x00000000050D0000-0x00000000051DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3656-1056-0x0000000004B70000-0x0000000004B82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3656-1057-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3656-1058-0x0000000005320000-0x000000000536B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3656-1059-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1061-0x0000000005490000-0x0000000005522000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3656-1062-0x0000000005530000-0x0000000005596000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3656-1063-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1064-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1065-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-1066-0x0000000006330000-0x00000000063A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3656-141-0x0000000000630000-0x000000000067B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3656-1067-0x00000000063B0000-0x0000000006400000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3656-1068-0x0000000006580000-0x0000000006742000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3656-1069-0x0000000006750000-0x0000000006C7C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3656-1070-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-135-0x0000000000720000-0x000000000072A000-memory.dmp

    Filesize

    40KB

    Download