Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f130e761bfb0425d2a23dc3fcd3e11b1bbf55ab74c9eb7b2bcbf6042021e8f8b.exe

  • Size

    534KB

  • MD5

    ce818715bbbe5873d0e572a55be9eeb9

  • SHA1

    63c893bec9296189545b69dc379ea63721256acc

  • SHA256

    f130e761bfb0425d2a23dc3fcd3e11b1bbf55ab74c9eb7b2bcbf6042021e8f8b

  • SHA512

    1a9c8aff4d210982c6a10a1191c1da7a061ce9c760085a4c85016b9ffa87eceb12bb554cd351c9f99ecf5dc5f578a44a3536c58e47e504ad11e1d293fefdb319

  • SSDEEP

    12288:HMrxy90zO8HWgOZJQVFH5WjLmWJ/O6DJSnrMaAsTp:qyMWgObQVFZWdIrMaAsF

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f130e761bfb0425d2a23dc3fcd3e11b1bbf55ab74c9eb7b2bcbf6042021e8f8b.exe
    "C:\Users\Admin\AppData\Local\Temp\f130e761bfb0425d2a23dc3fcd3e11b1bbf55ab74c9eb7b2bcbf6042021e8f8b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNe9130.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNe9130.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr159180.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr159180.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku257209.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku257209.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475438.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475438.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475438.exe
    Filesize

    175KB

    MD5

    b3270fd2a5a169f2f063ce8bf1c88392

    SHA1

    36f923efba25d9c56a5991e2e5195027ca919806

    SHA256

    c15b2ee652970cb233a1c54f4e8989433a0f70b44e28433a77c062f1487fa03b

    SHA512

    bcc8b990dd3c897e665d3a234ab48886cee017e8b9c811fe81d787cef7970c6563e3035da0d3a202c096f5e14c74bcaaeb0fa1f9978feac86e3e6cd1dba84e9d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475438.exe
    Filesize

    175KB

    MD5

    b3270fd2a5a169f2f063ce8bf1c88392

    SHA1

    36f923efba25d9c56a5991e2e5195027ca919806

    SHA256

    c15b2ee652970cb233a1c54f4e8989433a0f70b44e28433a77c062f1487fa03b

    SHA512

    bcc8b990dd3c897e665d3a234ab48886cee017e8b9c811fe81d787cef7970c6563e3035da0d3a202c096f5e14c74bcaaeb0fa1f9978feac86e3e6cd1dba84e9d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNe9130.exe
    Filesize

    392KB

    MD5

    919f618f0ce76cef25ff929ba1a64079

    SHA1

    c2f71978abe73964ba649d7afafb0980a8d11e6c

    SHA256

    3a9937532798c2be8a87505fe5eeb48a2f574cfff1f722cdabc04b6653fa0cf4

    SHA512

    a38bf6bbb2c1a710570b7b9ceee5aa084dc47103bf5e2b6b50de3158355c5d7bf9aec5b785b41dd66bf52c1168229bcc39b80dafac4e85cc4a16f98c1f8240f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNe9130.exe
    Filesize

    392KB

    MD5

    919f618f0ce76cef25ff929ba1a64079

    SHA1

    c2f71978abe73964ba649d7afafb0980a8d11e6c

    SHA256

    3a9937532798c2be8a87505fe5eeb48a2f574cfff1f722cdabc04b6653fa0cf4

    SHA512

    a38bf6bbb2c1a710570b7b9ceee5aa084dc47103bf5e2b6b50de3158355c5d7bf9aec5b785b41dd66bf52c1168229bcc39b80dafac4e85cc4a16f98c1f8240f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr159180.exe
    Filesize

    11KB

    MD5

    578db0fa5399c347f0e402797a1ecb6f

    SHA1

    7ba53627d4a29aab2c93c50f96916f300135f1f9

    SHA256

    a3dffdea23bfa317f501f1f6fa1dfb28bac189935cf14ac07e38a7a96d6ca3b4

    SHA512

    ef8f37146e09dd0f12fce2846f3bb8595065b722f0ca0a10cf17bef4c610c5503e6ca205849f10e68c98836d32e19054ff2fec86f171e075a21b3f04db9a99ff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr159180.exe
    Filesize

    11KB

    MD5

    578db0fa5399c347f0e402797a1ecb6f

    SHA1

    7ba53627d4a29aab2c93c50f96916f300135f1f9

    SHA256

    a3dffdea23bfa317f501f1f6fa1dfb28bac189935cf14ac07e38a7a96d6ca3b4

    SHA512

    ef8f37146e09dd0f12fce2846f3bb8595065b722f0ca0a10cf17bef4c610c5503e6ca205849f10e68c98836d32e19054ff2fec86f171e075a21b3f04db9a99ff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku257209.exe
    Filesize

    318KB

    MD5

    c40490633f26a37f7092a046d22a2b93

    SHA1

    40fcc872f08448eec4a6abf9f949865af398c494

    SHA256

    4032438522dbc6a7b4f2862494f9d33b40fcfd8a4d259e0945b826bc3d3948a9

    SHA512

    3a78fb55fb5b0eae12a47eacbb95a68dedb64d2796b7ed349bdd3b7bc5623ce103045b22d7207785f37655c58288a97c115a85cb1c439a437fd8930889e5cda8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku257209.exe
    Filesize

    318KB

    MD5

    c40490633f26a37f7092a046d22a2b93

    SHA1

    40fcc872f08448eec4a6abf9f949865af398c494

    SHA256

    4032438522dbc6a7b4f2862494f9d33b40fcfd8a4d259e0945b826bc3d3948a9

    SHA512

    3a78fb55fb5b0eae12a47eacbb95a68dedb64d2796b7ed349bdd3b7bc5623ce103045b22d7207785f37655c58288a97c115a85cb1c439a437fd8930889e5cda8

    Download Submit
  • memory/1540-136-0x0000000004A10000-0x0000000004A56000-memory.dmp
    Filesize

    280KB

    Download
  • memory/1540-137-0x0000000004A50000-0x0000000004F4E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1540-138-0x0000000000590000-0x00000000005DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1540-140-0x0000000004F90000-0x0000000004FD4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1540-141-0x0000000000700000-0x0000000000710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1540-142-0x0000000000700000-0x0000000000710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1540-139-0x0000000000700000-0x0000000000710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1540-143-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-144-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-146-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-148-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-150-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-152-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-154-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-156-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-158-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-160-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-162-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-164-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-166-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-168-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-170-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-172-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-174-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-176-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-178-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-182-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-180-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-186-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-184-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-188-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-190-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-192-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-194-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-196-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-198-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-200-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-204-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-206-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-202-0x0000000004F90000-0x0000000004FCF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1540-1049-0x0000000005110000-0x0000000005716000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1540-1050-0x00000000057A0000-0x00000000058AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1540-1051-0x00000000058E0000-0x00000000058F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1540-1052-0x0000000005900000-0x000000000593E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1540-1053-0x0000000005A90000-0x0000000005ADB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1540-1054-0x0000000000700000-0x0000000000710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1540-1056-0x0000000005BE0000-0x0000000005C72000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1540-1057-0x0000000005C80000-0x0000000005CE6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1540-1058-0x0000000000700000-0x0000000000710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1540-1059-0x0000000006480000-0x0000000006642000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1540-1060-0x0000000006670000-0x0000000006B9C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1540-1061-0x0000000006E10000-0x0000000006E86000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1540-1062-0x0000000006EA0000-0x0000000006EF0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1540-1063-0x0000000000700000-0x0000000000710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4572-1069-0x00000000001A0000-0x00000000001D2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4572-1070-0x0000000004D90000-0x0000000004DA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4572-1071-0x0000000004BE0000-0x0000000004C2B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4572-1072-0x0000000004D90000-0x0000000004DA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4816-130-0x0000000000E30000-0x0000000000E3A000-memory.dmp
    Filesize

    40KB

    Download