Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    72s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe

  • Size

    534KB

  • MD5

    a97c2e22294a3d15c0473567be596cfe

  • SHA1

    6329501f0e32f9419ef8fd2bc0502ce2be636fbf

  • SHA256

    e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12

  • SHA512

    e9c58aa6ab1276dd1021f388d475bdf6d347dfd353c39410b832f5ce5b7108fb3c0d8fea8d90026150816ab19753008cb605e3cb431ae5d7630560a3c8d7c402

  • SSDEEP

    12288:9MrQy905UCuWp3N+ysyXRKWTT/O61FY0jCvmSUH1:pyoOWp3r/BH1DCvmSUV

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe
    "C:\Users\Admin\AppData\Local\Temp\e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHT4786.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHT4786.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr309558.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr309558.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801077.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801077.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr795655.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr795655.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr795655.exe
    Filesize

    175KB

    MD5

    3744f630c55fdec7a90b35397597eabb

    SHA1

    6edd3b6a0fbade60492aa57d3c624dea6f92465c

    SHA256

    bdda940775912b85ee2905982a3d2f31ce993542690ddabf9efa72784ce0fd71

    SHA512

    37937b01350f8d9e97a80ecb1396f63c54e50385cee41d699c7a75e3103512762e5458007de01b177a2ec062c48530e59c6a226f859d6233186b908c6c71524e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr795655.exe
    Filesize

    175KB

    MD5

    3744f630c55fdec7a90b35397597eabb

    SHA1

    6edd3b6a0fbade60492aa57d3c624dea6f92465c

    SHA256

    bdda940775912b85ee2905982a3d2f31ce993542690ddabf9efa72784ce0fd71

    SHA512

    37937b01350f8d9e97a80ecb1396f63c54e50385cee41d699c7a75e3103512762e5458007de01b177a2ec062c48530e59c6a226f859d6233186b908c6c71524e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHT4786.exe
    Filesize

    392KB

    MD5

    8f53cbb6e5c4bcb61b8572aee47ab431

    SHA1

    a2158e7c99939ae21a6127467e1484d814b37ca9

    SHA256

    1c083bb6e0de60d79e954e4deaa280b4852359e2cd5ca570c029666efa7affb8

    SHA512

    1df1fcbe19d9985b9fff20f934ec541afca2f54c51b7ca02a37aa901001de98514346220d6630a6156121a0e0df9ce98d048a43995df5e9b05270e207a900bab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHT4786.exe
    Filesize

    392KB

    MD5

    8f53cbb6e5c4bcb61b8572aee47ab431

    SHA1

    a2158e7c99939ae21a6127467e1484d814b37ca9

    SHA256

    1c083bb6e0de60d79e954e4deaa280b4852359e2cd5ca570c029666efa7affb8

    SHA512

    1df1fcbe19d9985b9fff20f934ec541afca2f54c51b7ca02a37aa901001de98514346220d6630a6156121a0e0df9ce98d048a43995df5e9b05270e207a900bab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr309558.exe
    Filesize

    11KB

    MD5

    b975d3458649d99f72a20025f14c1a0b

    SHA1

    8f8f73e48c8551367ea9f963d46c95478ec344fa

    SHA256

    405ee0e68d1e7888c944ea842e2b6bfda9a6f1ce20e6936969bdc5c28e152c50

    SHA512

    45fa5bc5d9eb93744e47f65cacb93042b16448a56ac5930a1b69bdf05297bc9e2e4c82c172f14a832c3d69e144b9304de05c517d87edcd3555c31a9501ccb7d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr309558.exe
    Filesize

    11KB

    MD5

    b975d3458649d99f72a20025f14c1a0b

    SHA1

    8f8f73e48c8551367ea9f963d46c95478ec344fa

    SHA256

    405ee0e68d1e7888c944ea842e2b6bfda9a6f1ce20e6936969bdc5c28e152c50

    SHA512

    45fa5bc5d9eb93744e47f65cacb93042b16448a56ac5930a1b69bdf05297bc9e2e4c82c172f14a832c3d69e144b9304de05c517d87edcd3555c31a9501ccb7d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801077.exe
    Filesize

    318KB

    MD5

    d3bb52773905415cdcfea5735a217f71

    SHA1

    6ae3fa696b6eac5683c0ba3560b1ebd47114b272

    SHA256

    cdf6ca0d71a47239062bcdaeb15eb652986930012025167ffe625b9bc6305321

    SHA512

    ee160bf809adfd077b087356a9ffb7b902dd270d73902f128b1522d8904bc5a7152dd440bb3d2a5f02b915445a2c3d98b47231f67cdc52cc8623299981ca5e28

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801077.exe
    Filesize

    318KB

    MD5

    d3bb52773905415cdcfea5735a217f71

    SHA1

    6ae3fa696b6eac5683c0ba3560b1ebd47114b272

    SHA256

    cdf6ca0d71a47239062bcdaeb15eb652986930012025167ffe625b9bc6305321

    SHA512

    ee160bf809adfd077b087356a9ffb7b902dd270d73902f128b1522d8904bc5a7152dd440bb3d2a5f02b915445a2c3d98b47231f67cdc52cc8623299981ca5e28

    Download Submit
  • memory/4120-131-0x0000000000A40000-0x0000000000A4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4236-137-0x00000000049E0000-0x0000000004A26000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4236-138-0x0000000004A40000-0x0000000004F3E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4236-140-0x0000000004F80000-0x0000000004FC4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4236-142-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-141-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-139-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4236-143-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-144-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-145-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-147-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-149-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-151-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-153-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-155-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-157-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-159-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-161-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-163-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-165-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-167-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-169-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-171-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-173-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-175-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-177-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-179-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-181-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-183-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-185-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-189-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-191-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-187-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-193-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-195-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-197-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-199-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-201-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-203-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-205-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-207-0x0000000004F80000-0x0000000004FBF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4236-1050-0x0000000004FD0000-0x00000000055D6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4236-1051-0x0000000005660000-0x000000000576A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4236-1052-0x00000000057A0000-0x00000000057B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4236-1053-0x00000000057C0000-0x00000000057FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4236-1054-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-1055-0x0000000005910000-0x000000000595B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4236-1057-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-1058-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-1059-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-1060-0x0000000005AA0000-0x0000000005B06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4236-1061-0x0000000006160000-0x00000000061F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4236-1062-0x0000000006200000-0x0000000006276000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4236-1063-0x00000000062A0000-0x00000000062F0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4236-1064-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4236-1065-0x00000000076D0000-0x0000000007892000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4236-1066-0x00000000078A0000-0x0000000007DCC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4364-1072-0x0000000000820000-0x0000000000852000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4364-1073-0x0000000005260000-0x00000000052AB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4364-1074-0x0000000005130000-0x0000000005140000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4364-1075-0x0000000005130000-0x0000000005140000-memory.dmp
    Filesize

    64KB

    Download