Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    54s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfa6a358bc1d5f97f6fe5a93f96153f9bc831f5959d7fc5ebbfcb3aa1c5cf2c8.exe

  • Size

    534KB

  • MD5

    39344fa7272b175fcfddf62463027dfc

  • SHA1

    f0bda7dec2dec1655f221ed8b166e71656b324dd

  • SHA256

    bfa6a358bc1d5f97f6fe5a93f96153f9bc831f5959d7fc5ebbfcb3aa1c5cf2c8

  • SHA512

    874f1234e5425c5e2ae6e222eeaa271e93dd1a3929951c45aabe531183b5cb1869bcf6c712cd07222717e127bf9c4d98a422f6167b02f33aa49cd6790e16adc8

  • SSDEEP

    12288:aMrSy90vK/kV3bRazEwDVF3tlmObgr27Vs0e:8yJcVchF3tvbZ5E

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfa6a358bc1d5f97f6fe5a93f96153f9bc831f5959d7fc5ebbfcb3aa1c5cf2c8.exe
    "C:\Users\Admin\AppData\Local\Temp\bfa6a358bc1d5f97f6fe5a93f96153f9bc831f5959d7fc5ebbfcb3aa1c5cf2c8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd0991.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd0991.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963673.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963673.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku767220.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku767220.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3720
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr040080.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr040080.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr040080.exe
    Filesize

    175KB

    MD5

    7eba4abf86effd26604557d1b8d45747

    SHA1

    fcb791a5af35044361c981e0ca481e31b677b144

    SHA256

    a714737f8b4e30b2cb17813d5eda1ca44bd79cfd595f575a2f1153a61617e091

    SHA512

    eb5ee9b78338b3b9437c45bf43247e8086ba1be4181995a71f0bef92501937b21fd0d9ce681d351a54508f443268648cd0688b4dd6e0a6cee6d08464d37f92c5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr040080.exe
    Filesize

    175KB

    MD5

    7eba4abf86effd26604557d1b8d45747

    SHA1

    fcb791a5af35044361c981e0ca481e31b677b144

    SHA256

    a714737f8b4e30b2cb17813d5eda1ca44bd79cfd595f575a2f1153a61617e091

    SHA512

    eb5ee9b78338b3b9437c45bf43247e8086ba1be4181995a71f0bef92501937b21fd0d9ce681d351a54508f443268648cd0688b4dd6e0a6cee6d08464d37f92c5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd0991.exe
    Filesize

    392KB

    MD5

    90f954796b5fd633dddd311f150c385b

    SHA1

    0dc8a32bb4d264c39f2d02283f9fc0981b3a28e1

    SHA256

    3f66cfd1693f6c639f1ed7cfe1732b1413590c7d68de71b7656da772bac5fabc

    SHA512

    fbc561237bad4c0d007c38aa192639fadf4a054df077f03b99cfbc832f00b90bb3b103d8c060f1fd2bd1a765aae74a63559eefd34adbcb0c2f936b1d3139660f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZd0991.exe
    Filesize

    392KB

    MD5

    90f954796b5fd633dddd311f150c385b

    SHA1

    0dc8a32bb4d264c39f2d02283f9fc0981b3a28e1

    SHA256

    3f66cfd1693f6c639f1ed7cfe1732b1413590c7d68de71b7656da772bac5fabc

    SHA512

    fbc561237bad4c0d007c38aa192639fadf4a054df077f03b99cfbc832f00b90bb3b103d8c060f1fd2bd1a765aae74a63559eefd34adbcb0c2f936b1d3139660f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963673.exe
    Filesize

    11KB

    MD5

    9c7875bba80ab76652eaaf0707f6ce80

    SHA1

    897298ea589484384bc2f10297952a680ef661b8

    SHA256

    89c7e538387a4e94bdba09b321936c7325f5248d3dafe43fcb3568659345520f

    SHA512

    ddb96a7eb9683aea7a1044c5be2b0374327c7b6740955d64f84a9dac9d410e3883b24b4b8d9ac981f9d6692aac7afc6d7fa8aeaffdb57d382d38827d19c17b8d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963673.exe
    Filesize

    11KB

    MD5

    9c7875bba80ab76652eaaf0707f6ce80

    SHA1

    897298ea589484384bc2f10297952a680ef661b8

    SHA256

    89c7e538387a4e94bdba09b321936c7325f5248d3dafe43fcb3568659345520f

    SHA512

    ddb96a7eb9683aea7a1044c5be2b0374327c7b6740955d64f84a9dac9d410e3883b24b4b8d9ac981f9d6692aac7afc6d7fa8aeaffdb57d382d38827d19c17b8d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku767220.exe
    Filesize

    318KB

    MD5

    5752276807fe923b99d26f996ac2b46c

    SHA1

    f9d946d230c0ec5d218b3e528b9ac1c36e9e8ad1

    SHA256

    83ed7b61aab555aaa234e06f4c9ffb8828930f3f24cf4935b5a2a86c160af8ad

    SHA512

    04d5222a553c49cb29c20bedfaddad11ae231e302ee9a347b95390292049ddac3d2b93244fcd4823386c81fb408e24cfbc3f6995da3a54855ac12c29564bbf5f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku767220.exe
    Filesize

    318KB

    MD5

    5752276807fe923b99d26f996ac2b46c

    SHA1

    f9d946d230c0ec5d218b3e528b9ac1c36e9e8ad1

    SHA256

    83ed7b61aab555aaa234e06f4c9ffb8828930f3f24cf4935b5a2a86c160af8ad

    SHA512

    04d5222a553c49cb29c20bedfaddad11ae231e302ee9a347b95390292049ddac3d2b93244fcd4823386c81fb408e24cfbc3f6995da3a54855ac12c29564bbf5f

    Download Submit
  • memory/3656-135-0x00000000005F0000-0x00000000005FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3720-141-0x00000000005A0000-0x00000000005EB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3720-142-0x0000000002190000-0x00000000021D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3720-143-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3720-144-0x0000000004BD0000-0x00000000050CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3720-145-0x0000000004A20000-0x0000000004A64000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3720-146-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-147-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-149-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-151-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-153-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-157-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-155-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-159-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-161-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-165-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-163-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-167-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-175-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-173-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-179-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-183-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-181-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-177-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-171-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-169-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-191-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-189-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-187-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-185-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3720-1052-0x00000000056E0000-0x0000000005CE6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3720-1053-0x00000000050D0000-0x00000000051DA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3720-1054-0x0000000004B70000-0x0000000004B82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3720-1055-0x00000000051E0000-0x000000000521E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3720-1056-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3720-1057-0x0000000005320000-0x000000000536B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3720-1059-0x0000000005490000-0x0000000005522000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3720-1060-0x0000000005530000-0x0000000005596000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3720-1061-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3720-1063-0x0000000006480000-0x0000000006642000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3720-1064-0x0000000006660000-0x0000000006B8C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3720-1065-0x0000000006CC0000-0x0000000006D36000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3720-1066-0x0000000006D50000-0x0000000006DA0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4080-1072-0x0000000000770000-0x00000000007A2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4080-1073-0x00000000051C0000-0x000000000520B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4080-1074-0x0000000004FF0000-0x0000000005000000-memory.dmp
    Filesize

    64KB

    Download