Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    62s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb6d199b34164a8efcfb37424b39a693bda05e4747fff696a8e08b3cbfa9bb68.exe

  • Size

    534KB

  • MD5

    00b0a0177174ef781a792c65fc0bf0a2

  • SHA1

    d457f8d85f8bb4650d07a6f70c30a085ef0c8007

  • SHA256

    cb6d199b34164a8efcfb37424b39a693bda05e4747fff696a8e08b3cbfa9bb68

  • SHA512

    54a7cb1b3a1dedaeea9885e56fddb4045e145c184886ab6063894c2e5c44d469e3b10600756748c1bc63373c6d71d4c63916e0c849e1c7fe0e1689fe6d58a9f4

  • SSDEEP

    12288:yMr2y902ViTRsVidBxJy0wqyqhwOb+rwQqYs8t:gyYRsaIrqxbml

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6d199b34164a8efcfb37424b39a693bda05e4747fff696a8e08b3cbfa9bb68.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6d199b34164a8efcfb37424b39a693bda05e4747fff696a8e08b3cbfa9bb68.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNd1636.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNd1636.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757391.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757391.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku912111.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku912111.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr147255.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr147255.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr147255.exe
    Filesize

    175KB

    MD5

    53aebe08d58e4eb900b933f675c4a131

    SHA1

    8000f11fec0245b0f1d38277a094150a709a6a1d

    SHA256

    94da874e2c88a98984ecb98dc587d220fbde10c58508ec1521e955401ffe0962

    SHA512

    5dee7e53bc854bea91f594f61c5f88c4bc2401a1b5d29332849126df1c645ebf34dc0bfd9ac8174bd3e600d886a10695bf2cc0512782e7cb865e7349c4b639a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr147255.exe
    Filesize

    175KB

    MD5

    53aebe08d58e4eb900b933f675c4a131

    SHA1

    8000f11fec0245b0f1d38277a094150a709a6a1d

    SHA256

    94da874e2c88a98984ecb98dc587d220fbde10c58508ec1521e955401ffe0962

    SHA512

    5dee7e53bc854bea91f594f61c5f88c4bc2401a1b5d29332849126df1c645ebf34dc0bfd9ac8174bd3e600d886a10695bf2cc0512782e7cb865e7349c4b639a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNd1636.exe
    Filesize

    392KB

    MD5

    24b4ca6e2878e63ee09ad9e221a9c630

    SHA1

    48d7c34c1bacf57fd4ec7385641def33d9232aa7

    SHA256

    d8bc1054a8398bf7ccace9480019758bad2a192aa6456dfb7888f8f811041df5

    SHA512

    7890b17faff1114db4ff65cb18e9700921395ff6982456d34648d8d14aa77c5165c8aa6ff8a8f41301a87c56468d292880c3fba53058f5beba80ecaca5ad2114

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNd1636.exe
    Filesize

    392KB

    MD5

    24b4ca6e2878e63ee09ad9e221a9c630

    SHA1

    48d7c34c1bacf57fd4ec7385641def33d9232aa7

    SHA256

    d8bc1054a8398bf7ccace9480019758bad2a192aa6456dfb7888f8f811041df5

    SHA512

    7890b17faff1114db4ff65cb18e9700921395ff6982456d34648d8d14aa77c5165c8aa6ff8a8f41301a87c56468d292880c3fba53058f5beba80ecaca5ad2114

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757391.exe
    Filesize

    11KB

    MD5

    ce1a8827157827a38f2cfb08005a3811

    SHA1

    ce77746125339fe184a5afd87967f17e6cf07ea6

    SHA256

    a3517ad5fee3636199c974006db5ba665da7fa2b9f1e2c9576d277bf24a4643c

    SHA512

    df728fd7491e5f04cf7f17f60b9be37cdf5f90bd8eb1b0350e27d0327706796eddfc866fa229223b6da45ec543a8079e67a0564996e431e463b03df7e4a2c286

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757391.exe
    Filesize

    11KB

    MD5

    ce1a8827157827a38f2cfb08005a3811

    SHA1

    ce77746125339fe184a5afd87967f17e6cf07ea6

    SHA256

    a3517ad5fee3636199c974006db5ba665da7fa2b9f1e2c9576d277bf24a4643c

    SHA512

    df728fd7491e5f04cf7f17f60b9be37cdf5f90bd8eb1b0350e27d0327706796eddfc866fa229223b6da45ec543a8079e67a0564996e431e463b03df7e4a2c286

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku912111.exe
    Filesize

    318KB

    MD5

    fe7536da55e470eb2dbe415fb63a3b52

    SHA1

    4a173cadf3f1e494a399997bf7044fdd22db1276

    SHA256

    b3c5c157fce635b98faa5cddf3fa792773580387b9088cd0d086d0ecb0c441a1

    SHA512

    20b2c445e04721ef4c5253176810e60c6206d1485139ded2432ed4fa50f83e2879b7b9f21d153829da1008b272d103f1ac25c8f5a98b479e6455fb87ea1309a8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku912111.exe
    Filesize

    318KB

    MD5

    fe7536da55e470eb2dbe415fb63a3b52

    SHA1

    4a173cadf3f1e494a399997bf7044fdd22db1276

    SHA256

    b3c5c157fce635b98faa5cddf3fa792773580387b9088cd0d086d0ecb0c441a1

    SHA512

    20b2c445e04721ef4c5253176810e60c6206d1485139ded2432ed4fa50f83e2879b7b9f21d153829da1008b272d103f1ac25c8f5a98b479e6455fb87ea1309a8

    Download Submit
  • memory/1804-1073-0x0000000000F20000-0x0000000000F52000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1804-1074-0x0000000005840000-0x000000000588B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1804-1075-0x0000000005B20000-0x0000000005B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3624-133-0x0000000000470000-0x000000000047A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5096-177-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-187-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-142-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/5096-143-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5096-144-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5096-145-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5096-146-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-147-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-149-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-151-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-153-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-155-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-157-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-159-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-161-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-163-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-165-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-167-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-169-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-171-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-140-0x0000000004B20000-0x000000000501E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/5096-179-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-175-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-173-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-181-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-183-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-185-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-141-0x0000000004A20000-0x0000000004A64000-memory.dmp
    Filesize

    272KB

    Download
  • memory/5096-189-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-191-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/5096-1052-0x0000000005730000-0x0000000005D36000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5096-1053-0x0000000005190000-0x000000000529A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/5096-1054-0x00000000052D0000-0x00000000052E2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/5096-1055-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5096-1056-0x00000000052F0000-0x000000000532E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/5096-1057-0x0000000005440000-0x000000000548B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/5096-1059-0x00000000055D0000-0x0000000005636000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5096-1060-0x00000000062A0000-0x0000000006332000-memory.dmp
    Filesize

    584KB

    Download
  • memory/5096-1061-0x00000000064D0000-0x0000000006692000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/5096-1062-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5096-1063-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5096-139-0x0000000004990000-0x00000000049D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/5096-1064-0x00000000066A0000-0x0000000006BCC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/5096-1065-0x0000000006E10000-0x0000000006E86000-memory.dmp
    Filesize

    472KB

    Download
  • memory/5096-1066-0x0000000006E90000-0x0000000006EE0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/5096-1067-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download