Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 20:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b26bf9ed08b8d2770543a3567b950cbaf3a134a15820b1b7c2bbfae70657bc71.exe

  • Size

    533KB

  • MD5

    25338b85b90cf9a9337b4d030c5f0985

  • SHA1

    c19111598b5335b7319c5cccd0c48a6e8077296e

  • SHA256

    b26bf9ed08b8d2770543a3567b950cbaf3a134a15820b1b7c2bbfae70657bc71

  • SHA512

    7ce647c1d28fa695da05fa87892493239a37b2098e979a79a37dd254b74a7ddc7b1ca23768b75a8b23bc3215341507eefc534450c0db2adbb90f7a52552b9cd4

  • SSDEEP

    12288:uMrWy904GZjK5xORYC6t7XhQvGOb4rb6OIFWYEjrnGwz:8yse5wAAbW6JWYmGA

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b26bf9ed08b8d2770543a3567b950cbaf3a134a15820b1b7c2bbfae70657bc71.exe
    "C:\Users\Admin\AppData\Local\Temp\b26bf9ed08b8d2770543a3567b950cbaf3a134a15820b1b7c2bbfae70657bc71.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQD6332.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQD6332.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791247.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791247.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4132
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku627902.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku627902.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr676411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr676411.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr676411.exe
    Filesize

    175KB

    MD5

    a94d5e0cfbdbcf3e6587eecdfea2299a

    SHA1

    7e926654cfc1abb84f742dc6013c794add003ad7

    SHA256

    8111bda5b45a77f0a1eb36ad9913a8427948d66c0fb956c91d8de800c1dd29ac

    SHA512

    e24163fb7ae71d94ae0c59e6a332b496ef07edc0a11c295ef87c7433027d49c1e925d7915aefedd12e0889a22a516352bdf9707683dbaa0e27f3b75971b7cbf0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr676411.exe
    Filesize

    175KB

    MD5

    a94d5e0cfbdbcf3e6587eecdfea2299a

    SHA1

    7e926654cfc1abb84f742dc6013c794add003ad7

    SHA256

    8111bda5b45a77f0a1eb36ad9913a8427948d66c0fb956c91d8de800c1dd29ac

    SHA512

    e24163fb7ae71d94ae0c59e6a332b496ef07edc0a11c295ef87c7433027d49c1e925d7915aefedd12e0889a22a516352bdf9707683dbaa0e27f3b75971b7cbf0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQD6332.exe
    Filesize

    392KB

    MD5

    cc77e46a967773533020f2e6b6aaf58c

    SHA1

    45e1a9f30d247c9b79d2bd6456d9027e16442921

    SHA256

    2eaef54c68829edc279a4b8dfd0c097c1b365636cdb00114f1d53b315b26bdae

    SHA512

    4189efb7e0381fa4a56dff430842d174a0f00aac98603734ed857cfb9ca3039f1e3d92b7b4ea264f4fd809f7e770180b73475cadcedd4b83fdf8ae503a8ac5ca

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQD6332.exe
    Filesize

    392KB

    MD5

    cc77e46a967773533020f2e6b6aaf58c

    SHA1

    45e1a9f30d247c9b79d2bd6456d9027e16442921

    SHA256

    2eaef54c68829edc279a4b8dfd0c097c1b365636cdb00114f1d53b315b26bdae

    SHA512

    4189efb7e0381fa4a56dff430842d174a0f00aac98603734ed857cfb9ca3039f1e3d92b7b4ea264f4fd809f7e770180b73475cadcedd4b83fdf8ae503a8ac5ca

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791247.exe
    Filesize

    11KB

    MD5

    147be3e9f28ff2b981c0d39c95eb977a

    SHA1

    b366eaad27f284b441b4c3ae3becf4ebda101f1c

    SHA256

    e305c1b1ec49c7f8715709df7e109643050eb2f4bd5e9fa6876ac93916158d4b

    SHA512

    538b8a5129ad23a342294bf071db3e29e46e6a81449318bcd07ef06d915d5d5d22bea61ed93414cd058457de0ee75bcab8953f44acf594e2f1b899b2cc810be9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791247.exe
    Filesize

    11KB

    MD5

    147be3e9f28ff2b981c0d39c95eb977a

    SHA1

    b366eaad27f284b441b4c3ae3becf4ebda101f1c

    SHA256

    e305c1b1ec49c7f8715709df7e109643050eb2f4bd5e9fa6876ac93916158d4b

    SHA512

    538b8a5129ad23a342294bf071db3e29e46e6a81449318bcd07ef06d915d5d5d22bea61ed93414cd058457de0ee75bcab8953f44acf594e2f1b899b2cc810be9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku627902.exe
    Filesize

    318KB

    MD5

    98942922be725f945e7a7c6d5aa69e00

    SHA1

    a3514dd748552d4b9411bd2f6d728e7d0aff6c62

    SHA256

    5f2e42d3a6c9b9237852bc95c14a127bbd465364015d44eff307e82dab0278d8

    SHA512

    a2d0ab1d29242285eb21fb253b6a9fd6e48b2049b42fe79ccd9e2385201f7c38bf0e3923f08aceb9de50b75119633d0cce188b1e46b838481c4419e4b8e918cb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku627902.exe
    Filesize

    318KB

    MD5

    98942922be725f945e7a7c6d5aa69e00

    SHA1

    a3514dd748552d4b9411bd2f6d728e7d0aff6c62

    SHA256

    5f2e42d3a6c9b9237852bc95c14a127bbd465364015d44eff307e82dab0278d8

    SHA512

    a2d0ab1d29242285eb21fb253b6a9fd6e48b2049b42fe79ccd9e2385201f7c38bf0e3923f08aceb9de50b75119633d0cce188b1e46b838481c4419e4b8e918cb

    Download Submit
  • memory/2264-137-0x00000000021D0000-0x0000000002216000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2264-138-0x0000000004C70000-0x000000000516E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2264-140-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2264-139-0x0000000002270000-0x00000000022B4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2264-141-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-142-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-143-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-144-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-145-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-149-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-147-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-151-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-153-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-155-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-157-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-159-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-161-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-163-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-165-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-167-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-169-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-171-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-173-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-175-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-177-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-179-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-181-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-183-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-185-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-187-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-189-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-191-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-193-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-195-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-197-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-199-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-201-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-203-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-205-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-207-0x0000000002270000-0x00000000022AF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2264-1050-0x0000000005170000-0x0000000005776000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2264-1051-0x00000000057A0000-0x00000000058AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2264-1052-0x00000000058E0000-0x00000000058F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2264-1053-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-1054-0x0000000005900000-0x000000000593E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2264-1055-0x0000000005A50000-0x0000000005A9B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2264-1057-0x0000000005BE0000-0x0000000005C46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2264-1058-0x00000000062A0000-0x0000000006332000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2264-1059-0x00000000063A0000-0x0000000006562000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2264-1060-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-1062-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-1061-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-1063-0x0000000006570000-0x0000000006A9C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2264-1064-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2264-1065-0x0000000006CC0000-0x0000000006D36000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2264-1066-0x0000000006D50000-0x0000000006DA0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3040-1072-0x0000000000090000-0x00000000000C2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3040-1073-0x0000000004AD0000-0x0000000004B1B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3040-1074-0x0000000004920000-0x0000000004930000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3040-1075-0x0000000004920000-0x0000000004930000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4132-131-0x0000000000CF0000-0x0000000000CFA000-memory.dmp
    Filesize

    40KB

    Download