Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2bbb44ce9906d51691f60a9830ff0aac0d8af6d0246ace2d9f3c24de7e84951.exe

  • Size

    533KB

  • MD5

    4a8f2882afcef505b010e73c060e57a0

  • SHA1

    4b4682e3e6b22295e4ce905fc2587a429afa8627

  • SHA256

    e2bbb44ce9906d51691f60a9830ff0aac0d8af6d0246ace2d9f3c24de7e84951

  • SHA512

    b6a4f17fee0d7078fe86e4445eaa91c7d1ffbbdab9c95312aa3ac982a765e53c5c79251d8b506e21b54f500e43f9b6b0d4ed93b7e70f3242f6e4a92318a74355

  • SSDEEP

    12288:GMroy90kX7H254ij4BUe3Lq/LW6NuYVygi6DHoZ:6yZXy4ijOUe3G/L+YVVi6+

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2bbb44ce9906d51691f60a9830ff0aac0d8af6d0246ace2d9f3c24de7e84951.exe
    "C:\Users\Admin\AppData\Local\Temp\e2bbb44ce9906d51691f60a9830ff0aac0d8af6d0246ace2d9f3c24de7e84951.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipC1483.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipC1483.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr850778.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr850778.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku117815.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku117815.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr245357.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr245357.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr245357.exe
    Filesize

    175KB

    MD5

    412ff5d140a16e7148c1e2e5c4cff0cd

    SHA1

    fa29bb3954d50cf651f5361de9eec61a2579881e

    SHA256

    37a342b3cc25380bb57fc08b7cbb6433aeef83863922e0ce94d8371de647ccb9

    SHA512

    6273d81e04f0686cdd75a36ea969d04d24cfe4448b4f44f0fe4eb1d5d27df331411e47c36b586e4b2f49b52400dde96127f754d43e0db6a40ede21b4236a5421

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr245357.exe
    Filesize

    175KB

    MD5

    412ff5d140a16e7148c1e2e5c4cff0cd

    SHA1

    fa29bb3954d50cf651f5361de9eec61a2579881e

    SHA256

    37a342b3cc25380bb57fc08b7cbb6433aeef83863922e0ce94d8371de647ccb9

    SHA512

    6273d81e04f0686cdd75a36ea969d04d24cfe4448b4f44f0fe4eb1d5d27df331411e47c36b586e4b2f49b52400dde96127f754d43e0db6a40ede21b4236a5421

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipC1483.exe
    Filesize

    391KB

    MD5

    aeab912e6c53782b05ecaa259b25f868

    SHA1

    3ba1ec0ae90da713bbc76c7d40ea2706ce6a50ca

    SHA256

    3b725a61de34766f96ff6885bcec647081f877b34f4a025efdacf3ab023230f7

    SHA512

    ea2e14db739d7bc4fc9140d8613501e364c2d5d6974930471239f6b8e28245c87cdca333099ea9b3672024f75c07cffb4ca6096eb3657c9c3984c273ca640b50

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipC1483.exe
    Filesize

    391KB

    MD5

    aeab912e6c53782b05ecaa259b25f868

    SHA1

    3ba1ec0ae90da713bbc76c7d40ea2706ce6a50ca

    SHA256

    3b725a61de34766f96ff6885bcec647081f877b34f4a025efdacf3ab023230f7

    SHA512

    ea2e14db739d7bc4fc9140d8613501e364c2d5d6974930471239f6b8e28245c87cdca333099ea9b3672024f75c07cffb4ca6096eb3657c9c3984c273ca640b50

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr850778.exe
    Filesize

    11KB

    MD5

    da24b2706a7e8dd8ffbacde3b39d72f9

    SHA1

    1476442694f0798b17310bad3bff3416ae133436

    SHA256

    887265dbcad5bcf84e4a8558ea5fe34ddffa581fd6a6e55544785aa1df22698a

    SHA512

    5c7d1071b4a9666350b8cefc8edde1e819a8b1fc98bc059eb940070f89eedb648aee7db12b2ad9213485880dcd74dadadabd25a05f9c6a61f05aba0c1ab0a3f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr850778.exe
    Filesize

    11KB

    MD5

    da24b2706a7e8dd8ffbacde3b39d72f9

    SHA1

    1476442694f0798b17310bad3bff3416ae133436

    SHA256

    887265dbcad5bcf84e4a8558ea5fe34ddffa581fd6a6e55544785aa1df22698a

    SHA512

    5c7d1071b4a9666350b8cefc8edde1e819a8b1fc98bc059eb940070f89eedb648aee7db12b2ad9213485880dcd74dadadabd25a05f9c6a61f05aba0c1ab0a3f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku117815.exe
    Filesize

    359KB

    MD5

    1f19cf76122d87984e96ab9cb7795e0e

    SHA1

    fada4ccd1fad10b46a4606a649b85819bee6e7bc

    SHA256

    cc52fbd695d6aaef591e368dc418d138a7821617506f8cfe6810b1e4d4a755a2

    SHA512

    dbae5f1e707e6fff0b3ac82c581009a3504fffddaa36aa26dac8c50f048cc58e225d606753817a740f3a523e683fbbe725edea12d032fca71cce297042674051

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku117815.exe
    Filesize

    359KB

    MD5

    1f19cf76122d87984e96ab9cb7795e0e

    SHA1

    fada4ccd1fad10b46a4606a649b85819bee6e7bc

    SHA256

    cc52fbd695d6aaef591e368dc418d138a7821617506f8cfe6810b1e4d4a755a2

    SHA512

    dbae5f1e707e6fff0b3ac82c581009a3504fffddaa36aa26dac8c50f048cc58e225d606753817a740f3a523e683fbbe725edea12d032fca71cce297042674051

    Download Submit
  • memory/4248-134-0x00000000004D0000-0x00000000004DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4496-1075-0x00000000004E0000-0x0000000000512000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4496-1076-0x0000000004F20000-0x0000000004F6B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4496-1077-0x0000000004D70000-0x0000000004D80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-180-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-188-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-143-0x00000000061C0000-0x00000000066BE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4772-144-0x00000000060A0000-0x00000000060E4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4772-145-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-148-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-146-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-150-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-152-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-154-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-156-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-158-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-160-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-162-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-164-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-166-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-168-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-170-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-172-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-174-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-176-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-178-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-141-0x0000000001B00000-0x0000000001B4B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4772-183-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-182-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-186-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-184-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-142-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-190-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-192-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-194-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-196-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-198-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-200-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-202-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-204-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-206-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-208-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-210-0x00000000060A0000-0x00000000060DF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4772-1053-0x0000000006DD0000-0x00000000073D6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4772-1054-0x00000000067D0000-0x00000000068DA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4772-1055-0x0000000006910000-0x0000000006922000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4772-1056-0x0000000006930000-0x000000000696E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4772-1057-0x0000000006A80000-0x0000000006ACB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4772-1058-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-1060-0x0000000006C10000-0x0000000006C76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4772-1061-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-1062-0x00000000078E0000-0x0000000007972000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4772-1063-0x0000000007C10000-0x0000000007DD2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4772-1064-0x0000000007DE0000-0x000000000830C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4772-1065-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-140-0x0000000006020000-0x0000000006066000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4772-1066-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-1067-0x0000000008440000-0x00000000084B6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4772-1068-0x00000000084C0000-0x0000000008510000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4772-1069-0x00000000061B0000-0x00000000061C0000-memory.dmp
    Filesize

    64KB

    Download