Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e80c565f9fe45a571700bd75a2a89df91b7b6f76f06f93924e0eaa747f340765.exe

  • Size

    533KB

  • MD5

    33f914b2b49999a89cb86105bf41bd04

  • SHA1

    efb24410ff695bfe3eaa5be6115e024365911011

  • SHA256

    e80c565f9fe45a571700bd75a2a89df91b7b6f76f06f93924e0eaa747f340765

  • SHA512

    dee3d5996458a03caf03fae0bf9dad23131d6a133f545223b5bd91e2a52f3614a797cb9d4140162ae0e36a35c3b80031dbe7b6f4d7a2581b907fffe09c6c23d1

  • SSDEEP

    12288:TMrry90vI1c9++W2us7dW83b8mNyMjNTOp3Lq+hFJloy3L6SuO:gyvc8N2ubG8pM5Op3G+hloy3uSuO

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e80c565f9fe45a571700bd75a2a89df91b7b6f76f06f93924e0eaa747f340765.exe
    "C:\Users\Admin\AppData\Local\Temp\e80c565f9fe45a571700bd75a2a89df91b7b6f76f06f93924e0eaa747f340765.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizc1180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizc1180.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr387431.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr387431.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732245.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732245.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1364
          4⤵
          • Program crash
          PID:5044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr397974.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr397974.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1084 -ip 1084
    1⤵
      PID:4680

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr397974.exe
      Filesize

      175KB

      MD5

      e6433dce4b18da2cc90faada22cb1d50

      SHA1

      cca62e812ca5b8e650b3a88a1b3ecc9007400d7c

      SHA256

      24637c4d1bde940d0b28a70d738172bae9e37c51dd8608bc13f9413c12242de3

      SHA512

      13cdd2a00b4e895d99e9f10c8095cab2682096915af528804dc0cccb36c40b5973899bdde6e8a3c22ef2e25d7f4d898fa93a329d1c08c36db2a7f94425505ea1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr397974.exe
      Filesize

      175KB

      MD5

      e6433dce4b18da2cc90faada22cb1d50

      SHA1

      cca62e812ca5b8e650b3a88a1b3ecc9007400d7c

      SHA256

      24637c4d1bde940d0b28a70d738172bae9e37c51dd8608bc13f9413c12242de3

      SHA512

      13cdd2a00b4e895d99e9f10c8095cab2682096915af528804dc0cccb36c40b5973899bdde6e8a3c22ef2e25d7f4d898fa93a329d1c08c36db2a7f94425505ea1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizc1180.exe
      Filesize

      391KB

      MD5

      cd87069ebe6fb83d21bfad710af489cd

      SHA1

      f065e8ac6763331c4032ddf5e9acc4e9224d31d7

      SHA256

      fbfe5d9d63fa7f0098f2bfe8bb7af8fc2f5620d14a9071368a9b5aae6b01c0f2

      SHA512

      26d7c2074049fa9e5b59bf1423892ee320b2af7cb5ace3304abd2122333b2091e5fdbda41eca5abbb0b0a1a29ef794f55ec8ea3c924bf3741eb6f4ca9bc3331a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizc1180.exe
      Filesize

      391KB

      MD5

      cd87069ebe6fb83d21bfad710af489cd

      SHA1

      f065e8ac6763331c4032ddf5e9acc4e9224d31d7

      SHA256

      fbfe5d9d63fa7f0098f2bfe8bb7af8fc2f5620d14a9071368a9b5aae6b01c0f2

      SHA512

      26d7c2074049fa9e5b59bf1423892ee320b2af7cb5ace3304abd2122333b2091e5fdbda41eca5abbb0b0a1a29ef794f55ec8ea3c924bf3741eb6f4ca9bc3331a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr387431.exe
      Filesize

      11KB

      MD5

      a8bf80c4df8bde84af9bf4a52acba510

      SHA1

      6e6597cc70b5c55a01b401a869a6e5f2f0274515

      SHA256

      40b8368bb7faa32c001d2602568520fc8ac8d13e69d264dfa70d51562bcaae5d

      SHA512

      7d5c93fb8648c0bf2fbda1267e81e59c1c66c675e41a224294f348a697e4300efbfc29974fa27e674c2bac2e1d7014b32b5503cf1edd754cb4578cb0d1d3259c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr387431.exe
      Filesize

      11KB

      MD5

      a8bf80c4df8bde84af9bf4a52acba510

      SHA1

      6e6597cc70b5c55a01b401a869a6e5f2f0274515

      SHA256

      40b8368bb7faa32c001d2602568520fc8ac8d13e69d264dfa70d51562bcaae5d

      SHA512

      7d5c93fb8648c0bf2fbda1267e81e59c1c66c675e41a224294f348a697e4300efbfc29974fa27e674c2bac2e1d7014b32b5503cf1edd754cb4578cb0d1d3259c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732245.exe
      Filesize

      359KB

      MD5

      0daa488beeeb7b66a1927fe0c51f5b18

      SHA1

      39159d332843934ca8710debe0b84ab863f2392e

      SHA256

      4608a1b1fabc0327dc3f87a63871dce38eff013e2f727e9689f9ed33b41a42a6

      SHA512

      625632834af6c73a879cfc8eb3f124e44adc2a09d672c579271e019789ca24f243bf4b6df016410234e8c619bd3908b80f4a87a9738e4e80970e54b857c03d9d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732245.exe
      Filesize

      359KB

      MD5

      0daa488beeeb7b66a1927fe0c51f5b18

      SHA1

      39159d332843934ca8710debe0b84ab863f2392e

      SHA256

      4608a1b1fabc0327dc3f87a63871dce38eff013e2f727e9689f9ed33b41a42a6

      SHA512

      625632834af6c73a879cfc8eb3f124e44adc2a09d672c579271e019789ca24f243bf4b6df016410234e8c619bd3908b80f4a87a9738e4e80970e54b857c03d9d

      Download Submit
    • memory/1084-153-0x00000000062C0000-0x0000000006864000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1084-154-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-155-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-157-0x0000000001C80000-0x0000000001CCB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1084-158-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-160-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-162-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-165-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-163-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-159-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-167-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-169-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-171-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-173-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-175-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-177-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-179-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-181-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-183-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-185-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-187-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-189-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-193-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-191-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-195-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-197-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-199-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-201-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-203-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-205-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-207-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-209-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-211-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-213-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-215-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-217-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-219-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-221-0x00000000060C0000-0x00000000060FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1084-1064-0x0000000006870000-0x0000000006E88000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1084-1065-0x0000000006EE0000-0x0000000006FEA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1084-1066-0x0000000007020000-0x0000000007032000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1084-1067-0x0000000007040000-0x000000000707C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1084-1068-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-1070-0x0000000007330000-0x00000000073C2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1084-1071-0x00000000073D0000-0x0000000007436000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1084-1074-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-1073-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-1072-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1084-1075-0x0000000007F30000-0x0000000007FA6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1084-1076-0x0000000007FB0000-0x0000000008000000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1084-1077-0x0000000008020000-0x00000000081E2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1084-1078-0x0000000008200000-0x000000000872C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1084-1079-0x00000000062B0000-0x00000000062C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1292-147-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3820-1085-0x0000000000850000-0x0000000000882000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3820-1086-0x0000000005270000-0x0000000005280000-memory.dmp
      Filesize

      64KB

      Download