Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe

  • Size

    533KB

  • MD5

    6686c2e73f606bb17d692fe1219f10f0

  • SHA1

    2cedfceb62c28cea0792af906ef6a4311a18cd04

  • SHA256

    7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d

  • SHA512

    b55620234bb0d4a4510c0482ed174820693175e6d680d93bdab8a8c010c5fd1d7309e8820ecbd94fd8b15cb86e366a9a8f6f9c1d480a1727fc6221e727742b30

  • SSDEEP

    12288:eMrCy90PPR0CiCK4P7Q97PIzR653LqwBddzsOPrWg64:oysPBK4jQ9Li653GG/vrWq

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe
    "C:\Users\Admin\AppData\Local\Temp\7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWb3664.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWb3664.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr487695.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr487695.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku927546.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku927546.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1348
          4⤵
          • Program crash
          PID:4752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr315463.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr315463.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4840 -ip 4840
    1⤵
      PID:5040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr315463.exe
      Filesize

      175KB

      MD5

      e296c470a14209b5ed35f67780c9a586

      SHA1

      d7d51ad92212804096ff31781c8a28d969258e28

      SHA256

      e471d6a736b6356705b5273b8db720402bf65fdf32ec5ddc08479d9969da0e62

      SHA512

      376597f830b79326634fbc17fe8d8ef2fb9afddea0f9407d749c1568a851fd9b38c516e2abd212469b2c08f52ed870fe4be079d4ee212e86bb6512f3356effe7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr315463.exe
      Filesize

      175KB

      MD5

      e296c470a14209b5ed35f67780c9a586

      SHA1

      d7d51ad92212804096ff31781c8a28d969258e28

      SHA256

      e471d6a736b6356705b5273b8db720402bf65fdf32ec5ddc08479d9969da0e62

      SHA512

      376597f830b79326634fbc17fe8d8ef2fb9afddea0f9407d749c1568a851fd9b38c516e2abd212469b2c08f52ed870fe4be079d4ee212e86bb6512f3356effe7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWb3664.exe
      Filesize

      391KB

      MD5

      6d1cb76a0364ca403f7950753cb668ea

      SHA1

      6b8c94e21e1a4345631cff0516901c2c7ca5b316

      SHA256

      49cf88f11e3daac0b51ad460713ec8cd51a6baff29f98f8027783d1643f6f9a6

      SHA512

      536125e3a8c08536fc08dfeee48b8084e7d9af881aa648d498296914564e339af75763882022f49ac4f0488c2f653e4d97d0f933a1c4ebfcec77935a83419d5d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWb3664.exe
      Filesize

      391KB

      MD5

      6d1cb76a0364ca403f7950753cb668ea

      SHA1

      6b8c94e21e1a4345631cff0516901c2c7ca5b316

      SHA256

      49cf88f11e3daac0b51ad460713ec8cd51a6baff29f98f8027783d1643f6f9a6

      SHA512

      536125e3a8c08536fc08dfeee48b8084e7d9af881aa648d498296914564e339af75763882022f49ac4f0488c2f653e4d97d0f933a1c4ebfcec77935a83419d5d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr487695.exe
      Filesize

      11KB

      MD5

      4f171a52eb12a56f75d60ce240a5af34

      SHA1

      90eea52aa1092c72d830e429b5fc62861ee56ee7

      SHA256

      1fde1b55ee728d8e26797421ea16256d25f454ac7e8fc891b064bec9941bd92f

      SHA512

      694109eb6259e31777461f1d58b47dce56ab3e18586e51ce0034452f31d2f0becc39784fabe16bd9e30020fc94914bfb7c3634e7bd77e7bfe19c05671ab08189

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr487695.exe
      Filesize

      11KB

      MD5

      4f171a52eb12a56f75d60ce240a5af34

      SHA1

      90eea52aa1092c72d830e429b5fc62861ee56ee7

      SHA256

      1fde1b55ee728d8e26797421ea16256d25f454ac7e8fc891b064bec9941bd92f

      SHA512

      694109eb6259e31777461f1d58b47dce56ab3e18586e51ce0034452f31d2f0becc39784fabe16bd9e30020fc94914bfb7c3634e7bd77e7bfe19c05671ab08189

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku927546.exe
      Filesize

      359KB

      MD5

      8ff62cce9015fec02ae09d51e23ab46a

      SHA1

      d16a50ad6a8cc7736f576a0e08620eeb3c96aeee

      SHA256

      667748899d945da6d5becf3fe47d6e35a59a22636616b0040dd23c7d5961409c

      SHA512

      e328de5da07c76d7ecb96cd8384119a2b4c83f317a7504ae852bce17e769b7e999ab72c196c89293c1a7475d0515aa11334adff48e3206f9002b92a1b33ace17

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku927546.exe
      Filesize

      359KB

      MD5

      8ff62cce9015fec02ae09d51e23ab46a

      SHA1

      d16a50ad6a8cc7736f576a0e08620eeb3c96aeee

      SHA256

      667748899d945da6d5becf3fe47d6e35a59a22636616b0040dd23c7d5961409c

      SHA512

      e328de5da07c76d7ecb96cd8384119a2b4c83f317a7504ae852bce17e769b7e999ab72c196c89293c1a7475d0515aa11334adff48e3206f9002b92a1b33ace17

      Download Submit
    • memory/3380-1085-0x0000000000DE0000-0x0000000000E12000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3380-1086-0x0000000005650000-0x0000000005660000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4124-147-0x0000000000A10000-0x0000000000A1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4840-185-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-197-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-156-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-155-0x0000000006350000-0x00000000068F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4840-157-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-158-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-159-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-161-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-163-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-165-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-167-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-169-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-171-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-173-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-175-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-177-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-179-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-181-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-183-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-153-0x0000000003650000-0x000000000369B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4840-187-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-189-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-191-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-193-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-195-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-154-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-199-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-201-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-203-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-205-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-207-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-209-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-211-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-213-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-215-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-217-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-219-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-221-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4840-1064-0x0000000006900000-0x0000000006F18000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4840-1065-0x00000000061C0000-0x00000000062CA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4840-1066-0x0000000006300000-0x0000000006312000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4840-1067-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-1068-0x0000000006F20000-0x0000000006F5C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4840-1070-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-1071-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-1072-0x00000000071F0000-0x0000000007282000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4840-1073-0x0000000007290000-0x00000000072F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4840-1074-0x0000000006340000-0x0000000006350000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-1075-0x0000000007BF0000-0x0000000007C66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4840-1076-0x0000000007C80000-0x0000000007CD0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4840-1077-0x0000000007CE0000-0x0000000007EA2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4840-1078-0x0000000007EC0000-0x00000000083EC000-memory.dmp
      Filesize

      5.2MB

      Download