Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2023 05:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    829bee0039ce4b18d3b6ce11926f38a155ac9ee4887170509c362cfd96b44a6a.exe

  • Size

    534KB

  • MD5

    060a101bdac854ad314aeb9b7b5f63e7

  • SHA1

    f5af2b97a903e2c0480624a4ef5b8ed5559d6142

  • SHA256

    829bee0039ce4b18d3b6ce11926f38a155ac9ee4887170509c362cfd96b44a6a

  • SHA512

    2e1814aa80bbf2d45967c25a5b39904ed94d7bbf7a9e2b9740855ca494cfe7f1690ed7df3d97d5ecd6d138c5995dd485804bcb332f8191a7d74dd45b6cc66de0

  • SSDEEP

    12288:eMrVy90jWqkLLkDvHuc++umwzFb5WItpZOECD/GP2ns:Hy+HvtZwzp5FtpmaP

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\829bee0039ce4b18d3b6ce11926f38a155ac9ee4887170509c362cfd96b44a6a.exe
    "C:\Users\Admin\AppData\Local\Temp\829bee0039ce4b18d3b6ce11926f38a155ac9ee4887170509c362cfd96b44a6a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidE9779.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidE9779.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr207306.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr207306.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1564
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku154125.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku154125.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1480
          4⤵
          • Program crash
          PID:1364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr205778.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr205778.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:948
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4112 -ip 4112
    1⤵
      PID:3288

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr205778.exe
      Filesize

      176KB

      MD5

      b32fe3a83193acd2ef57cd6395b38482

      SHA1

      70773bd523572e939c1c4ad034a716030513aa95

      SHA256

      5d6bee7d8fda77287c594efdfe728d7d0cdfa0d8cb71bb5c262604dc1e4ea68b

      SHA512

      27ff5c42c6e625532674020f7e5df6e0b3ac9cea94d5e387ca221b072458e5da67bc8360e608458e05eb5e8ead42341217cce29050c2db64c1a9a18df8542410

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr205778.exe
      Filesize

      176KB

      MD5

      b32fe3a83193acd2ef57cd6395b38482

      SHA1

      70773bd523572e939c1c4ad034a716030513aa95

      SHA256

      5d6bee7d8fda77287c594efdfe728d7d0cdfa0d8cb71bb5c262604dc1e4ea68b

      SHA512

      27ff5c42c6e625532674020f7e5df6e0b3ac9cea94d5e387ca221b072458e5da67bc8360e608458e05eb5e8ead42341217cce29050c2db64c1a9a18df8542410

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidE9779.exe
      Filesize

      392KB

      MD5

      9ec80ad224effaf1a647536e0e5716ae

      SHA1

      8ceb4f963ebe40b762f6882aa470e73c6a4ea1ea

      SHA256

      75acd6b32d0d75656560b890fa3a51a3cc10ac4ede5941d988466794979379f8

      SHA512

      098116f99801828f76dc2019c718dfe88f2718dddeab2920fcf8f05d0141e5179981a0afba3c9663ff51912c8c66c91dc2ab1c86fe238f0f660d9cd4ea08d4f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidE9779.exe
      Filesize

      392KB

      MD5

      9ec80ad224effaf1a647536e0e5716ae

      SHA1

      8ceb4f963ebe40b762f6882aa470e73c6a4ea1ea

      SHA256

      75acd6b32d0d75656560b890fa3a51a3cc10ac4ede5941d988466794979379f8

      SHA512

      098116f99801828f76dc2019c718dfe88f2718dddeab2920fcf8f05d0141e5179981a0afba3c9663ff51912c8c66c91dc2ab1c86fe238f0f660d9cd4ea08d4f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr207306.exe
      Filesize

      12KB

      MD5

      0ee9057f54482764d57de3704660c52f

      SHA1

      36fb1302d8d7f90cf4645737a3eb522b7f1c2412

      SHA256

      9f30ec1839b39b042cc00cd4f86173ab99e5d5df9a99d4d2bb32232caf749bc7

      SHA512

      9e8822e2f793e3a39d90138beae5d8f4a42f3155ce67e0e090e7845f16b651667158f13090cf5b9cfe6411396f0fbc68b23a1f9ebab3765f89da449ca25bc85b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr207306.exe
      Filesize

      12KB

      MD5

      0ee9057f54482764d57de3704660c52f

      SHA1

      36fb1302d8d7f90cf4645737a3eb522b7f1c2412

      SHA256

      9f30ec1839b39b042cc00cd4f86173ab99e5d5df9a99d4d2bb32232caf749bc7

      SHA512

      9e8822e2f793e3a39d90138beae5d8f4a42f3155ce67e0e090e7845f16b651667158f13090cf5b9cfe6411396f0fbc68b23a1f9ebab3765f89da449ca25bc85b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku154125.exe
      Filesize

      319KB

      MD5

      2dc7bcde816e033f22c41c6ddb2b10ae

      SHA1

      a94863bab098a111bd5c7d6dc15436fd5267b9a6

      SHA256

      173745b77918e94bedd7a41c7dcd131eab5acc409959263f6f34c946155f0da4

      SHA512

      67e308a7a48d7c0250c0d0a4c87f9ed33f892cba55c39c06edc892ad91ae51c3e6a353f7eed8c8df806d617aa36c16ce80873cd18257bcb9f5cd1f1b7546d716

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku154125.exe
      Filesize

      319KB

      MD5

      2dc7bcde816e033f22c41c6ddb2b10ae

      SHA1

      a94863bab098a111bd5c7d6dc15436fd5267b9a6

      SHA256

      173745b77918e94bedd7a41c7dcd131eab5acc409959263f6f34c946155f0da4

      SHA512

      67e308a7a48d7c0250c0d0a4c87f9ed33f892cba55c39c06edc892ad91ae51c3e6a353f7eed8c8df806d617aa36c16ce80873cd18257bcb9f5cd1f1b7546d716

      Download Submit

    • memory/948-1085-0x0000000000C70000-0x0000000000CA2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/948-1086-0x0000000005590000-0x00000000055A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1564-147-0x0000000000100000-0x000000000010A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4112-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-155-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-157-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-159-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-163-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-169-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-170-0x0000000002150000-0x000000000219B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4112-171-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-173-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-174-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-175-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-177-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-179-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-181-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-183-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-185-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-153-0x0000000004BD0000-0x0000000005174000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4112-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-193-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-195-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-197-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-199-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-154-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-203-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-205-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-209-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-211-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-215-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-217-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-221-0x0000000004A60000-0x0000000004A9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4112-1064-0x0000000005280000-0x0000000005898000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4112-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4112-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4112-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4112-1068-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-1070-0x0000000005CF0000-0x0000000005D82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4112-1071-0x0000000005D90000-0x0000000005DF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4112-1072-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-1073-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-1074-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-1075-0x0000000006480000-0x00000000064F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4112-1076-0x0000000006520000-0x0000000006570000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4112-1077-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-1078-0x00000000067D0000-0x0000000006992000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4112-1079-0x00000000069F0000-0x0000000006F1C000-memory.dmp

      Filesize

      5.2MB

      Download