Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    132s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-04-2023 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    165e79c79334b6aaf15ccf03ba0cf1613f96a53b36199fdea5101a04c632554c.exe

  • Size

    530KB

  • MD5

    dbeb0b3a667c9f87d04cb5026024ef36

  • SHA1

    00bf88a25a4c09c109521089a70f6edb72679a82

  • SHA256

    165e79c79334b6aaf15ccf03ba0cf1613f96a53b36199fdea5101a04c632554c

  • SHA512

    2d5d7f460b7a574d8be0b4e966c5ca1291b494e1afdb5180278585bfea57ecd4ee0edc17e010251746f35cf238654f8e7acdbdbb996a5d9a161214b458e4f152

  • SSDEEP

    12288:3Mrsy90IfluNQYfqSj99crSssW7J4IIymgJNd:byRf0NQYfl9WIVyrJNd

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\165e79c79334b6aaf15ccf03ba0cf1613f96a53b36199fdea5101a04c632554c.exe
    "C:\Users\Admin\AppData\Local\Temp\165e79c79334b6aaf15ccf03ba0cf1613f96a53b36199fdea5101a04c632554c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYZ0526.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYZ0526.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr195687.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr195687.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku924769.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku924769.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921212.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921212.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921212.exe
    Filesize

    176KB

    MD5

    9d80a52f486eb620dd74426ac507c62e

    SHA1

    b5381841079b36a6e90bf5c7089cf8cfdc9d99c5

    SHA256

    7b1deb4fc6f3090ca0b0d8147611404d85177cf084e6feaa41dd77ef6955c5dc

    SHA512

    d16345ba50239f68b5f48ba9a1e15bcb0a2f9751eaccbed0e6e809708801cdd6f303326ef45707555ec438dc033a517cbc70674b09b488bde56a1911f6cbdfa9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921212.exe
    Filesize

    176KB

    MD5

    9d80a52f486eb620dd74426ac507c62e

    SHA1

    b5381841079b36a6e90bf5c7089cf8cfdc9d99c5

    SHA256

    7b1deb4fc6f3090ca0b0d8147611404d85177cf084e6feaa41dd77ef6955c5dc

    SHA512

    d16345ba50239f68b5f48ba9a1e15bcb0a2f9751eaccbed0e6e809708801cdd6f303326ef45707555ec438dc033a517cbc70674b09b488bde56a1911f6cbdfa9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYZ0526.exe
    Filesize

    387KB

    MD5

    ea9a45796ceb3a15720bc7437bad1c62

    SHA1

    8e683ee5421b1be3f36e57258f8e2f6634d0f32f

    SHA256

    e12101ad3ebff7b719bd5f21ace67810a877b81925bd16e6fe293aacce2d7b36

    SHA512

    a0aafd3257b361f6af31436652e1c55aed4618311fc4c902cad76f2dcaa6c0f5fa5f3fc9d02acd32e9b48aed448b3cfa76d6ce700bfc616c7626e9668452c362

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYZ0526.exe
    Filesize

    387KB

    MD5

    ea9a45796ceb3a15720bc7437bad1c62

    SHA1

    8e683ee5421b1be3f36e57258f8e2f6634d0f32f

    SHA256

    e12101ad3ebff7b719bd5f21ace67810a877b81925bd16e6fe293aacce2d7b36

    SHA512

    a0aafd3257b361f6af31436652e1c55aed4618311fc4c902cad76f2dcaa6c0f5fa5f3fc9d02acd32e9b48aed448b3cfa76d6ce700bfc616c7626e9668452c362

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr195687.exe
    Filesize

    12KB

    MD5

    e6612c3bbfce6b8c0d47ea85df2d7fb0

    SHA1

    de8103457e88248d1b8b3011c97a8bcaf07c653b

    SHA256

    f78ea2d92d6f62d82b05cbb4387f0f97b2fa67ffb927fa0393a8f52139e2f576

    SHA512

    6ac90335647a1ee29901d4a2b292b38db6380a44ad06f3f12d01eaf5965c9d9c6c3deb8144430fd3516e770e1aef6bb31ab38e3e54b885c72cd0075047b1ae31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr195687.exe
    Filesize

    12KB

    MD5

    e6612c3bbfce6b8c0d47ea85df2d7fb0

    SHA1

    de8103457e88248d1b8b3011c97a8bcaf07c653b

    SHA256

    f78ea2d92d6f62d82b05cbb4387f0f97b2fa67ffb927fa0393a8f52139e2f576

    SHA512

    6ac90335647a1ee29901d4a2b292b38db6380a44ad06f3f12d01eaf5965c9d9c6c3deb8144430fd3516e770e1aef6bb31ab38e3e54b885c72cd0075047b1ae31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku924769.exe
    Filesize

    342KB

    MD5

    9c07523ad162ee08988e136b1b647bb3

    SHA1

    2dfddb83bf92c990ebef8934a0c3dc17d2967edd

    SHA256

    1b0fefde0cd989b4a81d1b39f525f3ee64f768d8f031580c6dd56c9ba544ea11

    SHA512

    c9493067ba5a537d64ae51bbceb6fb472cd33bf62b4fa9f5b610a1a44540d6c4f162df2d8a5da065881e6f0558347e98b1c28f8c49cc4fc28e9c4065c37dbee7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku924769.exe
    Filesize

    342KB

    MD5

    9c07523ad162ee08988e136b1b647bb3

    SHA1

    2dfddb83bf92c990ebef8934a0c3dc17d2967edd

    SHA256

    1b0fefde0cd989b4a81d1b39f525f3ee64f768d8f031580c6dd56c9ba544ea11

    SHA512

    c9493067ba5a537d64ae51bbceb6fb472cd33bf62b4fa9f5b610a1a44540d6c4f162df2d8a5da065881e6f0558347e98b1c28f8c49cc4fc28e9c4065c37dbee7

    Download Submit

  • memory/2456-135-0x0000000000460000-0x000000000046A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2832-141-0x0000000002B90000-0x0000000002BDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2832-142-0x0000000004830000-0x0000000004876000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2832-143-0x0000000007400000-0x00000000078FE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2832-144-0x0000000004A90000-0x0000000004AD4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2832-145-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-148-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-146-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-150-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-152-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-154-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-156-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-158-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-160-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-162-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-164-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-166-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-168-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-172-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-174-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-178-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-184-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-182-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-180-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-176-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-186-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-189-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-187-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-185-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-170-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-193-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-191-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-195-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-197-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-199-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-203-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-201-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-205-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-207-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-209-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-211-0x0000000004A90000-0x0000000004ACF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2832-1054-0x0000000007900000-0x0000000007F06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2832-1055-0x0000000007220000-0x000000000732A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2832-1056-0x0000000007350000-0x0000000007362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2832-1057-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-1058-0x0000000007370000-0x00000000073AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2832-1059-0x0000000008010000-0x000000000805B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2832-1061-0x0000000008170000-0x00000000081D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2832-1062-0x0000000008830000-0x00000000088C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2832-1063-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-1064-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-1065-0x00000000073F0000-0x0000000007400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-1066-0x0000000008910000-0x0000000008AD2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2832-1067-0x0000000008AE0000-0x000000000900C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2832-1068-0x0000000009260000-0x00000000092D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2832-1069-0x00000000092E0000-0x0000000009330000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4476-1075-0x00000000008A0000-0x00000000008D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4476-1076-0x00000000052E0000-0x000000000532B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4476-1077-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download