Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-04-2023 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93f0f089b05aaaafe91008e469906d8e3276c204c1755a3a95700d62f41fc22c.exe

  • Size

    529KB

  • MD5

    2c2db6e9f7152172733f8e8061702f5a

  • SHA1

    0ec4d97524bc00c45a34732443422bda59b0d23d

  • SHA256

    93f0f089b05aaaafe91008e469906d8e3276c204c1755a3a95700d62f41fc22c

  • SHA512

    16a3539fcf7979b67d2884f8a02feb3108c92c1e85c33e9532eaa926910e508688790f15126f6471e0e31b145ce7b8d6e729dd99530d16d05e7c0ac7901b5a23

  • SSDEEP

    12288:cMrpy90CGPn67lPVzIJc7m0utJkk03M+xFYx1oBf:Vy+vcltzIOhutut3dt9

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93f0f089b05aaaafe91008e469906d8e3276c204c1755a3a95700d62f41fc22c.exe
    "C:\Users\Admin\AppData\Local\Temp\93f0f089b05aaaafe91008e469906d8e3276c204c1755a3a95700d62f41fc22c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXL3208.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXL3208.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr000675.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr000675.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku304334.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku304334.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr105877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr105877.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr105877.exe
    Filesize

    176KB

    MD5

    1d0bfaf544107c7c5dae9ddcc7af2eac

    SHA1

    a25a760d3afc5ce3cc11dc185a469ce4fbac70d5

    SHA256

    e3af7cba1b015e5c7ae7c260d6ea8b19b6846098ac5c152d425bc74bb166d1c7

    SHA512

    6cf810dbc2cd1017d2e45576ca7485a2571bb045e0fbb4cc20769d01b8d0de914b82850e3a4ed6a489011c122971c63ef2af66c41100e1f7f6c0b76a6301437b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr105877.exe
    Filesize

    176KB

    MD5

    1d0bfaf544107c7c5dae9ddcc7af2eac

    SHA1

    a25a760d3afc5ce3cc11dc185a469ce4fbac70d5

    SHA256

    e3af7cba1b015e5c7ae7c260d6ea8b19b6846098ac5c152d425bc74bb166d1c7

    SHA512

    6cf810dbc2cd1017d2e45576ca7485a2571bb045e0fbb4cc20769d01b8d0de914b82850e3a4ed6a489011c122971c63ef2af66c41100e1f7f6c0b76a6301437b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXL3208.exe
    Filesize

    388KB

    MD5

    d4abe478e9475b6870087363844027eb

    SHA1

    f9735e8c2760b9a97e9a6c00dee3556e35bb3969

    SHA256

    b3921edb177e0d856a87f08cc8d6fde5dec98e1678b6524d6be2f172a8fdae2a

    SHA512

    75b1766e83390f1cf2be46a9610385e7cdd169966a539bb9a88cfb3b405b657f7b8edcea747cc04f905528ee68f6d12e4f28a565f80556f9e6a8d67d5c917177

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXL3208.exe
    Filesize

    388KB

    MD5

    d4abe478e9475b6870087363844027eb

    SHA1

    f9735e8c2760b9a97e9a6c00dee3556e35bb3969

    SHA256

    b3921edb177e0d856a87f08cc8d6fde5dec98e1678b6524d6be2f172a8fdae2a

    SHA512

    75b1766e83390f1cf2be46a9610385e7cdd169966a539bb9a88cfb3b405b657f7b8edcea747cc04f905528ee68f6d12e4f28a565f80556f9e6a8d67d5c917177

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr000675.exe
    Filesize

    12KB

    MD5

    ab5cc9c6ac3a2cd1edfe6c88519a1657

    SHA1

    a80bbb55864e0c11843978228e753a37f41fcdd2

    SHA256

    aaf24c282b65858e4f24da5d081ee46c71be1968139e2d50ee949c1e6ff2f0f5

    SHA512

    c86b90406309909169dfb576fc33b8be55f8fa60704080af235da0db1958fa45af5fbe9bc4e94044a1e2d9c95ea684738ab4babf0c88071b504895778af9e814

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr000675.exe
    Filesize

    12KB

    MD5

    ab5cc9c6ac3a2cd1edfe6c88519a1657

    SHA1

    a80bbb55864e0c11843978228e753a37f41fcdd2

    SHA256

    aaf24c282b65858e4f24da5d081ee46c71be1968139e2d50ee949c1e6ff2f0f5

    SHA512

    c86b90406309909169dfb576fc33b8be55f8fa60704080af235da0db1958fa45af5fbe9bc4e94044a1e2d9c95ea684738ab4babf0c88071b504895778af9e814

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku304334.exe
    Filesize

    434KB

    MD5

    46e53bcb820041cbc9f8c22eee5166e0

    SHA1

    16162fdfd2fcc4006d8ebb2ab97e5e11feb4aca3

    SHA256

    a42c7713cbe85641045d71e64f0f1980699d40462214f3be5bc7755a029ace1c

    SHA512

    7442a5ea6eca05d581625595cad89be95c4ab6ed97e1c583cfe91fb127b4da1a45ad96ea0beccdfd7518161a2611bcd784fc9355f2b3fb95e44524f8c3ba5fac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku304334.exe
    Filesize

    434KB

    MD5

    46e53bcb820041cbc9f8c22eee5166e0

    SHA1

    16162fdfd2fcc4006d8ebb2ab97e5e11feb4aca3

    SHA256

    a42c7713cbe85641045d71e64f0f1980699d40462214f3be5bc7755a029ace1c

    SHA512

    7442a5ea6eca05d581625595cad89be95c4ab6ed97e1c583cfe91fb127b4da1a45ad96ea0beccdfd7518161a2611bcd784fc9355f2b3fb95e44524f8c3ba5fac

    Download Submit

  • memory/2876-1071-0x0000000000AE0000-0x0000000000B12000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2876-1072-0x0000000005520000-0x000000000556B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2876-1074-0x00000000056D0000-0x00000000056E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2876-1073-0x00000000056D0000-0x00000000056E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4484-130-0x0000000000650000-0x000000000065A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4924-176-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-186-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-140-0x0000000002590000-0x00000000025D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4924-141-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-142-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-144-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-146-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-148-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-150-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-152-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-154-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-156-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-158-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-160-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-162-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-164-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-166-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-168-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-170-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-172-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-173-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-138-0x00000000023C0000-0x0000000002406000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4924-175-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-178-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-180-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-182-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-184-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-139-0x0000000004FB0000-0x00000000054AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4924-188-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-190-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-192-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-194-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-196-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-198-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-200-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-202-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-204-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-206-0x0000000002590000-0x00000000025CF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4924-1049-0x00000000054B0000-0x0000000005AB6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4924-1050-0x0000000005AC0000-0x0000000005BCA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4924-1051-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-1052-0x0000000004F00000-0x0000000004F3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4924-1053-0x0000000004F50000-0x0000000004F9B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4924-1054-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-1056-0x0000000005E10000-0x0000000005E76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4924-1057-0x00000000064E0000-0x0000000006572000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4924-1058-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-1059-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-1060-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-1061-0x0000000007870000-0x0000000007A32000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4924-137-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-136-0x0000000000900000-0x000000000094B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4924-1062-0x0000000007A40000-0x0000000007F6C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4924-1063-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-1064-0x0000000004970000-0x00000000049E6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4924-1065-0x0000000008080000-0x00000000080D0000-memory.dmp

    Filesize

    320KB

    Download