Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 06:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    76c4c52e660c2a3e0966cbc78f0e94392c227bb5d7dcb467864b32ab144164f1.exe

  • Size

    529KB

  • MD5

    a488732e42e60c2134d3ab91d2f4a875

  • SHA1

    ed706fafc68aafe79d32bcadfd6170d531ccde1b

  • SHA256

    76c4c52e660c2a3e0966cbc78f0e94392c227bb5d7dcb467864b32ab144164f1

  • SHA512

    316c5910f5c24c483fd36fe93f22c58d9cda94715870e8f6a9b65d48401e9cd70f63dc4ae0f49f2a8265264c56dee1f6b0ebcddbd3b5f4d79db641f3f1650dac

  • SSDEEP

    12288:iMrQy90+smC7cCENhujvl7wjwhatXfABCLPMWu98:OyI7lWhu7l88h2vrBM8

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76c4c52e660c2a3e0966cbc78f0e94392c227bb5d7dcb467864b32ab144164f1.exe
    "C:\Users\Admin\AppData\Local\Temp\76c4c52e660c2a3e0966cbc78f0e94392c227bb5d7dcb467864b32ab144164f1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihl6590.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihl6590.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr697985.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr697985.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku972000.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku972000.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1788
          4⤵
          • Program crash
          PID:4500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr059694.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr059694.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2660 -ip 2660
    1⤵
      PID:2500

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr059694.exe
            Filesize

            176KB

            MD5

            8350c2da56c3b4dcbaef3302c468d856

            SHA1

            11ca7b46b8b3908418d6ce437a44070dd92b26de

            SHA256

            78e6dab34d1089526dda576af6522ce457719391c1601143f4d9b8eaa772a7ef

            SHA512

            a91a65d064d7047362a11c5fc5c289e989131482633f74604b18c53a016a7d53d3b0d4f20464e1ea150cf50f15060cde120fda0f1e4438d3a4eda1a5744fb220

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr059694.exe
            Filesize

            176KB

            MD5

            8350c2da56c3b4dcbaef3302c468d856

            SHA1

            11ca7b46b8b3908418d6ce437a44070dd92b26de

            SHA256

            78e6dab34d1089526dda576af6522ce457719391c1601143f4d9b8eaa772a7ef

            SHA512

            a91a65d064d7047362a11c5fc5c289e989131482633f74604b18c53a016a7d53d3b0d4f20464e1ea150cf50f15060cde120fda0f1e4438d3a4eda1a5744fb220

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihl6590.exe
            Filesize

            388KB

            MD5

            48b87dbbea5cd356368588c876ae3f71

            SHA1

            7dbb6ffae7be6dccfc8c9ef87ced80d7ae229cf1

            SHA256

            c7ad472a1594d3b9e17171ff4560cfa729a37e7b60a60219a3ced229283f496b

            SHA512

            9e712492db46961cf81f4e21625d67f2d07e6876dcc2078bc2dc3f80cc2c227e20f3afb6d7ae6d422444625f447a09ffcae43ab2574ec4140b50f534f182c983

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihl6590.exe
            Filesize

            388KB

            MD5

            48b87dbbea5cd356368588c876ae3f71

            SHA1

            7dbb6ffae7be6dccfc8c9ef87ced80d7ae229cf1

            SHA256

            c7ad472a1594d3b9e17171ff4560cfa729a37e7b60a60219a3ced229283f496b

            SHA512

            9e712492db46961cf81f4e21625d67f2d07e6876dcc2078bc2dc3f80cc2c227e20f3afb6d7ae6d422444625f447a09ffcae43ab2574ec4140b50f534f182c983

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr697985.exe
            Filesize

            12KB

            MD5

            b99a8d41703e629e4c22ac69840cfde3

            SHA1

            01fff850232f8953ad5b53384193c3d118ade671

            SHA256

            713b8ee63c2f0dd7db591b5075b5bc451e6666e03483f59de2feb199f1d5f003

            SHA512

            a8e33a6d926cd9b87717aeb7fa5718d93c65ed4bd1aba6e7fde8b6e631920c0910128bc2b3f1a16db944fbded6d0daf21577aeaf3326b15a9d4cfa938ee4ad16

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr697985.exe
            Filesize

            12KB

            MD5

            b99a8d41703e629e4c22ac69840cfde3

            SHA1

            01fff850232f8953ad5b53384193c3d118ade671

            SHA256

            713b8ee63c2f0dd7db591b5075b5bc451e6666e03483f59de2feb199f1d5f003

            SHA512

            a8e33a6d926cd9b87717aeb7fa5718d93c65ed4bd1aba6e7fde8b6e631920c0910128bc2b3f1a16db944fbded6d0daf21577aeaf3326b15a9d4cfa938ee4ad16

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku972000.exe
            Filesize

            434KB

            MD5

            2ddc106449f20f87c0bafaec15e4a525

            SHA1

            1487e72566676ce56762b30548aaa45b9b913eb6

            SHA256

            b9102a2d2e3243ed2d02930074010d98c71f7742469090089e732da36a497c0f

            SHA512

            a4883d3eb5b8523d8ecbecb6e234ea1f34c52555dbdea3903e962d5bbf341dd3765d8bc1e1b9e13287654b7251e05364807482db14d9fa70376c9f666b84f7cd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku972000.exe
            Filesize

            434KB

            MD5

            2ddc106449f20f87c0bafaec15e4a525

            SHA1

            1487e72566676ce56762b30548aaa45b9b913eb6

            SHA256

            b9102a2d2e3243ed2d02930074010d98c71f7742469090089e732da36a497c0f

            SHA512

            a4883d3eb5b8523d8ecbecb6e234ea1f34c52555dbdea3903e962d5bbf341dd3765d8bc1e1b9e13287654b7251e05364807482db14d9fa70376c9f666b84f7cd

            Download Submit

          • memory/1188-147-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2660-153-0x0000000005050000-0x00000000055F4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2660-154-0x0000000000AB0000-0x0000000000AFB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2660-155-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2660-156-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2660-158-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-160-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-157-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-162-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-164-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-166-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-168-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-170-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-172-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-174-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-176-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-178-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-180-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-182-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-184-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-186-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-188-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-190-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-192-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-194-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-196-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-198-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-200-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-202-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-204-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-206-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-208-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-210-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-212-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-214-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-216-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-218-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-220-0x00000000029A0000-0x00000000029DF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2660-1063-0x0000000005600000-0x0000000005C18000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2660-1064-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2660-1065-0x0000000005C20000-0x0000000005C32000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2660-1066-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2660-1067-0x0000000005C40000-0x0000000005C7C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2660-1069-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2660-1070-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2660-1071-0x0000000005F20000-0x0000000005FB2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2660-1072-0x0000000005FC0000-0x0000000006026000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2660-1073-0x0000000006900000-0x0000000006976000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2660-1074-0x0000000006990000-0x00000000069E0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2660-1075-0x0000000006A10000-0x0000000006BD2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2660-1076-0x0000000006BE0000-0x000000000710C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2660-1077-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4576-1083-0x00000000002F0000-0x0000000000322000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4576-1084-0x0000000004E90000-0x0000000004EA0000-memory.dmp

            Filesize

            64KB

            Download