Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/04/2023, 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64f6fa2eb3102fe5f41ab16a1be18e02d26dccf28c9ffe6f2c83e46c04ec469b.exe

  • Size

    536KB

  • MD5

    4e860e4cc566f627b8b0304f60710e66

  • SHA1

    4312a8dca18b0643ef9fd5e65130e23d6340a4c9

  • SHA256

    64f6fa2eb3102fe5f41ab16a1be18e02d26dccf28c9ffe6f2c83e46c04ec469b

  • SHA512

    10bbc67cc68784019cf233e3c86c79896ef4f5651c4935725ce2c0846c735a635fcf52dae0463ffa7a8eaecf42fbb554914906ba19197fc84de7e2fa7d732f04

  • SSDEEP

    12288:BMruy90kIo6uqxtBjfNHz7U5nL+aQt1S6:jyJ67xt5NHanw1S6

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64f6fa2eb3102fe5f41ab16a1be18e02d26dccf28c9ffe6f2c83e46c04ec469b.exe
    "C:\Users\Admin\AppData\Local\Temp\64f6fa2eb3102fe5f41ab16a1be18e02d26dccf28c9ffe6f2c83e46c04ec469b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizK7275.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizK7275.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr112520.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr112520.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3444
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku752877.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku752877.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100975.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100975.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100975.exe
    Filesize

    175KB

    MD5

    4f2ac49fb6a47ec5d24e075f11520668

    SHA1

    73b7e2ece4132fb3c5ae77d334a3b16ff9650e18

    SHA256

    c5acb6cbc7be50dbfb8c66caa5d49aa2c3c1476c4cc6a07f9f40b3d1aaa778c7

    SHA512

    0aa4dd24e16786910a82ab4891ea6487e09a9fcdfe5a4c1af5251a79dd9817b2b5b0e107a3c54978048f74867d3b0c83c0cb780ded035d47d52e974375cf621b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100975.exe
    Filesize

    175KB

    MD5

    4f2ac49fb6a47ec5d24e075f11520668

    SHA1

    73b7e2ece4132fb3c5ae77d334a3b16ff9650e18

    SHA256

    c5acb6cbc7be50dbfb8c66caa5d49aa2c3c1476c4cc6a07f9f40b3d1aaa778c7

    SHA512

    0aa4dd24e16786910a82ab4891ea6487e09a9fcdfe5a4c1af5251a79dd9817b2b5b0e107a3c54978048f74867d3b0c83c0cb780ded035d47d52e974375cf621b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizK7275.exe
    Filesize

    394KB

    MD5

    90864cc75e862f75d712de86bb04c414

    SHA1

    84139fcf98cd252ad1982edfdd075124a894d35a

    SHA256

    8bb6188e3ff4b235d1782fd81f5ad610b23990e4189778f19c3141261ea2a335

    SHA512

    1dbf50c5f30cfef709c949c905dbf8be4f354449241a343ce878ea972a9c2ee7d2074eeeae2dc6abcbbac342fafbc7014a50e7c5b31332203025fcde145cc030

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizK7275.exe
    Filesize

    394KB

    MD5

    90864cc75e862f75d712de86bb04c414

    SHA1

    84139fcf98cd252ad1982edfdd075124a894d35a

    SHA256

    8bb6188e3ff4b235d1782fd81f5ad610b23990e4189778f19c3141261ea2a335

    SHA512

    1dbf50c5f30cfef709c949c905dbf8be4f354449241a343ce878ea972a9c2ee7d2074eeeae2dc6abcbbac342fafbc7014a50e7c5b31332203025fcde145cc030

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr112520.exe
    Filesize

    13KB

    MD5

    059fc7e32c1363ac041f3a555088c2bb

    SHA1

    9f88fa5207a07a3bfc695c29b81d8c7c50e96c28

    SHA256

    32dddb2196eaf9095b3ae9fd76a70ee17c052684a0db674361b1cb598e8edd24

    SHA512

    35f9e84df7a84322ee5367ae4dc3ae06d5691a3f87e37a969b55c3f1658e321b52768dd83133181c43d8d64ebaf875d4c2e0aabde4c1be663d0191f243f363cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr112520.exe
    Filesize

    13KB

    MD5

    059fc7e32c1363ac041f3a555088c2bb

    SHA1

    9f88fa5207a07a3bfc695c29b81d8c7c50e96c28

    SHA256

    32dddb2196eaf9095b3ae9fd76a70ee17c052684a0db674361b1cb598e8edd24

    SHA512

    35f9e84df7a84322ee5367ae4dc3ae06d5691a3f87e37a969b55c3f1658e321b52768dd83133181c43d8d64ebaf875d4c2e0aabde4c1be663d0191f243f363cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku752877.exe
    Filesize

    353KB

    MD5

    9c1415690309d390c494265dee1eb8f0

    SHA1

    1c2925cffa3bb2331e1a9079ffce657b8c73684c

    SHA256

    c48aa9eaf8a3308fc03f73fb19fdc226e9f38165ed27e8878f1f839bacd486c7

    SHA512

    11a5c84a8ef3971ade50424de2483704538add7d63017bd0fcd2c9d051b587379fe8871642fcc956dbf602fbc7472ebdd9942f4e4701105adced0bdb5dfe5a82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku752877.exe
    Filesize

    353KB

    MD5

    9c1415690309d390c494265dee1eb8f0

    SHA1

    1c2925cffa3bb2331e1a9079ffce657b8c73684c

    SHA256

    c48aa9eaf8a3308fc03f73fb19fdc226e9f38165ed27e8878f1f839bacd486c7

    SHA512

    11a5c84a8ef3971ade50424de2483704538add7d63017bd0fcd2c9d051b587379fe8871642fcc956dbf602fbc7472ebdd9942f4e4701105adced0bdb5dfe5a82

    Download Submit

  • memory/2680-137-0x0000000002610000-0x0000000002656000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2680-138-0x0000000000810000-0x000000000085B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2680-139-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2680-140-0x0000000004F40000-0x000000000543E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2680-141-0x0000000004DB0000-0x0000000004DF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2680-142-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-143-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-145-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-147-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-149-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-151-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-153-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-155-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-157-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-159-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-161-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-163-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-165-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-167-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-169-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-171-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-173-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-175-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-177-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-179-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-181-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-183-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-185-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-187-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-189-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-191-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-193-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-195-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-197-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-199-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-201-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-203-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-205-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2680-1048-0x0000000005540000-0x0000000005B46000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2680-1049-0x0000000005B50000-0x0000000005C5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2680-1050-0x0000000004F00000-0x0000000004F12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2680-1051-0x0000000005C60000-0x0000000005C9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2680-1052-0x0000000005DA0000-0x0000000005DEB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2680-1053-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2680-1055-0x0000000005F30000-0x0000000005F96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2680-1056-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2680-1057-0x00000000064D0000-0x0000000006562000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2680-1058-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2680-1059-0x00000000067E0000-0x0000000006856000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2680-1060-0x0000000006860000-0x00000000068B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2680-1061-0x00000000068D0000-0x0000000006A92000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2680-1062-0x0000000006AA0000-0x0000000006FCC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3444-131-0x0000000000140000-0x000000000014A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3604-1068-0x0000000000710000-0x0000000000742000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3604-1069-0x0000000005030000-0x000000000507B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3604-1070-0x0000000002B00000-0x0000000002B10000-memory.dmp

    Filesize

    64KB

    Download