Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6.exe

  • Size

    537KB

  • MD5

    eaba220c7b7d3dac46bcd8a48499e708

  • SHA1

    1d3bc5ceddcd179983fbe32a37ffe865ef91aad5

  • SHA256

    ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6

  • SHA512

    ee360bfb49f6a737ab932eeae43b372d9143d9b9789b6d9528c296bdd6f5228f2bec9ada6d854a32971dc29d99747c8e818317d1991fb7f38e6877b5bb8c4a03

  • SSDEEP

    12288:8MrEy90un9FwmEBu5prV5fWVrUdGHs8wooaP7bG6FjhFZFi:4yBwmnpkrXLw987Nxi

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6.exe
    "C:\Users\Admin\AppData\Local\Temp\ba8a69e867a7a78542ef7df5d02248850c265f5ada1d90a0f3ef8834a03799f6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr153251.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr153251.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4492

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr153251.exe
    Filesize

    176KB

    MD5

    5b9f61d1dcfb038ac10bcbe674b1eaaf

    SHA1

    7750e925d79ce8c6f7236d3dd052d566d0473d50

    SHA256

    e569182c7ace9c014aa877c473a7438e168e20d5c6d521b5de4445f36f483774

    SHA512

    f3c8b8d7067246d2b5a1492ddb0d4b271bce130600758238c3c17afe2c4af7c4279e0c527bf1b22a8cd027a014b6ac7b10f3ac7214fe8820f9583d6cb1cd4dfe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr153251.exe
    Filesize

    176KB

    MD5

    5b9f61d1dcfb038ac10bcbe674b1eaaf

    SHA1

    7750e925d79ce8c6f7236d3dd052d566d0473d50

    SHA256

    e569182c7ace9c014aa877c473a7438e168e20d5c6d521b5de4445f36f483774

    SHA512

    f3c8b8d7067246d2b5a1492ddb0d4b271bce130600758238c3c17afe2c4af7c4279e0c527bf1b22a8cd027a014b6ac7b10f3ac7214fe8820f9583d6cb1cd4dfe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
    Filesize

    395KB

    MD5

    1b545aad1f9485d8c86e1e061d65815c

    SHA1

    dac244595ffe9f5dcdd12622b5df418089a8f6ca

    SHA256

    09e2a40ef61073ee123a7d9153c6a0e1add26c3f65260c48f9bec1e7c19935f7

    SHA512

    6a78212ca2a12e77c12793c33d79c0ec15a865961deae6c2cd15f8bc27e7139bbde853f192f22203d9a430aa891a48ed064b7b8836739bac52e6cdcc84cce255

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinv4256.exe
    Filesize

    395KB

    MD5

    1b545aad1f9485d8c86e1e061d65815c

    SHA1

    dac244595ffe9f5dcdd12622b5df418089a8f6ca

    SHA256

    09e2a40ef61073ee123a7d9153c6a0e1add26c3f65260c48f9bec1e7c19935f7

    SHA512

    6a78212ca2a12e77c12793c33d79c0ec15a865961deae6c2cd15f8bc27e7139bbde853f192f22203d9a430aa891a48ed064b7b8836739bac52e6cdcc84cce255

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
    Filesize

    14KB

    MD5

    477974078f61539d33857e4e347d1c12

    SHA1

    49e77dd5813765a7eef08ecead29e3351c2a60f9

    SHA256

    ccb79ec034cf9415940e864838a34df0bc448d040e2c3f06aafa6a2841540f5d

    SHA512

    4bad5129940fefb999a84a1e7f844e32d489a13d7c1cf60789912b1bcd0f85b6405e788eca2a2ed890f87392e359e286bbadff71fb30863b36767a8d5ddf7a4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453076.exe
    Filesize

    14KB

    MD5

    477974078f61539d33857e4e347d1c12

    SHA1

    49e77dd5813765a7eef08ecead29e3351c2a60f9

    SHA256

    ccb79ec034cf9415940e864838a34df0bc448d040e2c3f06aafa6a2841540f5d

    SHA512

    4bad5129940fefb999a84a1e7f844e32d489a13d7c1cf60789912b1bcd0f85b6405e788eca2a2ed890f87392e359e286bbadff71fb30863b36767a8d5ddf7a4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
    Filesize

    352KB

    MD5

    b6020f8f3334b099c6a6e035443e403d

    SHA1

    a66eb46e9c558951cda232e24488f5e1817eb425

    SHA256

    c44cbd79e6ebcaef0325400b059f92f45b4c420bdfe5c7e85603c1717371a87e

    SHA512

    cfae1a5e6df5b28e02944e70982b19918b33b7f7374c177095118efb14a8a50e5714201c9a49422ddbd703813d522ec49bcd555de2842d266bf48aec313c082a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku119437.exe
    Filesize

    352KB

    MD5

    b6020f8f3334b099c6a6e035443e403d

    SHA1

    a66eb46e9c558951cda232e24488f5e1817eb425

    SHA256

    c44cbd79e6ebcaef0325400b059f92f45b4c420bdfe5c7e85603c1717371a87e

    SHA512

    cfae1a5e6df5b28e02944e70982b19918b33b7f7374c177095118efb14a8a50e5714201c9a49422ddbd703813d522ec49bcd555de2842d266bf48aec313c082a

    Download Submit

  • memory/3364-135-0x0000000000C70000-0x0000000000C7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4472-141-0x0000000002200000-0x000000000224B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4472-142-0x0000000004D40000-0x0000000004D86000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4472-143-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-144-0x0000000004EB0000-0x00000000053AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4472-145-0x0000000004DC0000-0x0000000004E04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4472-146-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-153-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-151-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-163-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-161-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-167-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-173-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-181-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-189-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-201-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-209-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-207-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-205-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-203-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-199-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-197-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-195-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-193-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-191-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-187-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-185-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-183-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-179-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-177-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-175-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-171-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-169-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-165-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-159-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-157-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-155-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-149-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-147-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4472-1052-0x00000000053B0000-0x00000000059B6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4472-1053-0x00000000059C0000-0x0000000005ACA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4472-1054-0x0000000005AF0000-0x0000000005B02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4472-1055-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-1056-0x0000000005B10000-0x0000000005B4E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4472-1057-0x0000000005C60000-0x0000000005CAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4472-1059-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-1060-0x0000000005DF0000-0x0000000005E82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4472-1061-0x0000000005E90000-0x0000000005EF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4472-1062-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-1063-0x00000000067E0000-0x0000000006856000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4472-1064-0x0000000006860000-0x00000000068B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4472-1065-0x00000000068D0000-0x0000000006A92000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4472-1067-0x0000000006AA0000-0x0000000006FCC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4492-1073-0x0000000000B40000-0x0000000000B72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4492-1074-0x0000000005450000-0x000000000549B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4492-1075-0x00000000054D0000-0x00000000054E0000-memory.dmp

    Filesize

    64KB

    Download