Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e75ffd8413836527845c06202713356c8f9c6ae1b21aea3e8f8806cba6435a75.exe

  • Size

    522KB

  • MD5

    3a64990d749114d9363810375ba63b4a

  • SHA1

    41fb719d82365ddeab6836d5d8eab153d24bd7bd

  • SHA256

    e75ffd8413836527845c06202713356c8f9c6ae1b21aea3e8f8806cba6435a75

  • SHA512

    c4c5cb98ab4362d89bae392294ef5ab320ed91bcc1992d0e0540302dbce9edefe3f7061d3e444edf4d00a38a318c0c26639e95f2bdcc290a909be5c862b72e56

  • SSDEEP

    12288:BMroy90od6Q8Az8rq0Jz9utn324QLRMIHUtTKd/pUnH:ZyJoQX8vOtn324QL+LFKpK

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e75ffd8413836527845c06202713356c8f9c6ae1b21aea3e8f8806cba6435a75.exe
    "C:\Users\Admin\AppData\Local\Temp\e75ffd8413836527845c06202713356c8f9c6ae1b21aea3e8f8806cba6435a75.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd3928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd3928.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr527997.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr527997.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku311044.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku311044.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 2012
          4⤵
          • Program crash
          PID:4480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr126613.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr126613.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2596 -ip 2596
    1⤵
      PID:1440

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr126613.exe
      Filesize

      176KB

      MD5

      9f46b7ff77ba94347cc27efd5177a3e8

      SHA1

      3334d4d82a0294744a1c7968723155f3207bfaa7

      SHA256

      63caf04d7e6854b803b9f6b47f2843472634c0cc488f0ba99826537fb95939a0

      SHA512

      9fec70b32609b19b3da4ab24fd775412a3afed540aa909db7f56384a909fe070e6d28408ad59ae258d224be8fc152322f3f694be94ed4648a7debb646c72de97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr126613.exe
      Filesize

      176KB

      MD5

      9f46b7ff77ba94347cc27efd5177a3e8

      SHA1

      3334d4d82a0294744a1c7968723155f3207bfaa7

      SHA256

      63caf04d7e6854b803b9f6b47f2843472634c0cc488f0ba99826537fb95939a0

      SHA512

      9fec70b32609b19b3da4ab24fd775412a3afed540aa909db7f56384a909fe070e6d28408ad59ae258d224be8fc152322f3f694be94ed4648a7debb646c72de97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd3928.exe
      Filesize

      380KB

      MD5

      5865adea70503da38aa3f1f3b14238ea

      SHA1

      7a34dcdf8c63a12a7e14f06812eb876113620edd

      SHA256

      a05cc348a9aa904bf0bb28b91c35b001575b9ed59d5959f0d62274a70f02d10c

      SHA512

      46e418d07bf1ada4bc1b2cc5871da1c7258dbd8b101cef04257878ca7b33ce7ae4974da7f1116ee5202f50bbf88c8c23934b02df119d017cae5300cb6275c76a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd3928.exe
      Filesize

      380KB

      MD5

      5865adea70503da38aa3f1f3b14238ea

      SHA1

      7a34dcdf8c63a12a7e14f06812eb876113620edd

      SHA256

      a05cc348a9aa904bf0bb28b91c35b001575b9ed59d5959f0d62274a70f02d10c

      SHA512

      46e418d07bf1ada4bc1b2cc5871da1c7258dbd8b101cef04257878ca7b33ce7ae4974da7f1116ee5202f50bbf88c8c23934b02df119d017cae5300cb6275c76a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr527997.exe
      Filesize

      14KB

      MD5

      a541e5bc810bd5dd2a93edf97f08d4d2

      SHA1

      42bdfb09207009ebf7bf2d4cc5e15c51035dc001

      SHA256

      80920071ae1e89a5f14035fb691adb5a5a0baae8d234901687eb31f8cc5c4846

      SHA512

      23a4ab8a71fe0824adcc3f8ba4b28a8b0382095834fe5c909037ffca46822ac574735e79ff4023772f6951931db7bdf92076238b5115e802931fd997025be9f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr527997.exe
      Filesize

      14KB

      MD5

      a541e5bc810bd5dd2a93edf97f08d4d2

      SHA1

      42bdfb09207009ebf7bf2d4cc5e15c51035dc001

      SHA256

      80920071ae1e89a5f14035fb691adb5a5a0baae8d234901687eb31f8cc5c4846

      SHA512

      23a4ab8a71fe0824adcc3f8ba4b28a8b0382095834fe5c909037ffca46822ac574735e79ff4023772f6951931db7bdf92076238b5115e802931fd997025be9f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku311044.exe
      Filesize

      295KB

      MD5

      975708c5bbcf818b58220bdeb84491a1

      SHA1

      b117b027470e9528887f49a84a088486af30dfd9

      SHA256

      434622e305d19b629d4668644f824260cc95953dece9b5869c432aba78c3fbde

      SHA512

      bd6e48a6f4883fdfeae4904dce6fe5657953f6de52121c81bbb3d39133e36d73b80e72100c1ff8e546295e614f5eab45994a7e341e8bcbac7f22a7b26fc7593d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku311044.exe
      Filesize

      295KB

      MD5

      975708c5bbcf818b58220bdeb84491a1

      SHA1

      b117b027470e9528887f49a84a088486af30dfd9

      SHA256

      434622e305d19b629d4668644f824260cc95953dece9b5869c432aba78c3fbde

      SHA512

      bd6e48a6f4883fdfeae4904dce6fe5657953f6de52121c81bbb3d39133e36d73b80e72100c1ff8e546295e614f5eab45994a7e341e8bcbac7f22a7b26fc7593d

      Download Submit

    • memory/2596-153-0x0000000004C40000-0x00000000051E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2596-154-0x0000000001FE0000-0x000000000202B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2596-155-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-156-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-157-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-158-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-159-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-161-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-163-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-165-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-167-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-169-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-171-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-173-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-175-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-177-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-179-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-181-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-183-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-185-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-187-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-189-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-191-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-193-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-195-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-197-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-199-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-201-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-203-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-205-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-207-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-209-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-211-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-213-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-215-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-217-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-219-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-221-0x00000000025A0000-0x00000000025DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2596-1064-0x00000000051F0000-0x0000000005808000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2596-1065-0x0000000005810000-0x000000000591A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2596-1066-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2596-1067-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2596-1068-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-1070-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-1071-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-1072-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-1073-0x0000000005BB0000-0x0000000005C42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2596-1074-0x0000000005C50000-0x0000000005CB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2596-1075-0x0000000007860000-0x00000000078D6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2596-1076-0x00000000078F0000-0x0000000007940000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2596-1077-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2596-1078-0x0000000007980000-0x0000000007B42000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2596-1079-0x0000000007D50000-0x000000000827C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4064-147-0x0000000000D90000-0x0000000000D9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4760-1086-0x0000000000F90000-0x0000000000FC2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4760-1087-0x0000000005B10000-0x0000000005B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4760-1088-0x0000000005B10000-0x0000000005B20000-memory.dmp

      Filesize

      64KB

      Download