Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    78s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf4eae81ef22d5675b7f20b2d0c7d02ac6d8cbceba53949db18a9ddbbf15615a.exe

  • Size

    522KB

  • MD5

    b0c31c877982c496f1147680c0c2af59

  • SHA1

    d583510258a4f6b2cab4ae5caa31a19e8e1e8d3b

  • SHA256

    cf4eae81ef22d5675b7f20b2d0c7d02ac6d8cbceba53949db18a9ddbbf15615a

  • SHA512

    2e2c18b7403d6b65052a93073c5377d85fae3d35cc56a8aae5ee444a5e0be18b7801619d58a08d2ead4b844721c8fd64d542157eda731a16684256fc47920e48

  • SSDEEP

    12288:7Mr/y90pE0JsE9z0CZv32d3SmxDZGsK97bUfC:oy2qE9zp32d3ScF09UfC

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf4eae81ef22d5675b7f20b2d0c7d02ac6d8cbceba53949db18a9ddbbf15615a.exe
    "C:\Users\Admin\AppData\Local\Temp\cf4eae81ef22d5675b7f20b2d0c7d02ac6d8cbceba53949db18a9ddbbf15615a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaE9096.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaE9096.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr470833.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr470833.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732208.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732208.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr102910.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr102910.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr102910.exe
    Filesize

    177KB

    MD5

    8d3e32189eb59a7aff646209b963d036

    SHA1

    1528a0258e5900158863ec30d9bc923c713d9063

    SHA256

    ea34bb0fc0e7c8c57007d0f232574470b6dda526a81687e09d1bac153ae21934

    SHA512

    c07fd5525ec3edb0a225307387208cbefd2cc2ed5cbffbb42dcb5d1cbe5a09e3d0c57c0fbd572ec79125d81fd7a1701dd5f831f739ee567b0103dc9d1360fb11

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr102910.exe
    Filesize

    177KB

    MD5

    8d3e32189eb59a7aff646209b963d036

    SHA1

    1528a0258e5900158863ec30d9bc923c713d9063

    SHA256

    ea34bb0fc0e7c8c57007d0f232574470b6dda526a81687e09d1bac153ae21934

    SHA512

    c07fd5525ec3edb0a225307387208cbefd2cc2ed5cbffbb42dcb5d1cbe5a09e3d0c57c0fbd572ec79125d81fd7a1701dd5f831f739ee567b0103dc9d1360fb11

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaE9096.exe
    Filesize

    380KB

    MD5

    509f2536d6070cd16d0c7fa6a03ede52

    SHA1

    6ac0c66646a02efc7569bf8d0427ef7f91fb78ba

    SHA256

    227377cbffa2f1eb676dd8d6318bca6550e8106eead5c307054c112fa8289d35

    SHA512

    3b95566ce1da27b00e295593a92c2aa7680924aeacf1db956817366d91f1e97e69a4a6dfdf840c244f009792a7f8d5b9b6c67752972e77eaf9af28266d40e1cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaE9096.exe
    Filesize

    380KB

    MD5

    509f2536d6070cd16d0c7fa6a03ede52

    SHA1

    6ac0c66646a02efc7569bf8d0427ef7f91fb78ba

    SHA256

    227377cbffa2f1eb676dd8d6318bca6550e8106eead5c307054c112fa8289d35

    SHA512

    3b95566ce1da27b00e295593a92c2aa7680924aeacf1db956817366d91f1e97e69a4a6dfdf840c244f009792a7f8d5b9b6c67752972e77eaf9af28266d40e1cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr470833.exe
    Filesize

    14KB

    MD5

    dde1aca108730bccac6bda826e34245c

    SHA1

    43bffb11d8eb52d876a144a9917ecf22f3c43dc3

    SHA256

    fc2affa3d854859a21cb532f4963433ad3052861ce86a434063b10bc8973b83a

    SHA512

    5e0ee2de38b64362585a41f8fcd3b9557913723bf8242a4760f447d0a654512e03cebc12250915a4033431a088e9133a7d8ce8076f04be60faf818790919799f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr470833.exe
    Filesize

    14KB

    MD5

    dde1aca108730bccac6bda826e34245c

    SHA1

    43bffb11d8eb52d876a144a9917ecf22f3c43dc3

    SHA256

    fc2affa3d854859a21cb532f4963433ad3052861ce86a434063b10bc8973b83a

    SHA512

    5e0ee2de38b64362585a41f8fcd3b9557913723bf8242a4760f447d0a654512e03cebc12250915a4033431a088e9133a7d8ce8076f04be60faf818790919799f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732208.exe
    Filesize

    295KB

    MD5

    3c1780313742c849f7fa28992f432a8a

    SHA1

    d88456f00fde9dd012a1d48a7da6379056f12f5f

    SHA256

    865d9c13088e37a369bcb5cb63c98814dd3159e7e80b76268739b899aaacc7de

    SHA512

    40307ce6f79d8c1b5d75a33dfa13f12fc8f09aa581a4514bb6ffc118952f32c3add9d4601f1c66ea83c158f77e6c423124cef1145f7ebbc5baf6382e1cbbb9c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku732208.exe
    Filesize

    295KB

    MD5

    3c1780313742c849f7fa28992f432a8a

    SHA1

    d88456f00fde9dd012a1d48a7da6379056f12f5f

    SHA256

    865d9c13088e37a369bcb5cb63c98814dd3159e7e80b76268739b899aaacc7de

    SHA512

    40307ce6f79d8c1b5d75a33dfa13f12fc8f09aa581a4514bb6ffc118952f32c3add9d4601f1c66ea83c158f77e6c423124cef1145f7ebbc5baf6382e1cbbb9c4

    Download Submit

  • memory/2480-1073-0x00000000001D0000-0x0000000000202000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2480-1074-0x0000000004C10000-0x0000000004C5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2480-1076-0x0000000004D40000-0x0000000004D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2480-1075-0x0000000004D40000-0x0000000004D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3728-134-0x0000000000540000-0x000000000054A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4148-175-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-191-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-144-0x00000000049D0000-0x00000000049E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-145-0x00000000049D0000-0x00000000049E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-146-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-147-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-149-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-151-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-153-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-155-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-157-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-159-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-161-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-163-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-165-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-167-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-169-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-171-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-173-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-143-0x0000000004F30000-0x0000000004F74000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4148-177-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-179-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-181-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-183-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-185-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-187-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-189-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-142-0x00000000005D0000-0x000000000061B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4148-193-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-195-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-197-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-199-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-201-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-203-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-205-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-207-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-209-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4148-1052-0x00000000055E0000-0x0000000005BE6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4148-1053-0x0000000005050000-0x000000000515A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4148-1054-0x0000000005190000-0x00000000051A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4148-1055-0x00000000051B0000-0x00000000051EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4148-1056-0x0000000005300000-0x000000000534B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4148-1057-0x00000000049D0000-0x00000000049E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-1059-0x0000000005490000-0x00000000054F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4148-1060-0x0000000006160000-0x00000000061F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4148-1061-0x0000000006200000-0x0000000006276000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4148-1062-0x00000000062A0000-0x00000000062F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4148-1063-0x00000000049D0000-0x00000000049E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-141-0x00000000049E0000-0x0000000004EDE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4148-140-0x0000000004990000-0x00000000049D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4148-1064-0x00000000049D0000-0x00000000049E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-1065-0x0000000006320000-0x00000000064E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4148-1066-0x0000000006510000-0x0000000006A3C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4148-1067-0x00000000049D0000-0x00000000049E0000-memory.dmp

    Filesize

    64KB

    Download