Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe

  • Size

    522KB

  • MD5

    77248a524cf9dd110b98d67355e31092

  • SHA1

    ca334a3fef0e0620bad180f4a867d899fc419708

  • SHA256

    9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90

  • SHA512

    024c494fb59459fdfc38bef5d50fbc5d42b9ea44579dee908c1441f8c5ce9c8fe706fea1a80c80cd890bbb0c3e83d1b251501d1b7e92b720dd3feb8b40c66ef7

  • SSDEEP

    12288:jMr1y90o3/VqRY/bOs4p4Zpv32Nsmu5HZLEnAUCF9I:CyjoaUp4Zpv32Ns7ZLE4rI

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe
    "C:\Users\Admin\AppData\Local\Temp\9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqP5343.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqP5343.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365683.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365683.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4164
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku587873.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku587873.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4236
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1924
          4⤵
          • Program crash
          PID:3764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr005799.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr005799.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4236 -ip 4236
    1⤵
      PID:2664

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr005799.exe
      Filesize

      177KB

      MD5

      be3bdd8b81ff7a56987a01439d3b273f

      SHA1

      0e848d19fc798009a2a71bed43264e731a891057

      SHA256

      b052aec3cf7b944784d8818ed3ac3b252f3ddb00f03229808a82d3dc00c86b4a

      SHA512

      7fed91cd5134161407403e6eb43c73468e34b93c1ecf03edbbab7a2dd39db11fde9ddf15b4a05b388fb5ad70581cced444d3b54d32df76125a64e8c86a74b84c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr005799.exe
      Filesize

      177KB

      MD5

      be3bdd8b81ff7a56987a01439d3b273f

      SHA1

      0e848d19fc798009a2a71bed43264e731a891057

      SHA256

      b052aec3cf7b944784d8818ed3ac3b252f3ddb00f03229808a82d3dc00c86b4a

      SHA512

      7fed91cd5134161407403e6eb43c73468e34b93c1ecf03edbbab7a2dd39db11fde9ddf15b4a05b388fb5ad70581cced444d3b54d32df76125a64e8c86a74b84c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqP5343.exe
      Filesize

      380KB

      MD5

      32d42ccb716e94e36b932e9ef596a7a2

      SHA1

      27dbaae89d2bb2b5d240f6ce8053f0b5aaa14384

      SHA256

      084399034bb73b14056fe6c8accb7294a29a68f45b50aa43f22489aa12db4c52

      SHA512

      c939d468e87cd8de4cbfdc6d67379b879869e861fc1d0f4ebe95970e96b99fd63162a60cba4917f651346dbbd250181075265ba5f59e4d44a38faaee9bb6e63c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqP5343.exe
      Filesize

      380KB

      MD5

      32d42ccb716e94e36b932e9ef596a7a2

      SHA1

      27dbaae89d2bb2b5d240f6ce8053f0b5aaa14384

      SHA256

      084399034bb73b14056fe6c8accb7294a29a68f45b50aa43f22489aa12db4c52

      SHA512

      c939d468e87cd8de4cbfdc6d67379b879869e861fc1d0f4ebe95970e96b99fd63162a60cba4917f651346dbbd250181075265ba5f59e4d44a38faaee9bb6e63c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365683.exe
      Filesize

      15KB

      MD5

      cb75544663c3ac8913d16ee778a6cd7a

      SHA1

      0285d21a42f7740adbb136676074c5413b8cd49b

      SHA256

      fb6fe21a4251be2676faf814152f2a068ba7cc7e1833827fe173dea18c96e415

      SHA512

      a22a8410d176964f017516f77b36319ca80bfc76dd8f5eaab0f207e6f836cf03b06bfa71a429e55d2fefcaa4d59d82555a71880974646a2d90ece2025416844e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365683.exe
      Filesize

      15KB

      MD5

      cb75544663c3ac8913d16ee778a6cd7a

      SHA1

      0285d21a42f7740adbb136676074c5413b8cd49b

      SHA256

      fb6fe21a4251be2676faf814152f2a068ba7cc7e1833827fe173dea18c96e415

      SHA512

      a22a8410d176964f017516f77b36319ca80bfc76dd8f5eaab0f207e6f836cf03b06bfa71a429e55d2fefcaa4d59d82555a71880974646a2d90ece2025416844e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku587873.exe
      Filesize

      295KB

      MD5

      1efac1df6f23cd70bcccc53bd8afcae3

      SHA1

      eb1c31d3e18d179f970a1e761437158411a880c2

      SHA256

      c61648fc200d7bf3f4daccdf9a4dd325a3583def217c6ba9dba3ff8d6687132e

      SHA512

      4d4d1752210467fbfeca34310ac5706d294e356e0ec56a1e66bfe4fbfeda4f492d099eff8519f053977e8a02e6fc61bce9e1cd60d035e13333c33a99100f389c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku587873.exe
      Filesize

      295KB

      MD5

      1efac1df6f23cd70bcccc53bd8afcae3

      SHA1

      eb1c31d3e18d179f970a1e761437158411a880c2

      SHA256

      c61648fc200d7bf3f4daccdf9a4dd325a3583def217c6ba9dba3ff8d6687132e

      SHA512

      4d4d1752210467fbfeca34310ac5706d294e356e0ec56a1e66bfe4fbfeda4f492d099eff8519f053977e8a02e6fc61bce9e1cd60d035e13333c33a99100f389c

      Download Submit

    • memory/4164-147-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4212-1086-0x0000000000900000-0x0000000000932000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4212-1087-0x00000000054C0000-0x00000000054D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-189-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-201-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-155-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-156-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-157-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-158-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-161-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-163-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-159-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-165-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-167-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-169-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-171-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-173-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-177-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-175-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-179-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-181-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-183-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-185-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-187-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-153-0x0000000002100000-0x000000000214B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4236-191-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-193-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-195-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-197-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-199-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-154-0x0000000004AD0000-0x0000000005074000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4236-203-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-205-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-207-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-209-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-211-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-213-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-215-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-217-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-219-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-221-0x0000000005080000-0x00000000050BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4236-1064-0x0000000005200000-0x0000000005818000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4236-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4236-1067-0x00000000059E0000-0x00000000059F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4236-1066-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-1068-0x0000000005A00000-0x0000000005A3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4236-1070-0x0000000005CF0000-0x0000000005D82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4236-1071-0x0000000005D90000-0x0000000005DF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4236-1073-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-1072-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-1074-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-1075-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4236-1076-0x00000000066F0000-0x0000000006766000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4236-1077-0x0000000006790000-0x00000000067E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4236-1078-0x00000000067F0000-0x00000000069B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4236-1079-0x00000000069C0000-0x0000000006EEC000-memory.dmp

      Filesize

      5.2MB

      Download