Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10700dbab751e8b6b5356ac6cd123861b097fbb78024b0eace606e90bf59dc1d.exe

  • Size

    521KB

  • MD5

    44ad8eec8ddc15462e92a623367e2dee

  • SHA1

    fbed49512d7d50100ab90ea5629314a515843b6c

  • SHA256

    10700dbab751e8b6b5356ac6cd123861b097fbb78024b0eace606e90bf59dc1d

  • SHA512

    2b456aa73c798d7a9b45ac0313e9e75f7bdb54b08340da96d4a7d4862bdb8554e50d91938daa0b69050ef2c436f34e52c734d2f409230d696886c475cd6a61f0

  • SSDEEP

    12288:MMrsy90+hUcDMhAZ20oj3A+sFrLij1q6+ZhP:gyvQAZvY3tsF6pIXP

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10700dbab751e8b6b5356ac6cd123861b097fbb78024b0eace606e90bf59dc1d.exe
    "C:\Users\Admin\AppData\Local\Temp\10700dbab751e8b6b5356ac6cd123861b097fbb78024b0eace606e90bf59dc1d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOp1748.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOp1748.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr595616.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr595616.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku971327.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku971327.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1856
          4⤵
          • Program crash
          PID:1064
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355565.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355565.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 4488
    1⤵
      PID:2232

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355565.exe
      Filesize

      175KB

      MD5

      bb6d43fa4ebafe62b98ec4dea4ff49d9

      SHA1

      d8188e664ac977f59d3ec26589e3cf67b1fab23b

      SHA256

      1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

      SHA512

      679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355565.exe
      Filesize

      175KB

      MD5

      bb6d43fa4ebafe62b98ec4dea4ff49d9

      SHA1

      d8188e664ac977f59d3ec26589e3cf67b1fab23b

      SHA256

      1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

      SHA512

      679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOp1748.exe
      Filesize

      379KB

      MD5

      623cb7a88c21e6a4070f7ff36848f8d7

      SHA1

      bab57fe748bdba58346428fe3c90e8c41cc244e1

      SHA256

      23169b71a45a61be1e0eaaa1511f160f52a300f6f42fc315fc53971cbab9d4de

      SHA512

      03fc2ce0d05b14c3ad3631c3a2a8ef12f0045c351a8ca9606893361f9d6ff18fc5bd7fd842549055840828e70781290232d3dd6e2b0beb7259dedcf6aabc842c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOp1748.exe
      Filesize

      379KB

      MD5

      623cb7a88c21e6a4070f7ff36848f8d7

      SHA1

      bab57fe748bdba58346428fe3c90e8c41cc244e1

      SHA256

      23169b71a45a61be1e0eaaa1511f160f52a300f6f42fc315fc53971cbab9d4de

      SHA512

      03fc2ce0d05b14c3ad3631c3a2a8ef12f0045c351a8ca9606893361f9d6ff18fc5bd7fd842549055840828e70781290232d3dd6e2b0beb7259dedcf6aabc842c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr595616.exe
      Filesize

      15KB

      MD5

      5d350daf879a6183266924ff5b22d1a7

      SHA1

      78614be3980eaff090bcd4d3dcc95b6a4d95eb2a

      SHA256

      d185992f02f19bd0ce3f92560cccc0ab7bc36a8a34c420c8a4bcdbb20a66a8ad

      SHA512

      e148b3006d42e3459c101db7d75e727d1bf9a785ac8511e5a63e6fe28ad0fe881c59cb74817503d2f6f604657a2271f3d784b406d84e3df46f75c65c7f501e6d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr595616.exe
      Filesize

      15KB

      MD5

      5d350daf879a6183266924ff5b22d1a7

      SHA1

      78614be3980eaff090bcd4d3dcc95b6a4d95eb2a

      SHA256

      d185992f02f19bd0ce3f92560cccc0ab7bc36a8a34c420c8a4bcdbb20a66a8ad

      SHA512

      e148b3006d42e3459c101db7d75e727d1bf9a785ac8511e5a63e6fe28ad0fe881c59cb74817503d2f6f604657a2271f3d784b406d84e3df46f75c65c7f501e6d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku971327.exe
      Filesize

      295KB

      MD5

      da8664fd5e5c19603edeb583f7c9647d

      SHA1

      ce6030ae6a22166860f79489c04ef6e6c0ff8f0c

      SHA256

      83c031add51e17a94ad20e581eafc31c7d684598e378987e78f6616e36de9678

      SHA512

      53d858aeed740513ea535f6ba1d9c0582a4b62045e92076fcf09e731fa1c76ac385930367192b078a56f66907555d0b9656773078dc65a913f06059ea5b806eb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku971327.exe
      Filesize

      295KB

      MD5

      da8664fd5e5c19603edeb583f7c9647d

      SHA1

      ce6030ae6a22166860f79489c04ef6e6c0ff8f0c

      SHA256

      83c031add51e17a94ad20e581eafc31c7d684598e378987e78f6616e36de9678

      SHA512

      53d858aeed740513ea535f6ba1d9c0582a4b62045e92076fcf09e731fa1c76ac385930367192b078a56f66907555d0b9656773078dc65a913f06059ea5b806eb

      Download Submit
    • memory/3872-147-0x0000000000300000-0x000000000030A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4152-1083-0x0000000000FE0000-0x0000000001012000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4152-1084-0x0000000005870000-0x0000000005880000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-188-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-200-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-158-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-156-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-162-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-161-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-159-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-164-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-166-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-168-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-170-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-172-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-174-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-176-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-178-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-180-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-182-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-184-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-186-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-154-0x0000000004BB0000-0x0000000005154000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4488-190-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-192-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-194-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-196-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-198-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-155-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-202-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-204-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-206-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-208-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-212-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-214-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-210-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-216-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-218-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-220-0x0000000002580000-0x00000000025BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4488-1063-0x0000000005160000-0x0000000005778000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4488-1064-0x0000000005780000-0x000000000588A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4488-1065-0x00000000058A0000-0x00000000058B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4488-1066-0x00000000058C0000-0x00000000058FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4488-1067-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-1069-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-1070-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-1071-0x0000000005BB0000-0x0000000005C42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4488-1072-0x0000000005C50000-0x0000000005CB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4488-1073-0x0000000006370000-0x0000000006532000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4488-1074-0x0000000006550000-0x0000000006A7C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4488-153-0x0000000000610000-0x000000000065B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4488-1075-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4488-1076-0x0000000004620000-0x0000000004696000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4488-1077-0x0000000007F80000-0x0000000007FD0000-memory.dmp
      Filesize

      320KB

      Download