Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8223ef2a19067b340287e11150253ddfaa67aa809ea980be08614818e935a3e3.exe

  • Size

    521KB

  • MD5

    9113ae97a93e5910d0a99561250756b2

  • SHA1

    c7d57b36efa36d2e4a6374f05c7f55c6205528fd

  • SHA256

    8223ef2a19067b340287e11150253ddfaa67aa809ea980be08614818e935a3e3

  • SHA512

    21d94ec2c328204bf10eac9c5ec8ce3df98f3be6995ce62b0b77ad45e714d704b259a591db90982982f2180b46f7e13e57ecff542fd6c250728eccd286b04b15

  • SSDEEP

    12288:iMrGy90BvOuVTlOjWucoqsOrLi4XcvwA1YLl:MyUGETkcvsO64Xcvw7Ll

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8223ef2a19067b340287e11150253ddfaa67aa809ea980be08614818e935a3e3.exe
    "C:\Users\Admin\AppData\Local\Temp\8223ef2a19067b340287e11150253ddfaa67aa809ea980be08614818e935a3e3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEt5746.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEt5746.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr661153.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr661153.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku444930.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku444930.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1348
          4⤵
          • Program crash
          PID:1088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr070277.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr070277.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5028 -ip 5028
    1⤵
      PID:2008

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr070277.exe
      Filesize

      175KB

      MD5

      bb6d43fa4ebafe62b98ec4dea4ff49d9

      SHA1

      d8188e664ac977f59d3ec26589e3cf67b1fab23b

      SHA256

      1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

      SHA512

      679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr070277.exe
      Filesize

      175KB

      MD5

      bb6d43fa4ebafe62b98ec4dea4ff49d9

      SHA1

      d8188e664ac977f59d3ec26589e3cf67b1fab23b

      SHA256

      1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

      SHA512

      679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEt5746.exe
      Filesize

      379KB

      MD5

      e8527c3a91673ba294bbcf9d0bd08119

      SHA1

      51edf0ee993591a699e2d33a145e27f076f93ebc

      SHA256

      5278a8160fbbbcfcc4c7b6a0268d4177b19e0b343ea0066e59a8fe9aa244d796

      SHA512

      4256ed9468cf31a5a7369695565e227fe7e005ca2f25c5c65443862b11fd2f8e7da35a234674b1d4768a308c887911235304b768f2741ddc2c6ba77990a5ab85

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEt5746.exe
      Filesize

      379KB

      MD5

      e8527c3a91673ba294bbcf9d0bd08119

      SHA1

      51edf0ee993591a699e2d33a145e27f076f93ebc

      SHA256

      5278a8160fbbbcfcc4c7b6a0268d4177b19e0b343ea0066e59a8fe9aa244d796

      SHA512

      4256ed9468cf31a5a7369695565e227fe7e005ca2f25c5c65443862b11fd2f8e7da35a234674b1d4768a308c887911235304b768f2741ddc2c6ba77990a5ab85

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr661153.exe
      Filesize

      15KB

      MD5

      aeff45ba3f4b81cd57c25059e4586298

      SHA1

      1c03e4f3ee6ce617a7dd3ba254d705848cec00f0

      SHA256

      0f3f62aa2178776bd3b0a0173a6e4beeb1dd5b462373de26d3f8b07ac1f89a4d

      SHA512

      81417b4671fe6c519d98d14aead37b47bac09ab0ae57d96687b043e847357776097698f98d4cd7c1ad221a3af0e056ad0dc6d8c79bdf053c243673b3a4e044d1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr661153.exe
      Filesize

      15KB

      MD5

      aeff45ba3f4b81cd57c25059e4586298

      SHA1

      1c03e4f3ee6ce617a7dd3ba254d705848cec00f0

      SHA256

      0f3f62aa2178776bd3b0a0173a6e4beeb1dd5b462373de26d3f8b07ac1f89a4d

      SHA512

      81417b4671fe6c519d98d14aead37b47bac09ab0ae57d96687b043e847357776097698f98d4cd7c1ad221a3af0e056ad0dc6d8c79bdf053c243673b3a4e044d1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku444930.exe
      Filesize

      295KB

      MD5

      373469cddb32e48dfe23913baa5b5979

      SHA1

      5d665e56327c1d7800056f52fcfe74580e931300

      SHA256

      81a184524342d0c235760d32793a551e499e797a418c9c7e832708a1b59a5649

      SHA512

      b93bcd5d2047f78ff9512cbc2df4ed77f551ba809d93ef3acdc3d00615b166d859be8f12661b6355c36707f8d84ea3bd5f686143e48f14071a3cf19d5fb8a8d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku444930.exe
      Filesize

      295KB

      MD5

      373469cddb32e48dfe23913baa5b5979

      SHA1

      5d665e56327c1d7800056f52fcfe74580e931300

      SHA256

      81a184524342d0c235760d32793a551e499e797a418c9c7e832708a1b59a5649

      SHA512

      b93bcd5d2047f78ff9512cbc2df4ed77f551ba809d93ef3acdc3d00615b166d859be8f12661b6355c36707f8d84ea3bd5f686143e48f14071a3cf19d5fb8a8d6

      Download Submit
    • memory/1904-147-0x0000000000130000-0x000000000013A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3488-1085-0x0000000000770000-0x00000000007A2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3488-1086-0x0000000005420000-0x0000000005430000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-156-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-155-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-157-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-158-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-159-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-163-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-169-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-171-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-173-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-175-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-177-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-179-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-181-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-183-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-185-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-153-0x0000000002100000-0x000000000214B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/5028-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-193-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-195-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-197-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-199-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-154-0x0000000004B60000-0x0000000005104000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5028-203-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-205-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-209-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-211-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-215-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-217-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-221-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5028-1064-0x0000000005210000-0x0000000005828000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/5028-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/5028-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/5028-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/5028-1068-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-1070-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/5028-1071-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5028-1072-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-1073-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-1074-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-1075-0x0000000004B50000-0x0000000004B60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5028-1076-0x00000000065B0000-0x0000000006626000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5028-1077-0x0000000006640000-0x0000000006690000-memory.dmp
      Filesize

      320KB

      Download
    • memory/5028-1078-0x00000000066A0000-0x0000000006862000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/5028-1079-0x0000000006880000-0x0000000006DAC000-memory.dmp
      Filesize

      5.2MB

      Download