Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c822a6e25de82cddd30fd3cb0b8d151cf0d0575410a2489c0008f717e9064593.exe

  • Size

    522KB

  • MD5

    394a0a07c50a7ccba77bebb57895f6b7

  • SHA1

    fdbd3069d3201f53c3da338d704a0924bf0c60c2

  • SHA256

    c822a6e25de82cddd30fd3cb0b8d151cf0d0575410a2489c0008f717e9064593

  • SHA512

    35175fadf7c038ea276d7c431eb257620370b8376797b8181bccb888815359a0be69628654a24e8366b451642246fb834a35c9bdc0815bff8fc4a5bb1f8d38c5

  • SSDEEP

    12288:JMrry90puFQwjoy6TLlpqAIjbeql6u2txeZ:ayVQuoyehIjzsuaQZ

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c822a6e25de82cddd30fd3cb0b8d151cf0d0575410a2489c0008f717e9064593.exe
    "C:\Users\Admin\AppData\Local\Temp\c822a6e25de82cddd30fd3cb0b8d151cf0d0575410a2489c0008f717e9064593.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQn4566.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQn4566.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129791.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129791.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku930139.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku930139.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1528
          4⤵
          • Program crash
          PID:2876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr295173.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr295173.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4108 -ip 4108
    1⤵
      PID:1904

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr295173.exe
      Filesize

      175KB

      MD5

      121b92617462c469186747ad10d8d81a

      SHA1

      e78046245a9588deaffb8b740a3e80b83b279c18

      SHA256

      3fe4ddb7b3bfc1414cb1a1e82c63240cda4cb9ccb98d243140ec94edec521137

      SHA512

      d960d69583265823cd16c41c976b187df6d13aef49bdad567b4dd392c4519f8df6ab147d88428e89e5aaf0ee8e083213bfac76820de8dcd963b65c00d2c7051e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr295173.exe
      Filesize

      175KB

      MD5

      121b92617462c469186747ad10d8d81a

      SHA1

      e78046245a9588deaffb8b740a3e80b83b279c18

      SHA256

      3fe4ddb7b3bfc1414cb1a1e82c63240cda4cb9ccb98d243140ec94edec521137

      SHA512

      d960d69583265823cd16c41c976b187df6d13aef49bdad567b4dd392c4519f8df6ab147d88428e89e5aaf0ee8e083213bfac76820de8dcd963b65c00d2c7051e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQn4566.exe
      Filesize

      379KB

      MD5

      23a56ff39b373263a484103c453b7142

      SHA1

      f2faa63d4532a06e64c542456caa8a36a0ae4054

      SHA256

      c8057623586a8533abf105f81ef66dd90c4acd7c9974038baf308a107dbdb751

      SHA512

      544557d7d46d03a4701f761116cf6a9feff87255ecbaa56f98e6a50e164760babf9472429c526be6e91ca1e144bd3aa98267c8b32a36504c00dcc96f4c97730e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQn4566.exe
      Filesize

      379KB

      MD5

      23a56ff39b373263a484103c453b7142

      SHA1

      f2faa63d4532a06e64c542456caa8a36a0ae4054

      SHA256

      c8057623586a8533abf105f81ef66dd90c4acd7c9974038baf308a107dbdb751

      SHA512

      544557d7d46d03a4701f761116cf6a9feff87255ecbaa56f98e6a50e164760babf9472429c526be6e91ca1e144bd3aa98267c8b32a36504c00dcc96f4c97730e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129791.exe
      Filesize

      11KB

      MD5

      8a218172360fc67288ee893727ba20c0

      SHA1

      f5c67ef1f36664bf9ffd895110b3533a7475f7a1

      SHA256

      b68c7f3c88249ba27bdba10392426e28705a9217d48970dddc384cad684c766c

      SHA512

      9acb449a84e08477b3652ec54e6f708c89455d45c41795de78232de238d0b25d08dbb281f273e2e1f3191f4408cb700de883fec9105adbce7b60e163f841a05b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129791.exe
      Filesize

      11KB

      MD5

      8a218172360fc67288ee893727ba20c0

      SHA1

      f5c67ef1f36664bf9ffd895110b3533a7475f7a1

      SHA256

      b68c7f3c88249ba27bdba10392426e28705a9217d48970dddc384cad684c766c

      SHA512

      9acb449a84e08477b3652ec54e6f708c89455d45c41795de78232de238d0b25d08dbb281f273e2e1f3191f4408cb700de883fec9105adbce7b60e163f841a05b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku930139.exe
      Filesize

      294KB

      MD5

      67f86af5cddfe28a488fb021c84eb642

      SHA1

      764ed39386cc962dfd880be17a9af2df6d6e7617

      SHA256

      9924a7cff465efe21783ccce2d2c6875c52ff7c19a1fb2669c1d6e0cea3ee048

      SHA512

      05b09117c1453bb128491dcaef4a388e7c58380ed75cc6d1654e211f343f5d0ccf5f09fd71f553ed20649d6a7a88a932519c73b966ae3d2589fdc566f4141acf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku930139.exe
      Filesize

      294KB

      MD5

      67f86af5cddfe28a488fb021c84eb642

      SHA1

      764ed39386cc962dfd880be17a9af2df6d6e7617

      SHA256

      9924a7cff465efe21783ccce2d2c6875c52ff7c19a1fb2669c1d6e0cea3ee048

      SHA512

      05b09117c1453bb128491dcaef4a388e7c58380ed75cc6d1654e211f343f5d0ccf5f09fd71f553ed20649d6a7a88a932519c73b966ae3d2589fdc566f4141acf

      Download Submit
    • memory/3004-1085-0x0000000000110000-0x0000000000142000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3004-1086-0x0000000004C90000-0x0000000004CA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-1087-0x0000000004C90000-0x0000000004CA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3468-147-0x00000000004D0000-0x00000000004DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4108-189-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-203-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-156-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-158-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-160-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-162-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-164-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-166-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-168-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-170-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-172-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-175-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-176-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-174-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-178-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-179-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-181-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-183-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-185-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-187-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-154-0x0000000004A90000-0x0000000005034000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4108-191-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-193-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-195-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-197-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-199-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-201-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-155-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-205-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-207-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-209-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-211-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-213-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-215-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-217-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-219-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-221-0x0000000005080000-0x00000000050BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4108-1064-0x00000000050C0000-0x00000000056D8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4108-1065-0x0000000005760000-0x000000000586A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4108-1066-0x00000000058A0000-0x00000000058B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4108-1067-0x00000000058C0000-0x00000000058FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4108-1068-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-1070-0x0000000005BB0000-0x0000000005C42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4108-1071-0x0000000005C50000-0x0000000005CB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4108-1072-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-1073-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-1074-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-1075-0x0000000006470000-0x00000000064E6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4108-153-0x0000000000850000-0x000000000089B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4108-1076-0x00000000064F0000-0x0000000006540000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4108-1077-0x0000000002440000-0x0000000002450000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4108-1078-0x00000000066A0000-0x0000000006862000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4108-1079-0x0000000006880000-0x0000000006DAC000-memory.dmp
      Filesize

      5.2MB

      Download