Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c581efc1f6da0e948c0d8e0de66c0eb9ffbf68fd539b92e8ce209096bef4eb69.exe

  • Size

    522KB

  • MD5

    31a1ee1cab9bf1c1eb59e6037b82ac3c

  • SHA1

    c2d425801ce4a579752db058f92d52284f6e7a9f

  • SHA256

    c581efc1f6da0e948c0d8e0de66c0eb9ffbf68fd539b92e8ce209096bef4eb69

  • SHA512

    a970333c38f333268c480ad6f1897b776047fd958ee47c0de7f32a8a845d06ee4702032feafdcb85ae8fc5f08e4b1cef508fff9d93ffc64c0d37147c3985780f

  • SSDEEP

    12288:1Mriy90lXc+tQNsTzKyvKib4vl6IAWPYv53mA:3yicYNKiMsI6h/

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c581efc1f6da0e948c0d8e0de66c0eb9ffbf68fd539b92e8ce209096bef4eb69.exe
    "C:\Users\Admin\AppData\Local\Temp\c581efc1f6da0e948c0d8e0de66c0eb9ffbf68fd539b92e8ce209096bef4eb69.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieq1714.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieq1714.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr488774.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr488774.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku026854.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku026854.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr632927.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr632927.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr632927.exe
    Filesize

    175KB

    MD5

    7ea7f60a19b79bc51d026f76efa80ce4

    SHA1

    c18290661be3d25a9b2ec86ce7d62626d02f14e2

    SHA256

    fda21817b7eb1d85401ca7e750b80141c908c0c5967021ac364c01ed5b2976ee

    SHA512

    9e382d39538f2812e25fa722e1a701c64e3d717c02fdb51d42cf12a3247ffc8dad8c84819cf60cb3b67729499af4204e2ecd2d54e4b91841e8da9228f7b335ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr632927.exe
    Filesize

    175KB

    MD5

    7ea7f60a19b79bc51d026f76efa80ce4

    SHA1

    c18290661be3d25a9b2ec86ce7d62626d02f14e2

    SHA256

    fda21817b7eb1d85401ca7e750b80141c908c0c5967021ac364c01ed5b2976ee

    SHA512

    9e382d39538f2812e25fa722e1a701c64e3d717c02fdb51d42cf12a3247ffc8dad8c84819cf60cb3b67729499af4204e2ecd2d54e4b91841e8da9228f7b335ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieq1714.exe
    Filesize

    379KB

    MD5

    f5bdcf71d160518833ae1712191bdb67

    SHA1

    fb6147f49f6c743deb80f78e29923e58258c4216

    SHA256

    12540d2edcd78e7a57e31081dbee5f607bf42571176c14082ef0b61ee20a19d9

    SHA512

    651bd12d827dd69e9196909251121b07da92bf44e0d3fb1d98df021f89ae856ab9e6c9b603b27697ced27fd2dac15038aaa949f4f2370c9e2d9245d4c7ae1161

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieq1714.exe
    Filesize

    379KB

    MD5

    f5bdcf71d160518833ae1712191bdb67

    SHA1

    fb6147f49f6c743deb80f78e29923e58258c4216

    SHA256

    12540d2edcd78e7a57e31081dbee5f607bf42571176c14082ef0b61ee20a19d9

    SHA512

    651bd12d827dd69e9196909251121b07da92bf44e0d3fb1d98df021f89ae856ab9e6c9b603b27697ced27fd2dac15038aaa949f4f2370c9e2d9245d4c7ae1161

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr488774.exe
    Filesize

    11KB

    MD5

    3980b618ff21d8baeeadddebb90911c3

    SHA1

    6d8715ba96900b25420b079bee6dad97c05b655c

    SHA256

    e56621e7053a7d7ae74116a68fd38f6577c86f9dd1e74933c05c47d70ac802a8

    SHA512

    e4a2b6aa79a1a856bbe0b87707e1cae03a23c3a8b389fa58a4e28a7af889a776cfe52e34db5aac33dc81160c66bae9296ecdb66d30aa885200c3c5768fe36d99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr488774.exe
    Filesize

    11KB

    MD5

    3980b618ff21d8baeeadddebb90911c3

    SHA1

    6d8715ba96900b25420b079bee6dad97c05b655c

    SHA256

    e56621e7053a7d7ae74116a68fd38f6577c86f9dd1e74933c05c47d70ac802a8

    SHA512

    e4a2b6aa79a1a856bbe0b87707e1cae03a23c3a8b389fa58a4e28a7af889a776cfe52e34db5aac33dc81160c66bae9296ecdb66d30aa885200c3c5768fe36d99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku026854.exe
    Filesize

    294KB

    MD5

    7f8a3951bc8301931b50f587c602c8b8

    SHA1

    eb3b5ea515fbd2e57047404cd14b7d21c5d69f87

    SHA256

    a26716fec9df7807bac477d3fc330049c29aee079a42d81c662fe9fc0c894c30

    SHA512

    a42cb452c30c4ece5e0173ee2e6783915b84b384bb295f6b43f5e2b176ba4b9e1677a1ee82e6fae9b1a6311a3503bce80952409eec895d662ffc892be49de3f3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku026854.exe
    Filesize

    294KB

    MD5

    7f8a3951bc8301931b50f587c602c8b8

    SHA1

    eb3b5ea515fbd2e57047404cd14b7d21c5d69f87

    SHA256

    a26716fec9df7807bac477d3fc330049c29aee079a42d81c662fe9fc0c894c30

    SHA512

    a42cb452c30c4ece5e0173ee2e6783915b84b384bb295f6b43f5e2b176ba4b9e1677a1ee82e6fae9b1a6311a3503bce80952409eec895d662ffc892be49de3f3

    Download Submit
  • memory/2396-135-0x00000000004C0000-0x00000000004CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3236-141-0x0000000001EB0000-0x0000000001EFB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3236-142-0x0000000002060000-0x00000000020A6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3236-143-0x0000000004B20000-0x000000000501E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3236-144-0x0000000004A50000-0x0000000004A94000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3236-145-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-146-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-148-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-150-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-153-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-156-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-152-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-155-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-157-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-159-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-161-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-163-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-165-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-167-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-169-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-171-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-173-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-175-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-177-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-179-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-181-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-183-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-185-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-187-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-189-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-191-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-193-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-195-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-197-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-199-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-201-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-203-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-205-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-207-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-209-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-211-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3236-1054-0x0000000005630000-0x0000000005C36000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3236-1055-0x0000000005050000-0x000000000515A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3236-1056-0x0000000005190000-0x00000000051A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3236-1057-0x00000000051B0000-0x00000000051EE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3236-1058-0x0000000005300000-0x000000000534B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3236-1059-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-1061-0x0000000005490000-0x0000000005522000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3236-1062-0x0000000005530000-0x0000000005596000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3236-1063-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-1064-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-1065-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-1066-0x0000000006340000-0x0000000006502000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3236-1067-0x0000000006520000-0x0000000006A4C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3236-1068-0x0000000004B10000-0x0000000004B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3236-1069-0x0000000007E50000-0x0000000007EC6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3236-1070-0x0000000007ED0000-0x0000000007F20000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4852-1076-0x0000000000B50000-0x0000000000B82000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4852-1077-0x0000000005590000-0x00000000055DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4852-1078-0x00000000053A0000-0x00000000053B0000-memory.dmp
    Filesize

    64KB

    Download