Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f1d1c4ae6060f14a9f5fb938efdaab86c38007d56259983acdd3873b51348fa.exe

  • Size

    521KB

  • MD5

    43c20c897dd2ea192547db181929824e

  • SHA1

    16de98bbb4ee24971bcb705d784058a25e7eef00

  • SHA256

    4f1d1c4ae6060f14a9f5fb938efdaab86c38007d56259983acdd3873b51348fa

  • SHA512

    afab6d10fa760308ff7f412ae1d723e0d9aa41854381ba762605f93b5fdc4dfb55c8910ee99b374684df993f379b0af25c93c9f4b25d888272235fc23ef8b70c

  • SSDEEP

    12288:BMrPy90Rj0iDUScj4FcO6SbTNl6bS2kRXw/:2ygUR66SlsbSr8

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f1d1c4ae6060f14a9f5fb938efdaab86c38007d56259983acdd3873b51348fa.exe
    "C:\Users\Admin\AppData\Local\Temp\4f1d1c4ae6060f14a9f5fb938efdaab86c38007d56259983acdd3873b51348fa.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQc0552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQc0552.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221991.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221991.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku513710.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku513710.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr966552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr966552.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr966552.exe
    Filesize

    175KB

    MD5

    3be703f40efd7d68e2ddad1c604e206a

    SHA1

    6b5b4f2f8aace9fdbecaa8b3142e9ebfa9913306

    SHA256

    8e5a645223a11cb5962fc09c54ed8a6b2e86ebf4ace9b2360b0e02768510c169

    SHA512

    e6a8245a3ea17d59da3cf141f03fcdd4c958ba67ac6f737b2d18bc60439d3d91a8dc6bed88df1dd06842af7095b825ec3a60d82fd5994bad553122e941e6b0ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr966552.exe
    Filesize

    175KB

    MD5

    3be703f40efd7d68e2ddad1c604e206a

    SHA1

    6b5b4f2f8aace9fdbecaa8b3142e9ebfa9913306

    SHA256

    8e5a645223a11cb5962fc09c54ed8a6b2e86ebf4ace9b2360b0e02768510c169

    SHA512

    e6a8245a3ea17d59da3cf141f03fcdd4c958ba67ac6f737b2d18bc60439d3d91a8dc6bed88df1dd06842af7095b825ec3a60d82fd5994bad553122e941e6b0ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQc0552.exe
    Filesize

    379KB

    MD5

    69263f342fe30d16ee48ffb52a8bf70f

    SHA1

    e5d19e82ec1761787eb8a0c6fe007001c0a3372a

    SHA256

    dff90ee0872ef120226ce15b384d1e7785437b822ad0eff4569a6e3ebc4207ea

    SHA512

    710e8fa1787630df99019a4453d763461fdf5f985148093eecc475735aab815c56e2250fb1487d69651099824dd7124ae0e8081bd9f8b9fe07d1b60a59c1c272

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQc0552.exe
    Filesize

    379KB

    MD5

    69263f342fe30d16ee48ffb52a8bf70f

    SHA1

    e5d19e82ec1761787eb8a0c6fe007001c0a3372a

    SHA256

    dff90ee0872ef120226ce15b384d1e7785437b822ad0eff4569a6e3ebc4207ea

    SHA512

    710e8fa1787630df99019a4453d763461fdf5f985148093eecc475735aab815c56e2250fb1487d69651099824dd7124ae0e8081bd9f8b9fe07d1b60a59c1c272

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221991.exe
    Filesize

    11KB

    MD5

    99c00d0acec9ede87a1c9e72a5c63d5d

    SHA1

    11454a8ec68b43a87cb1c9a133fba8edfdd9085a

    SHA256

    94815237076f78edbf213ac0a7142fbedb2423c5b937be280728c971374fe13d

    SHA512

    d2a7e5b99de2b6665b09ea164b188d60a0e3c64b3f5e88fd8d4d1021d0ea1bd8f85d1afae21dff9f574093738153e369dd7a90bbeb0cf5c08751124f4266d533

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221991.exe
    Filesize

    11KB

    MD5

    99c00d0acec9ede87a1c9e72a5c63d5d

    SHA1

    11454a8ec68b43a87cb1c9a133fba8edfdd9085a

    SHA256

    94815237076f78edbf213ac0a7142fbedb2423c5b937be280728c971374fe13d

    SHA512

    d2a7e5b99de2b6665b09ea164b188d60a0e3c64b3f5e88fd8d4d1021d0ea1bd8f85d1afae21dff9f574093738153e369dd7a90bbeb0cf5c08751124f4266d533

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku513710.exe
    Filesize

    294KB

    MD5

    57ecff24c723a249a3a3c1b491aac38b

    SHA1

    4de5b586242760ec66f62dd5075858866ac31542

    SHA256

    28ea121d9ad22eafa2718af2a35ee22f5fc22c09cb8542f2d3a5f0adced4beed

    SHA512

    c3cf399cdc8cc083758fb94b85172b9414b2442a817bb6c49f54c65297eb43f70f6ec8dfbf92fd3d14fb38b7a15fbe3eb9907ec0ae9d62c6da0227e9a4ecc2b2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku513710.exe
    Filesize

    294KB

    MD5

    57ecff24c723a249a3a3c1b491aac38b

    SHA1

    4de5b586242760ec66f62dd5075858866ac31542

    SHA256

    28ea121d9ad22eafa2718af2a35ee22f5fc22c09cb8542f2d3a5f0adced4beed

    SHA512

    c3cf399cdc8cc083758fb94b85172b9414b2442a817bb6c49f54c65297eb43f70f6ec8dfbf92fd3d14fb38b7a15fbe3eb9907ec0ae9d62c6da0227e9a4ecc2b2

    Download Submit
  • memory/2372-1073-0x0000000000D00000-0x0000000000D32000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2372-1074-0x0000000005740000-0x000000000578B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2372-1075-0x00000000055C0000-0x00000000055D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4456-133-0x0000000000620000-0x000000000062A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4968-173-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-187-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-142-0x0000000004B60000-0x000000000505E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4968-143-0x0000000004A20000-0x0000000004A64000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4968-144-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-145-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-147-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-149-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-151-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-153-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-155-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-157-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-159-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-161-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-163-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-165-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-168-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-167-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-171-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-170-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-140-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-175-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-177-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-179-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-181-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-183-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-185-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-141-0x0000000004990000-0x00000000049D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4968-189-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-191-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4968-1052-0x0000000005060000-0x0000000005666000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4968-1053-0x0000000005670000-0x000000000577A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4968-1054-0x00000000057A0000-0x00000000057B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4968-1055-0x00000000057C0000-0x00000000057FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4968-1056-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-1057-0x0000000005910000-0x000000000595B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4968-1059-0x0000000005AA0000-0x0000000005B32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4968-1060-0x0000000005B40000-0x0000000005BA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4968-1061-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-1062-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-1063-0x0000000006250000-0x0000000006412000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4968-139-0x00000000005C0000-0x000000000060B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4968-1064-0x0000000006430000-0x000000000695C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4968-1065-0x0000000006B80000-0x0000000006BF6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4968-1066-0x0000000006C10000-0x0000000006C60000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4968-1067-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download