Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    384478f9d2595829cf30c069d86b2c7ed2ef0bdff6205cb70fa1bbe5ce0b2601.exe

  • Size

    522KB

  • MD5

    59e5946df8723d28ef834cd104826579

  • SHA1

    ba88b5ff513422d8d2e60ec30c1e0fede7d38baf

  • SHA256

    384478f9d2595829cf30c069d86b2c7ed2ef0bdff6205cb70fa1bbe5ce0b2601

  • SHA512

    4593f564c2c4c62bafef07832b3784d1ec34e81a77e7164ec6764965095a94caae833af8e8e4eaa5aef8f00ad1391f7b329e0f12de8e732efdbfe32c978b292d

  • SSDEEP

    12288:IMrWy90pOvbDVhEN2ExbrRsvebSKb/Hl63dUqsu0r:uyrHA4+tsqSKzs3dU

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\384478f9d2595829cf30c069d86b2c7ed2ef0bdff6205cb70fa1bbe5ce0b2601.exe
    "C:\Users\Admin\AppData\Local\Temp\384478f9d2595829cf30c069d86b2c7ed2ef0bdff6205cb70fa1bbe5ce0b2601.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMs0771.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMs0771.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr777320.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr777320.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku706196.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku706196.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1544
          4⤵
          • Program crash
          PID:5092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr751923.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr751923.exe
      2⤵
      • Executes dropped EXE
      PID:1608
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2552 -ip 2552
    1⤵
      PID:1052

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr751923.exe
      Filesize

      175KB

      MD5

      94c9e04b9e1144aac31ba0444e5a8a3f

      SHA1

      0eadd922f3b7ff67ffacc9ec39106c5b7c039f4b

      SHA256

      9bb5bc5db558c6767cb2d9607c793f6f5aa99fab49d0c277c388aa5a709b4439

      SHA512

      c0dd7d0fd2364d27dd68287cf6051b35c13f68ab6bb3f4381befd73d0994a302719651b72145af2518855dd845d3bcd97de5cb88ffeec81d4924e4a780886766

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMs0771.exe
      Filesize

      379KB

      MD5

      9244210a4a522c3487c46f0a7092ad02

      SHA1

      98f2ff7af46ff70272243ea59c4ad9fea9b72797

      SHA256

      6211c5c9fb581a3c90a6c7fcbb4de1c0c2adcd5a60ef7877e9762b91b477ca7d

      SHA512

      f27611282261680e90a61b354d484764d65cc330faec14feb8bf8e5917791f02611c2972f0f2ec1f5f5e2202837700eab0b8db925ef6040e9d3159bb7811f4b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMs0771.exe
      Filesize

      379KB

      MD5

      9244210a4a522c3487c46f0a7092ad02

      SHA1

      98f2ff7af46ff70272243ea59c4ad9fea9b72797

      SHA256

      6211c5c9fb581a3c90a6c7fcbb4de1c0c2adcd5a60ef7877e9762b91b477ca7d

      SHA512

      f27611282261680e90a61b354d484764d65cc330faec14feb8bf8e5917791f02611c2972f0f2ec1f5f5e2202837700eab0b8db925ef6040e9d3159bb7811f4b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr777320.exe
      Filesize

      11KB

      MD5

      615810407dc112e860fea1ea461d0374

      SHA1

      49c57e14e4ae44e69f3d9324b982df3de4aea2ba

      SHA256

      7bc5a078b412273d275ff9280228e3dc1379b8a6880f2cf2aa8ba1e4da2ffb31

      SHA512

      5f4c1db527cbeb4b846677202f0cb014909bb9919025777c949e9658771c2ea0f37a4d6251e393db8964f994580003ce8bcca5fe4adb4be8b67d23982b9f2790

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr777320.exe
      Filesize

      11KB

      MD5

      615810407dc112e860fea1ea461d0374

      SHA1

      49c57e14e4ae44e69f3d9324b982df3de4aea2ba

      SHA256

      7bc5a078b412273d275ff9280228e3dc1379b8a6880f2cf2aa8ba1e4da2ffb31

      SHA512

      5f4c1db527cbeb4b846677202f0cb014909bb9919025777c949e9658771c2ea0f37a4d6251e393db8964f994580003ce8bcca5fe4adb4be8b67d23982b9f2790

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku706196.exe
      Filesize

      294KB

      MD5

      1f54df50bf5edf34226112127f5b3499

      SHA1

      71ea2c906a078552d896f43da8e0a49e89221649

      SHA256

      8927f3e5221573b08575f93fb3b831754749ce7868670be2c24daad8149bd67e

      SHA512

      87d2d7f2e6a5ecdff19eeb9ec6da8fae0ed293a132109a60c4ab644cdbded09886bb0046ab28fc032a277d175f7f6f8b237952fc237fde552f26f2eb1ab653f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku706196.exe
      Filesize

      294KB

      MD5

      1f54df50bf5edf34226112127f5b3499

      SHA1

      71ea2c906a078552d896f43da8e0a49e89221649

      SHA256

      8927f3e5221573b08575f93fb3b831754749ce7868670be2c24daad8149bd67e

      SHA512

      87d2d7f2e6a5ecdff19eeb9ec6da8fae0ed293a132109a60c4ab644cdbded09886bb0046ab28fc032a277d175f7f6f8b237952fc237fde552f26f2eb1ab653f7

      Download Submit

    • memory/2552-153-0x0000000000620000-0x000000000066B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2552-154-0x0000000004AD0000-0x0000000005074000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2552-155-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-158-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-160-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-156-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-162-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-164-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-166-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-168-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-170-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-172-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-174-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-173-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-176-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-177-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-179-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-181-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-183-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-185-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-187-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-189-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-191-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-193-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-195-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-197-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-199-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-201-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-203-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-205-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-207-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-209-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-211-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-213-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-215-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-217-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-219-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-221-0x0000000004A70000-0x0000000004AAF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2552-1064-0x0000000005200000-0x0000000005818000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2552-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2552-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2552-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2552-1068-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-1070-0x0000000005CF0000-0x0000000005D82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2552-1071-0x0000000005D90000-0x0000000005DF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2552-1072-0x00000000064B0000-0x0000000006672000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2552-1073-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-1074-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-1075-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-1076-0x0000000006690000-0x0000000006BBC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2552-1077-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2552-1078-0x0000000006E10000-0x0000000006E86000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2552-1079-0x0000000006E90000-0x0000000006EE0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3116-147-0x0000000000A70000-0x0000000000A7A000-memory.dmp

      Filesize

      40KB

      Download