Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d9bcc591aca6daea7bf85c9d61b951d962a8b45b4a9ade62010f65aec9af04a.exe

  • Size

    521KB

  • MD5

    ef328fa4568a2ad89ed6794d20168461

  • SHA1

    aa440580a465b49abdbc5da6a19fa0ebc4b1773b

  • SHA256

    1d9bcc591aca6daea7bf85c9d61b951d962a8b45b4a9ade62010f65aec9af04a

  • SHA512

    85d205f33d36bbbcdf2f5ef9affca452bd9663dfe42aeec9cf9fd1aeb695d4148461d422b2cf21c950ec8da3ecf4f9e7d4160db4a65a85d8eac93c1574209dff

  • SSDEEP

    12288:kMrHy90E3ZFm0B/DTAtkQpJ5kgK87rTSHjwRa:Ly93Cm/DUSZgjPNRa

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d9bcc591aca6daea7bf85c9d61b951d962a8b45b4a9ade62010f65aec9af04a.exe
    "C:\Users\Admin\AppData\Local\Temp\1d9bcc591aca6daea7bf85c9d61b951d962a8b45b4a9ade62010f65aec9af04a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWD7696.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWD7696.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr887463.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr887463.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku943519.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku943519.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr495310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr495310.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr495310.exe
    Filesize

    175KB

    MD5

    41a4d7781733f38cbe34d777a406a697

    SHA1

    50d349d52edcf6e776dc85e658b146229d1924ec

    SHA256

    645ac92966f370a9da077e2e7c8a8bb54cd38227e988210ddab16b8dbe62837e

    SHA512

    ff5ecac8193c7798304abc4bf4afbaa84cba58e4213b30bf94f249e7af3c09c74c056eb179412ed16bbef4f2f2a2b6c215abc7b0ce9e012944845ac100bfc3ff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr495310.exe
    Filesize

    175KB

    MD5

    41a4d7781733f38cbe34d777a406a697

    SHA1

    50d349d52edcf6e776dc85e658b146229d1924ec

    SHA256

    645ac92966f370a9da077e2e7c8a8bb54cd38227e988210ddab16b8dbe62837e

    SHA512

    ff5ecac8193c7798304abc4bf4afbaa84cba58e4213b30bf94f249e7af3c09c74c056eb179412ed16bbef4f2f2a2b6c215abc7b0ce9e012944845ac100bfc3ff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWD7696.exe
    Filesize

    379KB

    MD5

    1991473e9e866d2e7b676f321bbfee5d

    SHA1

    580e57ccdf8ba7fb257402f20492ac404df88563

    SHA256

    1162551110b8c552543f70d367046b0999e312a396ed0bc1f82526fef3ef13d0

    SHA512

    7567dda226eb512d33366368ffab233bce7defa631dc90cbef1f421c83d9582b1db26e72b442a850a994149ec26b0a064ecfa2d3d78fe38e2fb0aaad1dec7d81

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWD7696.exe
    Filesize

    379KB

    MD5

    1991473e9e866d2e7b676f321bbfee5d

    SHA1

    580e57ccdf8ba7fb257402f20492ac404df88563

    SHA256

    1162551110b8c552543f70d367046b0999e312a396ed0bc1f82526fef3ef13d0

    SHA512

    7567dda226eb512d33366368ffab233bce7defa631dc90cbef1f421c83d9582b1db26e72b442a850a994149ec26b0a064ecfa2d3d78fe38e2fb0aaad1dec7d81

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr887463.exe
    Filesize

    11KB

    MD5

    a4f89f8dc8ca3450dc0240359e4c002c

    SHA1

    5b23c62b34d9adcfdb997a039b29115ba117fd1b

    SHA256

    03454e8aad3ebc11c3a0662fe85773cec8e85d456313438a94f99afc1c2fc42e

    SHA512

    9e8427ac8d39272ffdfed294238fdbfdd3a54ae379ed5a2d3d9acbe9a62ba19cf5b082b11b6f295ecb75da0f15aeb5c377f95198508c5e406e39406b1383bcab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr887463.exe
    Filesize

    11KB

    MD5

    a4f89f8dc8ca3450dc0240359e4c002c

    SHA1

    5b23c62b34d9adcfdb997a039b29115ba117fd1b

    SHA256

    03454e8aad3ebc11c3a0662fe85773cec8e85d456313438a94f99afc1c2fc42e

    SHA512

    9e8427ac8d39272ffdfed294238fdbfdd3a54ae379ed5a2d3d9acbe9a62ba19cf5b082b11b6f295ecb75da0f15aeb5c377f95198508c5e406e39406b1383bcab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku943519.exe
    Filesize

    294KB

    MD5

    ca8d36bb7a7bf359f20557c5c8408aa7

    SHA1

    9f5ac1264f467d95583f363e6bb99267ca39edde

    SHA256

    db9248a8ed7023dd5aea72b91ca57e26f6a44aae943d6cf07c92785c86142d35

    SHA512

    62246165de0db6fc2c86fb5e1527c75816f8dc01ec6c4db2c7ff4082fc107063393aaf48551265c5c649731b79353a67daf7bcd34c62dea2a7b5a037b263e82f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku943519.exe
    Filesize

    294KB

    MD5

    ca8d36bb7a7bf359f20557c5c8408aa7

    SHA1

    9f5ac1264f467d95583f363e6bb99267ca39edde

    SHA256

    db9248a8ed7023dd5aea72b91ca57e26f6a44aae943d6cf07c92785c86142d35

    SHA512

    62246165de0db6fc2c86fb5e1527c75816f8dc01ec6c4db2c7ff4082fc107063393aaf48551265c5c649731b79353a67daf7bcd34c62dea2a7b5a037b263e82f

    Download Submit
  • memory/2968-135-0x00000000002B0000-0x00000000002BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3128-1073-0x0000000000420000-0x0000000000452000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3128-1074-0x0000000004E60000-0x0000000004EAB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3128-1075-0x0000000004F90000-0x0000000004FA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3916-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-177-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-144-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-145-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-146-0x00000000006D0000-0x000000000071B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3916-148-0x0000000004A60000-0x0000000004A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3916-149-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-159-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-157-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-173-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-175-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-181-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-179-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-183-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-187-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-142-0x0000000004A70000-0x0000000004F6E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3916-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-191-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-189-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-185-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-143-0x0000000004A20000-0x0000000004A64000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3916-171-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-169-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-167-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-165-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-163-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-161-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-155-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-153-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-151-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3916-1052-0x00000000055E0000-0x0000000005BE6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3916-1053-0x0000000005050000-0x000000000515A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3916-1054-0x0000000005190000-0x00000000051A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3916-1055-0x00000000051B0000-0x00000000051EE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3916-1056-0x0000000004A60000-0x0000000004A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3916-1057-0x0000000005300000-0x000000000534B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3916-1059-0x0000000005490000-0x0000000005522000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3916-1060-0x0000000005530000-0x0000000005596000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3916-1061-0x0000000004A60000-0x0000000004A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3916-1062-0x0000000004A60000-0x0000000004A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3916-1063-0x0000000006340000-0x0000000006502000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3916-141-0x0000000002070000-0x00000000020B6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3916-1064-0x0000000006520000-0x0000000006A4C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3916-1065-0x0000000006B80000-0x0000000006BF6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3916-1066-0x0000000006C10000-0x0000000006C60000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3916-1067-0x0000000004A60000-0x0000000004A70000-memory.dmp
    Filesize

    64KB

    Download