Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5f5b705be98307e3c5735534f46bfc80671ee09d5e8e6e5f4e28d5bbd2d8e4e.exe

  • Size

    521KB

  • MD5

    9bd5928ba455df6d9824a51a2d91b182

  • SHA1

    9a12155d2e8e078320961290cbdf0338a35b2535

  • SHA256

    a5f5b705be98307e3c5735534f46bfc80671ee09d5e8e6e5f4e28d5bbd2d8e4e

  • SHA512

    616694d42003e50a6dcfdbe0bc838ae2a5d7f07a1d3f5bc493742651cc77397a7a579f41396d0a3fe86bb9de9ccf1a34d733af1eea1c7a260b37bba47eefecae

  • SSDEEP

    12288:hMrxy90vNdovFTXvqpm57LSvJgKiePBxz9r4vFXLxpCges0B:Myk6XmenwgDwX9kvFXbCgk

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5f5b705be98307e3c5735534f46bfc80671ee09d5e8e6e5f4e28d5bbd2d8e4e.exe
    "C:\Users\Admin\AppData\Local\Temp\a5f5b705be98307e3c5735534f46bfc80671ee09d5e8e6e5f4e28d5bbd2d8e4e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitA1934.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitA1934.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429623.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429623.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2848
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1336
          4⤵
          • Program crash
          PID:768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr067674.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr067674.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr776855.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr776855.exe
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Executes dropped EXE
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2848 -ip 2848
    1⤵
      PID:4324

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr067674.exe
      Filesize

      175KB

      MD5

      7704ba33ef8cdb1512f80c2525e04f76

      SHA1

      e7c29983e9e189db31e44a79cdd171ff338a9f26

      SHA256

      eb092df8244b50100fa36fbc4085a1138027dd2cc873dc860113e7bc9988fd37

      SHA512

      fff7f5152154a02ca662dd40224893ccf0d7bca3884cf315b087afddb2018cc7d08e17e6c24ea711c9ba60a37948ba4689c703bf13eaf37423fa9cfa8e413b7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr067674.exe
      Filesize

      175KB

      MD5

      7704ba33ef8cdb1512f80c2525e04f76

      SHA1

      e7c29983e9e189db31e44a79cdd171ff338a9f26

      SHA256

      eb092df8244b50100fa36fbc4085a1138027dd2cc873dc860113e7bc9988fd37

      SHA512

      fff7f5152154a02ca662dd40224893ccf0d7bca3884cf315b087afddb2018cc7d08e17e6c24ea711c9ba60a37948ba4689c703bf13eaf37423fa9cfa8e413b7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitA1934.exe
      Filesize

      379KB

      MD5

      ad0ede4ee3165b50bf04b4d0ed197f4b

      SHA1

      1586baf9ccf6209fda0c1f0315257bc4206303b5

      SHA256

      f65ef891d4c773409c3c14a64332884db1cf4bd77739d1efc5affe7c5f17859a

      SHA512

      ebe0b6f8f62384fa46c203eeb966fbff51812a4fa33893165734f4e6bec0e6ad64e8145caed4519e6eafa23e70f3ed363bdfa7010730205eb4c7fc0d8090757e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitA1934.exe
      Filesize

      379KB

      MD5

      ad0ede4ee3165b50bf04b4d0ed197f4b

      SHA1

      1586baf9ccf6209fda0c1f0315257bc4206303b5

      SHA256

      f65ef891d4c773409c3c14a64332884db1cf4bd77739d1efc5affe7c5f17859a

      SHA512

      ebe0b6f8f62384fa46c203eeb966fbff51812a4fa33893165734f4e6bec0e6ad64e8145caed4519e6eafa23e70f3ed363bdfa7010730205eb4c7fc0d8090757e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr776855.exe
      Filesize

      11KB

      MD5

      dc60801fd9e0ca4edcaf57ae68675c31

      SHA1

      5ad54ba5d8d424a27da7579f3853f5d60a7fcbe3

      SHA256

      7a3e60dbec28e18927d13cbee7784b016d9bdc162a7f25f6f27d19ac466ff05e

      SHA512

      46d8016f01195a6c63ecca7eb92c0d3ed9c06fb57f2411686b7b56def9ae3624789cb9881b47017160439370a86d4c16841ca57744f8fd3e6202e78c258e67f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr776855.exe
      Filesize

      11KB

      MD5

      dc60801fd9e0ca4edcaf57ae68675c31

      SHA1

      5ad54ba5d8d424a27da7579f3853f5d60a7fcbe3

      SHA256

      7a3e60dbec28e18927d13cbee7784b016d9bdc162a7f25f6f27d19ac466ff05e

      SHA512

      46d8016f01195a6c63ecca7eb92c0d3ed9c06fb57f2411686b7b56def9ae3624789cb9881b47017160439370a86d4c16841ca57744f8fd3e6202e78c258e67f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429623.exe
      Filesize

      294KB

      MD5

      7d114c74a246dc0dde9bc006ef04981f

      SHA1

      258e114954f7c642250e324dd5558baeb6e8ff86

      SHA256

      7a3811de7a1169afa800290ac9893d2482f2643d423d73660a0aa729fd34c839

      SHA512

      4107b0683b519f73a53a4780b4b3ad05a7eafeef033065a6f78518aaf2f4a496d9bc547237ef359887355b9c1ff6afae481c8c7a813bdf515b69be04347f4e80

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429623.exe
      Filesize

      294KB

      MD5

      7d114c74a246dc0dde9bc006ef04981f

      SHA1

      258e114954f7c642250e324dd5558baeb6e8ff86

      SHA256

      7a3811de7a1169afa800290ac9893d2482f2643d423d73660a0aa729fd34c839

      SHA512

      4107b0683b519f73a53a4780b4b3ad05a7eafeef033065a6f78518aaf2f4a496d9bc547237ef359887355b9c1ff6afae481c8c7a813bdf515b69be04347f4e80

      Download Submit
    • memory/2848-153-0x0000000004E10000-0x00000000053B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2848-154-0x0000000002110000-0x000000000215B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2848-155-0x0000000004E00000-0x0000000004E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2848-156-0x0000000004E00000-0x0000000004E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2848-157-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-160-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-158-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-162-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-164-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-166-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-168-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-170-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-172-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-174-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-176-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-178-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-180-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-182-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-184-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-186-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-188-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-190-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-192-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-194-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-196-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-198-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-200-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-202-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-204-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-206-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-208-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-210-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-212-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-214-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-216-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-218-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-220-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2848-1063-0x00000000053C0000-0x00000000059D8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2848-1064-0x0000000004C10000-0x0000000004D1A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2848-1065-0x0000000002650000-0x0000000002662000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2848-1066-0x0000000002780000-0x00000000027BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2848-1067-0x0000000004E00000-0x0000000004E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2848-1069-0x0000000005BB0000-0x0000000005C16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2848-1070-0x0000000004E00000-0x0000000004E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2848-1071-0x0000000004E00000-0x0000000004E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2848-1072-0x0000000006270000-0x0000000006302000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2848-1073-0x00000000065B0000-0x0000000006772000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2848-1074-0x0000000006790000-0x0000000006CBC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2848-1075-0x0000000004E00000-0x0000000004E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2848-1076-0x0000000006DF0000-0x0000000006E66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2848-1077-0x0000000006E80000-0x0000000006ED0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3088-147-0x00000000009B0000-0x00000000009BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3876-1083-0x0000000000630000-0x0000000000662000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3876-1084-0x0000000005350000-0x0000000005360000-memory.dmp
      Filesize

      64KB

      Download