Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b65d3a5f4b88531f63739b53787c6c8219c38856677e3397bf32353e035c340.exe

  • Size

    521KB

  • MD5

    017958dd2cfaf38ebe313a0178579ebc

  • SHA1

    d1d0e6c79ddf864f36da299b124bb0ee0db4127f

  • SHA256

    8b65d3a5f4b88531f63739b53787c6c8219c38856677e3397bf32353e035c340

  • SHA512

    33280fd7177ae38965fd4088a8d908bf5f884f9d6ce3b49bef06efd8313bf5a86d9a58eb730c80365dc64b1e7242e3863f0a327b2d9aae3e0de1ab35c8d61c0f

  • SSDEEP

    12288:QMr+y90lVBw7Nap0bv8kCGCsgdad6161hhhLuzNrl4t:+y8PnrkCWi6bXSzBl4t

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b65d3a5f4b88531f63739b53787c6c8219c38856677e3397bf32353e035c340.exe
    "C:\Users\Admin\AppData\Local\Temp\8b65d3a5f4b88531f63739b53787c6c8219c38856677e3397bf32353e035c340.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOC2938.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOC2938.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr232318.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr232318.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3228
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku514166.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku514166.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1588
          4⤵
          • Program crash
          PID:3944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100548.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100548.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1516 -ip 1516
    1⤵
      PID:4140

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100548.exe
      Filesize

      175KB

      MD5

      6cc515e87dcc47fb7a22adf519ee78a3

      SHA1

      001b620c46a81199d197e9cbebbe316004b2d7f4

      SHA256

      116739abf6789481517d4c1830ff32e61021981ef7ec2262afe7ff36a3fb0f4f

      SHA512

      b24bf63ad54544fa6b89deeebe3cc1e4ce308a84a125506c9052d42c485b49047aa23015eabfa0ab40b335f7b201ec00cd70114c135f2a2cf036bf4375d818a5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100548.exe
      Filesize

      175KB

      MD5

      6cc515e87dcc47fb7a22adf519ee78a3

      SHA1

      001b620c46a81199d197e9cbebbe316004b2d7f4

      SHA256

      116739abf6789481517d4c1830ff32e61021981ef7ec2262afe7ff36a3fb0f4f

      SHA512

      b24bf63ad54544fa6b89deeebe3cc1e4ce308a84a125506c9052d42c485b49047aa23015eabfa0ab40b335f7b201ec00cd70114c135f2a2cf036bf4375d818a5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOC2938.exe
      Filesize

      379KB

      MD5

      8130044302aee73f7c8f9e4af9809dca

      SHA1

      4d47732c7a5033f47c306091d6a20e7f736c9563

      SHA256

      02d5e5008de423ee43a0aaca9931260f9a5888eb6439640e34da7dd9f81fd1eb

      SHA512

      36a5b8202c596c74346ac45453c3439af447184d26d8787915d72a1889bda0e8fcadebef5f73ac47fb995f3b2e37ffa6a0d3d1cba22f434d5b007c8a3a41925b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOC2938.exe
      Filesize

      379KB

      MD5

      8130044302aee73f7c8f9e4af9809dca

      SHA1

      4d47732c7a5033f47c306091d6a20e7f736c9563

      SHA256

      02d5e5008de423ee43a0aaca9931260f9a5888eb6439640e34da7dd9f81fd1eb

      SHA512

      36a5b8202c596c74346ac45453c3439af447184d26d8787915d72a1889bda0e8fcadebef5f73ac47fb995f3b2e37ffa6a0d3d1cba22f434d5b007c8a3a41925b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr232318.exe
      Filesize

      11KB

      MD5

      2fcca21537c2964f528bb4c3972f4c74

      SHA1

      586e5fe69648165dfac7a2db3934da725a7442ca

      SHA256

      6c686dc69975ce11b19e924260fbc6daea1eb633ed906622dbdca225eec71978

      SHA512

      9ee2023659f2905885af2b31107eba81e9da33e2f971cd4a20252ccb99b59e9cd3a4e2253836411e8701b437c3fc275cd80e84affedc0df9eec586f3d1e97554

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr232318.exe
      Filesize

      11KB

      MD5

      2fcca21537c2964f528bb4c3972f4c74

      SHA1

      586e5fe69648165dfac7a2db3934da725a7442ca

      SHA256

      6c686dc69975ce11b19e924260fbc6daea1eb633ed906622dbdca225eec71978

      SHA512

      9ee2023659f2905885af2b31107eba81e9da33e2f971cd4a20252ccb99b59e9cd3a4e2253836411e8701b437c3fc275cd80e84affedc0df9eec586f3d1e97554

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku514166.exe
      Filesize

      294KB

      MD5

      01cbd39c1298d1589ec43c4958ad1877

      SHA1

      e19da91311060c6e12ce7cc9ceaceae2f6a00073

      SHA256

      34538722cdf7f0c44fbb5e94696c4e51b00214b0186e877871568af7fc443174

      SHA512

      1d275883b24d8cecc86d8203e29afbeed0223a1cb82d07947eaa8b313f85c557f79970f32312330f1e3c8dd920f4d28efb23d159796b563b34cc0085b7427a80

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku514166.exe
      Filesize

      294KB

      MD5

      01cbd39c1298d1589ec43c4958ad1877

      SHA1

      e19da91311060c6e12ce7cc9ceaceae2f6a00073

      SHA256

      34538722cdf7f0c44fbb5e94696c4e51b00214b0186e877871568af7fc443174

      SHA512

      1d275883b24d8cecc86d8203e29afbeed0223a1cb82d07947eaa8b313f85c557f79970f32312330f1e3c8dd920f4d28efb23d159796b563b34cc0085b7427a80

      Download Submit
    • memory/1516-153-0x0000000000610000-0x000000000065B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1516-154-0x0000000004BD0000-0x0000000005174000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1516-155-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-156-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-157-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-158-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-159-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-163-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-169-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-171-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-173-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-175-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-177-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-179-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-181-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-183-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-185-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-193-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-195-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-197-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-199-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-203-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-205-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-209-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-211-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-215-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-217-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-221-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1516-1064-0x0000000005180000-0x0000000005798000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1516-1065-0x00000000057A0000-0x00000000058AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1516-1066-0x00000000058B0000-0x00000000058C2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1516-1067-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-1068-0x00000000058D0000-0x000000000590C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1516-1070-0x0000000005BB0000-0x0000000005C42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1516-1071-0x0000000005C50000-0x0000000005CB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1516-1072-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-1073-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-1074-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-1075-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1516-1076-0x0000000007860000-0x0000000007A22000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1516-1077-0x0000000007A30000-0x0000000007F5C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1516-1078-0x0000000008010000-0x0000000008086000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1516-1079-0x00000000080A0000-0x00000000080F0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1792-1087-0x0000000000B50000-0x0000000000B82000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1792-1088-0x0000000005790000-0x00000000057A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1792-1089-0x0000000005790000-0x00000000057A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3228-147-0x0000000000610000-0x000000000061A000-memory.dmp
      Filesize

      40KB

      Download