Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3200f1fceb3c7875a3f851f6db47807a8f4bf2335dd74b898598772f20a1342.exe

  • Size

    522KB

  • MD5

    f18f7621b71f3efe9c232ac7f12ccb18

  • SHA1

    43cedd83b6d0a8e0af51b7855c21bf1c11e5623c

  • SHA256

    f3200f1fceb3c7875a3f851f6db47807a8f4bf2335dd74b898598772f20a1342

  • SHA512

    1a767ad53dfdf6b37554ed775d70000a2344f8275b4752103417a86e0c2615b73295cb79a3f602680bb7325392acdb72190e722d7efeb8bc73d1b3985d91a3cf

  • SSDEEP

    12288:WMrxy90Yxm0iQ93dPfjZx+G1qr8KK4zfzWKk37F3O:Py5mU9rxBsgKrzqKaB3O

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3200f1fceb3c7875a3f851f6db47807a8f4bf2335dd74b898598772f20a1342.exe
    "C:\Users\Admin\AppData\Local\Temp\f3200f1fceb3c7875a3f851f6db47807a8f4bf2335dd74b898598772f20a1342.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJS2022.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJS2022.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr798151.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr798151.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku590557.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku590557.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1372
          4⤵
          • Program crash
          PID:1564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604245.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604245.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3764 -ip 3764
    1⤵
      PID:3948

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604245.exe
      Filesize

      175KB

      MD5

      53b29bf6cd15a89725f155024d266ad5

      SHA1

      4c47fdf61f41d2067062f1c5b95534684c4213d7

      SHA256

      264b42e06856ac6c4820deb9a6bdffb071a95927b2f55664c78c9c92655c7fbe

      SHA512

      d25ab8c437d70d19947725cdbe7b883d9c6e610c9d3b3f61da9ac34648162942ed99bb8e1b93f02ca60eb120b640bde20b13e4c74edb0ed3a28d66858c7f52cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr604245.exe
      Filesize

      175KB

      MD5

      53b29bf6cd15a89725f155024d266ad5

      SHA1

      4c47fdf61f41d2067062f1c5b95534684c4213d7

      SHA256

      264b42e06856ac6c4820deb9a6bdffb071a95927b2f55664c78c9c92655c7fbe

      SHA512

      d25ab8c437d70d19947725cdbe7b883d9c6e610c9d3b3f61da9ac34648162942ed99bb8e1b93f02ca60eb120b640bde20b13e4c74edb0ed3a28d66858c7f52cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJS2022.exe
      Filesize

      380KB

      MD5

      f939f43160224737850f888f07a0b867

      SHA1

      64ebebf9dfa9ba97579077de72891c14b3995501

      SHA256

      7dc780d4c46ddc759f5b90184a6e0b8cd1713b600e2e4b4c79ae0fb0b48fd865

      SHA512

      d8717d2a179a9cf8a9111a27e64ad275a90fd5a980d6b02f16219c12f9ce1bee2109bd64637c2405cbe675a0366011ade3ccd4a3751b5282be4910f387917f1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJS2022.exe
      Filesize

      380KB

      MD5

      f939f43160224737850f888f07a0b867

      SHA1

      64ebebf9dfa9ba97579077de72891c14b3995501

      SHA256

      7dc780d4c46ddc759f5b90184a6e0b8cd1713b600e2e4b4c79ae0fb0b48fd865

      SHA512

      d8717d2a179a9cf8a9111a27e64ad275a90fd5a980d6b02f16219c12f9ce1bee2109bd64637c2405cbe675a0366011ade3ccd4a3751b5282be4910f387917f1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr798151.exe
      Filesize

      11KB

      MD5

      fbf65b9904bf8833e09530f06f4fe032

      SHA1

      8c3f9e3e7aab0694931a6423de920deef2558e17

      SHA256

      98dc95e8cb0a469932bbadf9a2ae7319533a331e85e5c862f9d06fada3255145

      SHA512

      e1cf3cc6e5fc60533dc9afa48cbcbc394518c4cb2866be334dc7d215cbed2943dfc00ee859bb5159a706e6b9128ce6a93313a796dee1f6c17dc03d7df6dc1f5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr798151.exe
      Filesize

      11KB

      MD5

      fbf65b9904bf8833e09530f06f4fe032

      SHA1

      8c3f9e3e7aab0694931a6423de920deef2558e17

      SHA256

      98dc95e8cb0a469932bbadf9a2ae7319533a331e85e5c862f9d06fada3255145

      SHA512

      e1cf3cc6e5fc60533dc9afa48cbcbc394518c4cb2866be334dc7d215cbed2943dfc00ee859bb5159a706e6b9128ce6a93313a796dee1f6c17dc03d7df6dc1f5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku590557.exe
      Filesize

      294KB

      MD5

      2ba0d851d5e3fa8248b40770ece9e45f

      SHA1

      031b8741a3931643acf55c79adadd422cac377d9

      SHA256

      43e97d9c703432e1a791d5c2fa572505610d3bf6415c89d37f1cd1a13869e447

      SHA512

      a1a0d175a7d69a0ffa63949e71e259d1d489f4455ba2eb3e5dcd4cf3d5ec66a16eea3639dd4b1be73d6a4a1d27a48daa76dd8db987c29e03d59f2eef85625261

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku590557.exe
      Filesize

      294KB

      MD5

      2ba0d851d5e3fa8248b40770ece9e45f

      SHA1

      031b8741a3931643acf55c79adadd422cac377d9

      SHA256

      43e97d9c703432e1a791d5c2fa572505610d3bf6415c89d37f1cd1a13869e447

      SHA512

      a1a0d175a7d69a0ffa63949e71e259d1d489f4455ba2eb3e5dcd4cf3d5ec66a16eea3639dd4b1be73d6a4a1d27a48daa76dd8db987c29e03d59f2eef85625261

      Download Submit
    • memory/2204-1085-0x00000000001C0000-0x00000000001F2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2204-1086-0x0000000004B00000-0x0000000004B10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-191-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-201-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-155-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-157-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-156-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-158-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-159-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-161-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-163-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-165-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-167-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-169-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-171-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-173-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-175-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-177-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-179-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-181-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-183-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-185-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-187-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-189-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-153-0x0000000004C20000-0x00000000051C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3764-193-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-195-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-197-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-199-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-154-0x0000000000740000-0x000000000078B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3764-203-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-205-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-207-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-209-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-211-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-213-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-215-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-217-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-219-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-221-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3764-1064-0x00000000052D0000-0x00000000058E8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3764-1065-0x00000000058F0000-0x00000000059FA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3764-1066-0x0000000004BF0000-0x0000000004C02000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3764-1067-0x0000000005A40000-0x0000000005A7C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3764-1068-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-1070-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3764-1071-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3764-1072-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-1074-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-1073-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3764-1075-0x00000000066F0000-0x00000000068B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3764-1076-0x00000000068C0000-0x0000000006DEC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3764-1077-0x0000000006F40000-0x0000000006FB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3764-1078-0x0000000006FC0000-0x0000000007010000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3764-1079-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3816-147-0x00000000006E0000-0x00000000006EA000-memory.dmp
      Filesize

      40KB

      Download