Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    57s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    675a140da4a74ead9fb1aa31dbf727aa25e375f05169c430f74316995a1731b3.exe

  • Size

    522KB

  • MD5

    814b13fed951a935ca0dd0c69da7ec18

  • SHA1

    d8b4789da0dde535151747db5ecfd68bdfd3b2b0

  • SHA256

    675a140da4a74ead9fb1aa31dbf727aa25e375f05169c430f74316995a1731b3

  • SHA512

    1c493d9b3222f4aa2d2e88f2694666bd3fd66c1490fe453c6f5d48aa6d83528cb51fdfa515f582fadda632fd1a237a06e6a36415ea750cd77b7a42127e831016

  • SSDEEP

    12288:VMr6y90bwoIpIpROAzubOmJPd8Nw44OzWKaq4KgFJDa:vy5AlzATaNZ4XKaxva

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 37 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\675a140da4a74ead9fb1aa31dbf727aa25e375f05169c430f74316995a1731b3.exe
    "C:\Users\Admin\AppData\Local\Temp\675a140da4a74ead9fb1aa31dbf727aa25e375f05169c430f74316995a1731b3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihj7785.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihj7785.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr217936.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr217936.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku376630.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku376630.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428252.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428252.exe
    Filesize

    175KB

    MD5

    f4367bc5a67ef352ed852f02a6c17f6a

    SHA1

    0c9fd4f3ce6592874a7da4cd63afcdeef4f0485e

    SHA256

    7605bf216f8e6ee8a5ee0d4189e91a2277252d2e425824cfb58bcb7bf6bc123f

    SHA512

    852f661da9bc26178d093c2d593832c941bff16b70f596f61f45d223b44851c867d1accda4aa25a4e2e5651c42f545720e55d5e8ea0ee8246e3b1128a8000bd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428252.exe
    Filesize

    175KB

    MD5

    f4367bc5a67ef352ed852f02a6c17f6a

    SHA1

    0c9fd4f3ce6592874a7da4cd63afcdeef4f0485e

    SHA256

    7605bf216f8e6ee8a5ee0d4189e91a2277252d2e425824cfb58bcb7bf6bc123f

    SHA512

    852f661da9bc26178d093c2d593832c941bff16b70f596f61f45d223b44851c867d1accda4aa25a4e2e5651c42f545720e55d5e8ea0ee8246e3b1128a8000bd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihj7785.exe
    Filesize

    380KB

    MD5

    da81667bb1c33fddb187d3ec2a3d2b01

    SHA1

    ec2b5feec9c7d441c40c7b59d7cb61948262d32f

    SHA256

    473c33b855120c0e92a7619ae285a93fe517105dd6b05aab77f39ab076be2567

    SHA512

    927e9c3b0f97960b3d6b30fe5fe30f90e0f69991393f399a3333a9d3cdcfacc8d02d5bbb9d15e00726e611983f042493ea73dc769ba97aee4480ad726e7a53a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihj7785.exe
    Filesize

    380KB

    MD5

    da81667bb1c33fddb187d3ec2a3d2b01

    SHA1

    ec2b5feec9c7d441c40c7b59d7cb61948262d32f

    SHA256

    473c33b855120c0e92a7619ae285a93fe517105dd6b05aab77f39ab076be2567

    SHA512

    927e9c3b0f97960b3d6b30fe5fe30f90e0f69991393f399a3333a9d3cdcfacc8d02d5bbb9d15e00726e611983f042493ea73dc769ba97aee4480ad726e7a53a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr217936.exe
    Filesize

    15KB

    MD5

    00aa4ab8ee8484da7fa4dc0ddd0b35a8

    SHA1

    b717d31675852f125c5e19285faf35da8c746bd8

    SHA256

    9911bc9a0622448542e29e6043c1dc6dbf252947f679aff45a1018da4c782c8b

    SHA512

    f8d1ad681e7f1e8bec464bfcc76b54d4bd527fe80944a6a7e8dc7c687f1fd9bf908d9e1fb45602f320028c9d24e9f67bbdb57087fdb3363b256ccf1562aa731d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr217936.exe
    Filesize

    15KB

    MD5

    00aa4ab8ee8484da7fa4dc0ddd0b35a8

    SHA1

    b717d31675852f125c5e19285faf35da8c746bd8

    SHA256

    9911bc9a0622448542e29e6043c1dc6dbf252947f679aff45a1018da4c782c8b

    SHA512

    f8d1ad681e7f1e8bec464bfcc76b54d4bd527fe80944a6a7e8dc7c687f1fd9bf908d9e1fb45602f320028c9d24e9f67bbdb57087fdb3363b256ccf1562aa731d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku376630.exe
    Filesize

    294KB

    MD5

    b1cd31d09d2f1af54bc47e5bcaa6e48e

    SHA1

    a50768a25fda6deb653b20c2b392df1e82fb3d5b

    SHA256

    04b2bd0b0ebaa55e64d857033b5b2fe298f2f8b2f2c31dc0a5e7bc27cd6032b6

    SHA512

    c37282dd23d12bbdcdb1016837187ad293c479932a2ac7e365e6be03cdc05272a81ad3f171c47941eebe384ffc40c7709022c19b3dcb7dff98bd2c6674882aaf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku376630.exe
    Filesize

    294KB

    MD5

    b1cd31d09d2f1af54bc47e5bcaa6e48e

    SHA1

    a50768a25fda6deb653b20c2b392df1e82fb3d5b

    SHA256

    04b2bd0b0ebaa55e64d857033b5b2fe298f2f8b2f2c31dc0a5e7bc27cd6032b6

    SHA512

    c37282dd23d12bbdcdb1016837187ad293c479932a2ac7e365e6be03cdc05272a81ad3f171c47941eebe384ffc40c7709022c19b3dcb7dff98bd2c6674882aaf

    Download Submit

  • memory/2080-137-0x0000000004A10000-0x0000000004A56000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2080-138-0x00000000005D0000-0x000000000061B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2080-139-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-140-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2080-141-0x0000000004FA0000-0x0000000004FE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2080-142-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-143-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-145-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-147-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-149-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-151-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-153-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-155-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-157-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-159-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-161-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-163-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-165-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-167-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-169-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-170-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-173-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-172-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-175-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-177-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-179-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-181-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-183-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-185-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-187-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-191-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-189-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-193-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-195-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-197-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-199-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-201-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-203-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-205-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-207-0x0000000004FA0000-0x0000000004FDF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2080-1050-0x0000000004FE0000-0x00000000055E6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2080-1051-0x0000000005660000-0x000000000576A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2080-1052-0x00000000057A0000-0x00000000057B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2080-1053-0x00000000057C0000-0x00000000057FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2080-1054-0x0000000005910000-0x000000000595B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2080-1055-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-1057-0x0000000005AA0000-0x0000000005B06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2080-1059-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-1058-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-1060-0x0000000006040000-0x00000000060D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2080-1061-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-1062-0x00000000021B0000-0x0000000002226000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2080-1063-0x0000000007740000-0x0000000007790000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2080-1065-0x0000000007790000-0x0000000007952000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2080-1066-0x0000000007960000-0x0000000007E8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2748-1072-0x0000000000900000-0x0000000000932000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2748-1073-0x00000000051C0000-0x000000000520B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2748-1074-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2748-1075-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-131-0x0000000000600000-0x000000000060A000-memory.dmp

    Filesize

    40KB

    Download