Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4e70ddf3b899a0ef7550bd923c0f096ce19e83f6ece2dd6c02dd69f67fb8527.exe

  • Size

    522KB

  • MD5

    602d4bc32fdf66eaed40f34c99f185de

  • SHA1

    1d634d56fda91b9d58adc8d1c15d649723c80802

  • SHA256

    e4e70ddf3b899a0ef7550bd923c0f096ce19e83f6ece2dd6c02dd69f67fb8527

  • SHA512

    d2dfde434bb4256d91fd73c7e476a0354243f8ee6973fbf5b79dadfbfba37685f1ff3348c3b0224110c413a9f178a42042e93ae953d8f956674c9a5bf3b26485

  • SSDEEP

    12288:QMr9y90OGHHLmJ39EhZehs088r4wDzWKCO3L21wot:9yhGLvyg80w+KhaS6

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4e70ddf3b899a0ef7550bd923c0f096ce19e83f6ece2dd6c02dd69f67fb8527.exe
    "C:\Users\Admin\AppData\Local\Temp\e4e70ddf3b899a0ef7550bd923c0f096ce19e83f6ece2dd6c02dd69f67fb8527.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinY8512.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinY8512.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr626342.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr626342.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku565361.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku565361.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1700
          4⤵
          • Program crash
          PID:2220
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr329638.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr329638.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3424 -ip 3424
    1⤵
      PID:1688

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr329638.exe
      Filesize

      175KB

      MD5

      35eb3c5a7220feab3dca3fe4aec04713

      SHA1

      29a18d4513d31d0c28690388cc2819236be9c498

      SHA256

      638fcf5f14c943d2c43845033ac73c8cb902321369cabbf4ec9fd9f300cc7aae

      SHA512

      16be2316689c3415950b78ef921a488d8e31c1406aa9ead1a4066088a8180c9c78d869017c97cf7ea89b471c9c11e0fb30a5f0d50a0d4d95476cba3092cdf96d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr329638.exe
      Filesize

      175KB

      MD5

      35eb3c5a7220feab3dca3fe4aec04713

      SHA1

      29a18d4513d31d0c28690388cc2819236be9c498

      SHA256

      638fcf5f14c943d2c43845033ac73c8cb902321369cabbf4ec9fd9f300cc7aae

      SHA512

      16be2316689c3415950b78ef921a488d8e31c1406aa9ead1a4066088a8180c9c78d869017c97cf7ea89b471c9c11e0fb30a5f0d50a0d4d95476cba3092cdf96d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinY8512.exe
      Filesize

      379KB

      MD5

      619446fc26de9e800e4e479fcf0f7590

      SHA1

      daf8517e1d3e7dddb4aa0c0b73eb83e7336d2352

      SHA256

      ec34a2530f7be5630549008fc5e848d058d33e5ee15f12cb3fda8c7045e41346

      SHA512

      3f99b3693718e9524b8423a431678a8ed63937e09e68d803827c6f7880a955a15c8d7e704f93882af62ccc06159fbac2baeaac97274ced739a1b704deed023b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinY8512.exe
      Filesize

      379KB

      MD5

      619446fc26de9e800e4e479fcf0f7590

      SHA1

      daf8517e1d3e7dddb4aa0c0b73eb83e7336d2352

      SHA256

      ec34a2530f7be5630549008fc5e848d058d33e5ee15f12cb3fda8c7045e41346

      SHA512

      3f99b3693718e9524b8423a431678a8ed63937e09e68d803827c6f7880a955a15c8d7e704f93882af62ccc06159fbac2baeaac97274ced739a1b704deed023b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr626342.exe
      Filesize

      15KB

      MD5

      f5330610b4943ff96924695691d76aae

      SHA1

      da401fbd9ad180a3fda01b515299426fdc75af2d

      SHA256

      649464078cd4a0e5c9bc7e299a60b9a3d8614d500214d729a0fbcf0688a86825

      SHA512

      9748a9586a20c7c0f997cfae94837e6d8845c670cb614827155281b8fe18cb3b32273f50a98004b2f12513f8ca58a8f2770ff34a5ea6c69602a7e3524ff64118

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr626342.exe
      Filesize

      15KB

      MD5

      f5330610b4943ff96924695691d76aae

      SHA1

      da401fbd9ad180a3fda01b515299426fdc75af2d

      SHA256

      649464078cd4a0e5c9bc7e299a60b9a3d8614d500214d729a0fbcf0688a86825

      SHA512

      9748a9586a20c7c0f997cfae94837e6d8845c670cb614827155281b8fe18cb3b32273f50a98004b2f12513f8ca58a8f2770ff34a5ea6c69602a7e3524ff64118

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku565361.exe
      Filesize

      294KB

      MD5

      7190ad03b42c5a555cea7434f3c23249

      SHA1

      988432937fbdaf9922bc0fb8b1d332d9200b649d

      SHA256

      373abe03553d99a3a69e7a5810e7a600beabb323c1e9169d31959b026ccce8e7

      SHA512

      8dddae54e25358ff19489563702899ae11c996567d6b1075a267bf8eec26dad5958d3622acea04fc1538ee8e6a7b70a7169c74e9055364ad9e7ec366f644039a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku565361.exe
      Filesize

      294KB

      MD5

      7190ad03b42c5a555cea7434f3c23249

      SHA1

      988432937fbdaf9922bc0fb8b1d332d9200b649d

      SHA256

      373abe03553d99a3a69e7a5810e7a600beabb323c1e9169d31959b026ccce8e7

      SHA512

      8dddae54e25358ff19489563702899ae11c996567d6b1075a267bf8eec26dad5958d3622acea04fc1538ee8e6a7b70a7169c74e9055364ad9e7ec366f644039a

      Download Submit
    • memory/1488-147-0x0000000000CF0000-0x0000000000CFA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2788-1085-0x0000000000550000-0x0000000000582000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2788-1086-0x00000000050E0000-0x00000000050F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2788-1087-0x00000000050E0000-0x00000000050F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-203-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-156-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-158-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-162-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-160-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-164-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-169-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-171-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-173-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-175-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-177-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-179-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-181-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-183-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-185-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-154-0x0000000004BB0000-0x0000000005154000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3424-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-193-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-195-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-197-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-199-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-155-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-205-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-209-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-211-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-215-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-217-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-221-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3424-1064-0x0000000005260000-0x0000000005878000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3424-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3424-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3424-1067-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-1068-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3424-1070-0x0000000000A10000-0x0000000000A5B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3424-1071-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3424-1072-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3424-1073-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-1074-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-1075-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3424-153-0x0000000000A10000-0x0000000000A5B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3424-1076-0x0000000007860000-0x00000000078D6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3424-1077-0x00000000078F0000-0x0000000007940000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3424-1078-0x0000000007950000-0x0000000007B12000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3424-1079-0x0000000007B30000-0x000000000805C000-memory.dmp
      Filesize

      5.2MB

      Download