Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    109s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-04-2023 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1dea6c0b807ff2455838fb511b781695b3908f835b27f2dfb0d397cfc1c41fd.exe

  • Size

    801KB

  • MD5

    dcd5801b10da4fd62c37277d63c2d325

  • SHA1

    40f70eb32def75d4d5c35b6b1d9a220bb5914bca

  • SHA256

    e1dea6c0b807ff2455838fb511b781695b3908f835b27f2dfb0d397cfc1c41fd

  • SHA512

    907631659c4465546869e2fabcdf52e1510ba0b6d4c93c4dd7d2051b0e98ea434e4d3c90b59bb474d66da4d62b56c51c140667654209e1c32e07c90cd1bf2d4e

  • SSDEEP

    24576:LyKJptPSMvT72HUDxfy4R0Sl/Fh3nownbxHH8Qk6bwi:+KbtS05Dx64eSl9KQd8XYw

Score
10/10
amadeyredlinerosnzimadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

C2

176.113.115.145:4125

Attributes
  • auth_value

    2ef701d510c0d27e8a8e3270281678b1

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1dea6c0b807ff2455838fb511b781695b3908f835b27f2dfb0d397cfc1c41fd.exe
    "C:\Users\Admin\AppData\Local\Temp\e1dea6c0b807ff2455838fb511b781695b3908f835b27f2dfb0d397cfc1c41fd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitu4001.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitu4001.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEX1756.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEX1756.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it393249.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it393249.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2820
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr070755.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr070755.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4076
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp675250.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp675250.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr224589.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr224589.exe
      2⤵
      • Executes dropped EXE
      PID:3584
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 620
        3⤵
        • Program crash
        PID:3732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 700
        3⤵
        • Program crash
        PID:3720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 772
        3⤵
        • Program crash
        PID:3756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 868
        3⤵
        • Program crash
        PID:364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 916
        3⤵
        • Program crash
        PID:1700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 756
        3⤵
        • Program crash
        PID:4792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1084
        3⤵
        • Program crash
        PID:2068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr224589.exe
    Filesize

    231KB

    MD5

    5a531a1495614605383afe7a35731a7a

    SHA1

    f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

    SHA256

    2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

    SHA512

    906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr224589.exe
    Filesize

    231KB

    MD5

    5a531a1495614605383afe7a35731a7a

    SHA1

    f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

    SHA256

    2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

    SHA512

    906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitu4001.exe
    Filesize

    536KB

    MD5

    23c4082c393bd1c4e270d3a2f24adbcf

    SHA1

    1cce404c96a08c8bf2c0b701543616a0ca22f1c5

    SHA256

    540ee7dd946685f143d5fe3a0b5405829a557133ea2aa6349e114bf868848fed

    SHA512

    a3404c95693fd375fa32749d63f0e89cb838c285ab4fa969dcfc480a0ee390fdcfbfd067f4edf1b0d6a99d9a7d6abffb6d34284f3aa7adb16aada2e8dcb6a6a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitu4001.exe
    Filesize

    536KB

    MD5

    23c4082c393bd1c4e270d3a2f24adbcf

    SHA1

    1cce404c96a08c8bf2c0b701543616a0ca22f1c5

    SHA256

    540ee7dd946685f143d5fe3a0b5405829a557133ea2aa6349e114bf868848fed

    SHA512

    a3404c95693fd375fa32749d63f0e89cb838c285ab4fa969dcfc480a0ee390fdcfbfd067f4edf1b0d6a99d9a7d6abffb6d34284f3aa7adb16aada2e8dcb6a6a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp675250.exe
    Filesize

    169KB

    MD5

    8b2dfa8b7b7d7aba6c6bf5b9a1a1c35e

    SHA1

    80b10ba4e020dc7e209b079800ccf012b0a7b554

    SHA256

    f0c309879ee4031317d748ac1e5d773b67a27af5550fc47007fedca149ea589c

    SHA512

    b4776d8a7d7cbb0ed7beda73febf9d226dc081d8892d43fd8ec035215d8c0640e13343a0bed67e042d8ff727c446d7321e64b8d6835006866e8eb8a649887017

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp675250.exe
    Filesize

    169KB

    MD5

    8b2dfa8b7b7d7aba6c6bf5b9a1a1c35e

    SHA1

    80b10ba4e020dc7e209b079800ccf012b0a7b554

    SHA256

    f0c309879ee4031317d748ac1e5d773b67a27af5550fc47007fedca149ea589c

    SHA512

    b4776d8a7d7cbb0ed7beda73febf9d226dc081d8892d43fd8ec035215d8c0640e13343a0bed67e042d8ff727c446d7321e64b8d6835006866e8eb8a649887017

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEX1756.exe
    Filesize

    382KB

    MD5

    e059e1a486116cf8a33cc8556d622809

    SHA1

    2c2aece26deb1cacd405e35a47e3a2272a78ac04

    SHA256

    7a64676ca0bb2e358fe20943d94841dd1da74dbbf0b14e14a26105682ab0efa6

    SHA512

    07bdccde8218c5af561200b3edb84b6766539444a9065b6aaa2ee968a42804e005e9cf6c375f14e7e8921f8ec6296250a476c639c89639754d9d1ba286a41b7c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEX1756.exe
    Filesize

    382KB

    MD5

    e059e1a486116cf8a33cc8556d622809

    SHA1

    2c2aece26deb1cacd405e35a47e3a2272a78ac04

    SHA256

    7a64676ca0bb2e358fe20943d94841dd1da74dbbf0b14e14a26105682ab0efa6

    SHA512

    07bdccde8218c5af561200b3edb84b6766539444a9065b6aaa2ee968a42804e005e9cf6c375f14e7e8921f8ec6296250a476c639c89639754d9d1ba286a41b7c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it393249.exe
    Filesize

    11KB

    MD5

    96453ece97c4c73df430e1fa169562ea

    SHA1

    1005f54616f3988b12b221e6341315ada7ced16c

    SHA256

    bf5b62087ff64770f2f41daf976861918250912e5a03dd38c8fb9d91b79eb263

    SHA512

    b5a4b4ac2ac2831160a3df3c28151303b42a2573aed1b423ea1fcd622f5965a85e98388e68b01ff184441960d7ab2c93275f0d081001d0b2205d51616f475725

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it393249.exe
    Filesize

    11KB

    MD5

    96453ece97c4c73df430e1fa169562ea

    SHA1

    1005f54616f3988b12b221e6341315ada7ced16c

    SHA256

    bf5b62087ff64770f2f41daf976861918250912e5a03dd38c8fb9d91b79eb263

    SHA512

    b5a4b4ac2ac2831160a3df3c28151303b42a2573aed1b423ea1fcd622f5965a85e98388e68b01ff184441960d7ab2c93275f0d081001d0b2205d51616f475725

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr070755.exe
    Filesize

    297KB

    MD5

    e02162a348c25afdb875a1405fb7e4d7

    SHA1

    5b254b012f94edf242046458dfd929142ce902f4

    SHA256

    986249ace2ee197880b4a19e0cba399c4a8f8fa7fc0b9e5d59be24b548360844

    SHA512

    168583fece9094134403fcd024298258fd3bbee37a99d4e1f79770176e3525eb481b026fefd751bdba48b5096944925ada68d7a9cea770d78bd657fd2d943df7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr070755.exe
    Filesize

    297KB

    MD5

    e02162a348c25afdb875a1405fb7e4d7

    SHA1

    5b254b012f94edf242046458dfd929142ce902f4

    SHA256

    986249ace2ee197880b4a19e0cba399c4a8f8fa7fc0b9e5d59be24b548360844

    SHA512

    168583fece9094134403fcd024298258fd3bbee37a99d4e1f79770176e3525eb481b026fefd751bdba48b5096944925ada68d7a9cea770d78bd657fd2d943df7

    Download Submit
  • memory/2820-142-0x0000000000660000-0x000000000066A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2960-1083-0x00000000003F0000-0x0000000000420000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2960-1084-0x0000000000B20000-0x0000000000B26000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2960-1086-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2960-1085-0x000000000A1D0000-0x000000000A21B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3584-1092-0x00000000005A0000-0x00000000005DB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/4076-186-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-204-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-157-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-159-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-161-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-163-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-165-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-167-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-166-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-169-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-170-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-172-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-174-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-176-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-178-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-180-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-182-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-184-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-153-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-188-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-190-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-192-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-194-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-196-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-198-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-200-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-202-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-155-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-206-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-208-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-210-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-212-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-214-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-216-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-218-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-1061-0x00000000055E0000-0x0000000005BE6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4076-1062-0x0000000005050000-0x000000000515A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4076-1063-0x0000000005190000-0x00000000051A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4076-1064-0x00000000051B0000-0x00000000051EE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4076-1065-0x0000000005300000-0x000000000534B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4076-1066-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-1068-0x0000000005490000-0x0000000005522000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4076-1069-0x0000000005530000-0x0000000005596000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4076-1070-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-1071-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-1072-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-1073-0x0000000006340000-0x0000000006502000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4076-152-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4076-151-0x0000000004A50000-0x0000000004A94000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4076-150-0x0000000004AD0000-0x0000000004FCE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4076-149-0x00000000024D0000-0x0000000002516000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4076-148-0x00000000005E0000-0x000000000062B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4076-1074-0x0000000006530000-0x0000000006A5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4076-1075-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4076-1076-0x0000000006BA0000-0x0000000006C16000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4076-1077-0x0000000006C20000-0x0000000006C70000-memory.dmp
    Filesize

    320KB

    Download