Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    223s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2023, 21:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    660cabd6fa9a1e9b46fbd6bf6606b38502aa583ac0636b54feb6c129d7c926bf.exe

  • Size

    481KB

  • MD5

    c03c1ae1cc25ac10f55bc2959980b22e

  • SHA1

    804ae310cd0a1c51e9d84bf58bdc2cc9c38d18f1

  • SHA256

    660cabd6fa9a1e9b46fbd6bf6606b38502aa583ac0636b54feb6c129d7c926bf

  • SHA512

    21ddd40110ebf9d16a3395e5c056b56bc5e12816b8a68e41be97d37a9376a2691133c32a5e6bdead4559aba2638fbc8d2e29db538678ca3a6e8db6e5d1d9b71f

  • SSDEEP

    12288:kMr1y90G1MLZ6hGZZH7mNg3/nSkeFAt3el90:pyBML/fTxeJ90

Score
10/10
redlinemisarevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

misar

C2

217.196.96.101:4132

Attributes
  • auth_value

    069dd9eeee8cff502b661416888f692a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\660cabd6fa9a1e9b46fbd6bf6606b38502aa583ac0636b54feb6c129d7c926bf.exe
    "C:\Users\Admin\AppData\Local\Temp\660cabd6fa9a1e9b46fbd6bf6606b38502aa583ac0636b54feb6c129d7c926bf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1844168.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1844168.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3641118.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3641118.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5944876.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5944876.exe
        3⤵
        • Executes dropped EXE
        PID:1628

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1844168.exe
          Filesize

          309KB

          MD5

          4330034c2d699a9967ef44886c637e50

          SHA1

          de63ce0cf98f48f69d850d87a72622dc10ce165e

          SHA256

          e1e746265aac55df9d305b8a5632aa1007de38a70cd84245b3874cb843ba2725

          SHA512

          167228c3f4bcc55492c8fdd5598dee338cf2f10e6ab08b11993263e67405cd85b4a95dddaf949e1762e78ef4d4e3f33bd068d4f910ebe128fd7b7a8edbb4d68e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1844168.exe
          Filesize

          309KB

          MD5

          4330034c2d699a9967ef44886c637e50

          SHA1

          de63ce0cf98f48f69d850d87a72622dc10ce165e

          SHA256

          e1e746265aac55df9d305b8a5632aa1007de38a70cd84245b3874cb843ba2725

          SHA512

          167228c3f4bcc55492c8fdd5598dee338cf2f10e6ab08b11993263e67405cd85b4a95dddaf949e1762e78ef4d4e3f33bd068d4f910ebe128fd7b7a8edbb4d68e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3641118.exe
          Filesize

          178KB

          MD5

          cabeea9f04fbea3e7f4a90911f6a25c0

          SHA1

          a30799ab8afb89851bdd07590d2dfdad1ee83834

          SHA256

          d2873c7912042c701c049c59142290dcabbb42d62a066cc45adf71825d961033

          SHA512

          c3df173250819ddf8c7b9163789b0739d3dd781c622c208724db0dcfa7c85c7306b0da7055ea64441ce3af27d77b1946dfd0aac9e9ac1a38026764319e02c7d5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3641118.exe
          Filesize

          178KB

          MD5

          cabeea9f04fbea3e7f4a90911f6a25c0

          SHA1

          a30799ab8afb89851bdd07590d2dfdad1ee83834

          SHA256

          d2873c7912042c701c049c59142290dcabbb42d62a066cc45adf71825d961033

          SHA512

          c3df173250819ddf8c7b9163789b0739d3dd781c622c208724db0dcfa7c85c7306b0da7055ea64441ce3af27d77b1946dfd0aac9e9ac1a38026764319e02c7d5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5944876.exe
          Filesize

          168KB

          MD5

          ede7f3e5073724236fceb603804f7c6c

          SHA1

          413c8bb5c373534125f20b566e20ac24099796a6

          SHA256

          a7732155a708dd56b71d14e78c6db0329ecaf4e59f6ee36e32c6b049cdac7ce7

          SHA512

          4870d1c5404c6dfd9b1ca6edabf5f0ecc66ab95940201be83d3341dd88a6c3d16b69c7752292b184b7e0d697085970ec5ced3fcb2d54636bc08e8a8b4045e13c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5944876.exe
          Filesize

          168KB

          MD5

          ede7f3e5073724236fceb603804f7c6c

          SHA1

          413c8bb5c373534125f20b566e20ac24099796a6

          SHA256

          a7732155a708dd56b71d14e78c6db0329ecaf4e59f6ee36e32c6b049cdac7ce7

          SHA512

          4870d1c5404c6dfd9b1ca6edabf5f0ecc66ab95940201be83d3341dd88a6c3d16b69c7752292b184b7e0d697085970ec5ced3fcb2d54636bc08e8a8b4045e13c

          Download Submit

        • memory/1628-191-0x00000000053E0000-0x00000000053F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1628-190-0x000000000A9B0000-0x000000000A9EC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1628-189-0x000000000A950000-0x000000000A962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1628-188-0x000000000AA20000-0x000000000AB2A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1628-187-0x000000000AED0000-0x000000000B4E8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1628-186-0x0000000000BE0000-0x0000000000C10000-memory.dmp

          Filesize

          192KB

          Download

        • memory/4212-166-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-179-0x0000000004C70000-0x0000000004C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4212-162-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-164-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-158-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-168-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-170-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-172-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-174-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-176-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-178-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-160-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-180-0x0000000004C70000-0x0000000004C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4212-181-0x0000000004C70000-0x0000000004C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4212-156-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-154-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-152-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-151-0x0000000004A90000-0x0000000004AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4212-150-0x0000000004C70000-0x0000000004C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4212-149-0x0000000004C70000-0x0000000004C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4212-148-0x0000000004C70000-0x0000000004C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4212-147-0x0000000004C80000-0x0000000005224000-memory.dmp

          Filesize

          5.6MB

          Download