Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2023, 00:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b47b381b7a5f551b7cfb62199b046420d5a3a1636f4893a87d1d5ace0d92ad39.exe

  • Size

    981KB

  • MD5

    f0c6811c62766421c4c431ce213d5761

  • SHA1

    5a05c76ba9c25a6e12355d514adb103064717dad

  • SHA256

    b47b381b7a5f551b7cfb62199b046420d5a3a1636f4893a87d1d5ace0d92ad39

  • SHA512

    03abd5ce99b72678712ac5abf64e9cc3e58184db4d822025d7250656961d52a7a24bdcc3166b0541e646dbb56f66a488733f39abf338cae7b3823254808f281e

  • SSDEEP

    24576:/ylSKw/23guy7FGR+TGoqhn7pyI3LFqkfUNC7:KniuERGIGdhn7pJ3MdC

Score
10/10
redlinehavalmaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.122:19062

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

haval

C2

83.97.73.122:19062

Attributes
  • auth_value

    d23dec6813deb04eb8abd82657a9b0af

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b47b381b7a5f551b7cfb62199b046420d5a3a1636f4893a87d1d5ace0d92ad39.exe
    "C:\Users\Admin\AppData\Local\Temp\b47b381b7a5f551b7cfb62199b046420d5a3a1636f4893a87d1d5ace0d92ad39.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2499217.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2499217.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3887655.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3887655.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3402155.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3402155.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1800
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0595578.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0595578.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1736
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3444289.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3444289.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          4⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
            5⤵
            • Executes dropped EXE
            PID:1492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3542575.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3542575.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:480

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
          Filesize

          226B

          MD5

          916851e072fbabc4796d8916c5131092

          SHA1

          d48a602229a690c512d5fdaf4c8d77547a88e7a2

          SHA256

          7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

          SHA512

          07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3542575.exe
          Filesize

          328KB

          MD5

          d1df373bb242bda7f0a6a53ea6fe3676

          SHA1

          3456efe29f5c04467d6b730c00bfc87608db739b

          SHA256

          059431ac86d58a117e9486e34a8e198b471930fe159fe384a286fb7ba910063d

          SHA512

          8b2bad8e510d09157e276a2c4665754be36488d75c70401f5658a1a7c7aaceb3f388ebb4bb9fdcd137f000b71ca4f27eb2bcca17dcec7be5770921ecf41a6f39

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3542575.exe
          Filesize

          328KB

          MD5

          d1df373bb242bda7f0a6a53ea6fe3676

          SHA1

          3456efe29f5c04467d6b730c00bfc87608db739b

          SHA256

          059431ac86d58a117e9486e34a8e198b471930fe159fe384a286fb7ba910063d

          SHA512

          8b2bad8e510d09157e276a2c4665754be36488d75c70401f5658a1a7c7aaceb3f388ebb4bb9fdcd137f000b71ca4f27eb2bcca17dcec7be5770921ecf41a6f39

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2499217.exe
          Filesize

          661KB

          MD5

          193013e737ec38338078e75e501e217c

          SHA1

          756703532ac5de1e5ae02949bdfbd62cfa49a915

          SHA256

          5deac3f4dbbd06c8cd4c1732e8f8b39d7cd99dc9af7e4ca95f0c9829f127186f

          SHA512

          fd81a1b48132227977b937236d636c6ab8de80aafc26ba8e27be9748d3845b47921b86421cf4ce8988888b7e47a9b117946c46fe3d623f82e61ed921becc3d59

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2499217.exe
          Filesize

          661KB

          MD5

          193013e737ec38338078e75e501e217c

          SHA1

          756703532ac5de1e5ae02949bdfbd62cfa49a915

          SHA256

          5deac3f4dbbd06c8cd4c1732e8f8b39d7cd99dc9af7e4ca95f0c9829f127186f

          SHA512

          fd81a1b48132227977b937236d636c6ab8de80aafc26ba8e27be9748d3845b47921b86421cf4ce8988888b7e47a9b117946c46fe3d623f82e61ed921becc3d59

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3444289.exe
          Filesize

          388KB

          MD5

          9ecd84c0f817dbab44725111ced84227

          SHA1

          c488d2ace4232e7600675c97dada9492ffb4f558

          SHA256

          c2eb80d0fab8a89d86a02f16296f89a323e4cb57d9b9d4b17a0273ea15d6cb93

          SHA512

          4340c0a4f1fe2a9ec4123d001dc4e3d698b6ba2c080e3974809f5a334496d406c081c2dd15b4f55f7ce9e708b5b575b6a3315d31afeca72675ab259cbcaa1fd4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3444289.exe
          Filesize

          388KB

          MD5

          9ecd84c0f817dbab44725111ced84227

          SHA1

          c488d2ace4232e7600675c97dada9492ffb4f558

          SHA256

          c2eb80d0fab8a89d86a02f16296f89a323e4cb57d9b9d4b17a0273ea15d6cb93

          SHA512

          4340c0a4f1fe2a9ec4123d001dc4e3d698b6ba2c080e3974809f5a334496d406c081c2dd15b4f55f7ce9e708b5b575b6a3315d31afeca72675ab259cbcaa1fd4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3887655.exe
          Filesize

          280KB

          MD5

          c9ab2b03f8284a32ddba9574a7e36573

          SHA1

          7075733be88a738089099248be298c4159e021fd

          SHA256

          a1ffce35046340c5e116f916e1a14eb0981431d6687089b61261c2dbfb909a3d

          SHA512

          fbce2ca1339cf8f793d1ae1b94a35f59d493d7794ba90c43e698fc344b76e0a2fabc1ab71b4e8c7c4134945f67fdf99a33c221a338962aad40a9b50ad3d84b1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3887655.exe
          Filesize

          280KB

          MD5

          c9ab2b03f8284a32ddba9574a7e36573

          SHA1

          7075733be88a738089099248be298c4159e021fd

          SHA256

          a1ffce35046340c5e116f916e1a14eb0981431d6687089b61261c2dbfb909a3d

          SHA512

          fbce2ca1339cf8f793d1ae1b94a35f59d493d7794ba90c43e698fc344b76e0a2fabc1ab71b4e8c7c4134945f67fdf99a33c221a338962aad40a9b50ad3d84b1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3402155.exe
          Filesize

          194KB

          MD5

          51d66356d6031321ff2a04f3125f1316

          SHA1

          9f0802fb0ff1924144c03d39ff36699be81f5db9

          SHA256

          d20ced6f6873f4f0cd9979c6b7047cc2d4a95826ee9b6345ab74793f0f8cf653

          SHA512

          57fde216c5152c7861a1eea01c5be80f5b580188223c1035c18355bbe1a50e4b714ff45998cd9a1146bf6e6a3f83f13731fe7a6c349517ce9f970a840c10ea3b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3402155.exe
          Filesize

          194KB

          MD5

          51d66356d6031321ff2a04f3125f1316

          SHA1

          9f0802fb0ff1924144c03d39ff36699be81f5db9

          SHA256

          d20ced6f6873f4f0cd9979c6b7047cc2d4a95826ee9b6345ab74793f0f8cf653

          SHA512

          57fde216c5152c7861a1eea01c5be80f5b580188223c1035c18355bbe1a50e4b714ff45998cd9a1146bf6e6a3f83f13731fe7a6c349517ce9f970a840c10ea3b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0595578.exe
          Filesize

          145KB

          MD5

          437800fe395632836e34711b671927f6

          SHA1

          71c6badb2f0aa712bc2bc9f1c6456e8184c54672

          SHA256

          fa6bca7d126952813e7909e9a97c7463da8cbb8e1f494249ff946c069e1f825e

          SHA512

          53a5f3c9ff764e30fca6af33117a6e8809f2312730420d7aaf54a71496d77356bc090dd0f21bb7f3539ab2a0ecce937a7d5e3e761d72c80e1a0bb5f7282239a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0595578.exe
          Filesize

          145KB

          MD5

          437800fe395632836e34711b671927f6

          SHA1

          71c6badb2f0aa712bc2bc9f1c6456e8184c54672

          SHA256

          fa6bca7d126952813e7909e9a97c7463da8cbb8e1f494249ff946c069e1f825e

          SHA512

          53a5f3c9ff764e30fca6af33117a6e8809f2312730420d7aaf54a71496d77356bc090dd0f21bb7f3539ab2a0ecce937a7d5e3e761d72c80e1a0bb5f7282239a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • memory/480-196-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/480-215-0x0000000005110000-0x0000000005120000-memory.dmp

          Filesize

          64KB

          Download

        • memory/652-193-0x00000000007A0000-0x00000000007D8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/652-192-0x00000000007A0000-0x00000000007D8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/652-183-0x00000000007A0000-0x00000000007D8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1736-163-0x0000000000E80000-0x0000000000EAA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/1736-177-0x0000000007130000-0x0000000007180000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1736-176-0x00000000070B0000-0x0000000007126000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1736-175-0x0000000007900000-0x0000000007E2C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1736-174-0x0000000007200000-0x00000000073C2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1736-173-0x0000000005980000-0x0000000005990000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1736-171-0x0000000005DC0000-0x0000000005E26000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1736-170-0x0000000005D20000-0x0000000005DB2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1736-169-0x0000000006A80000-0x0000000007024000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1736-168-0x00000000058D0000-0x000000000590C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1736-167-0x0000000005980000-0x0000000005990000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1736-166-0x0000000003500000-0x0000000003512000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1736-165-0x00000000059A0000-0x0000000005AAA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1736-164-0x0000000005EB0000-0x00000000064C8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1800-155-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download