Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/05/2023, 17:20

General

  • Target

    fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded.exe

  • Size

    768KB

  • MD5

    38b9105c16c49c40ff3673d08fa168a4

  • SHA1

    a25a8d1ec0b9679db5dcf633162ed95b87254702

  • SHA256

    fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded

  • SHA512

    4ba87f511edc2dcf788a317ebe4f7c2dfebe9dfa208e01bbfe57468e5d2d407672eeb585119776fb9fa063acd92dbc71d2b23259022f0b6661dd297688e0e315

  • SSDEEP

    12288:VMrvy90ikE6G68nZQRuR063TjwIzO+cG3TPZ7ldVABnw3m+fGavbw4WHEvu70T:2yrdnZquaMTjwIKGj/fgw2+Oqw45NT

Malware Config

Extracted

Family

redline

Botnet

dina

C2

83.97.73.122:19062

Attributes
  • auth_value

    4f77073adc624269de1bff760b9bc471

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded.exe
    "C:\Users\Admin\AppData\Local\Temp\fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4098657.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4098657.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4346922.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4346922.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7008812.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7008812.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2780
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8789647.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8789647.exe
          4⤵
          • Executes dropped EXE
          PID:2900
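The signature list and the process tree above describe one chain: three nested IXP*.TMP stages under %TEMP%, the third of which (k7008812.exe, flagged for SetThreadContext and WriteProcessMemory) starts the .NET Framework host AppLaunch.exe, and it is that AppLaunch.exe instance that then modifies Windows Defender real-time protection settings; the first three stages also add Run keys. The following is an added example, not sandbox output or code from the report: it runs simple detection logic over constructed Sysmon-style events. PIDs, image paths and parent/child links are taken from the tree; the event layout, the registry targets and value names (the report counts five Defender settings but does not list them, so the two shown are assumed), the Run-key details and the benign notepad noise are all assumptions made for the demo.

```python
"""Detect the report's behaviour chain over constructed Sysmon-style events:
nested IXP*.TMP droppers, AppLaunch.exe as injection host, Run-key persistence
and Defender real-time protection tampering. Added example; events are made up."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RTP = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"

# eid 1 = process create, eid 13 = registry value set (Sysmon numbering).
# PIDs/images/parents follow the report; registry targets and noise are assumed.
EVENTS = [
    {"eid": 1, "pid": 1608, "ppid": 4000, "image": SAMPLE},
    {"eid": 13, "pid": 1608, "target": RUN + r"\y4098657", "details": TEMP + r"\IXP000.TMP\y4098657.exe"},
    {"eid": 1, "pid": 3968, "ppid": 1608, "image": TEMP + r"\IXP000.TMP\y4098657.exe"},
    {"eid": 13, "pid": 3968, "target": RUN + r"\y4346922", "details": TEMP + r"\IXP001.TMP\y4346922.exe"},
    {"eid": 1, "pid": 1420, "ppid": 3968, "image": TEMP + r"\IXP001.TMP\y4346922.exe"},
    {"eid": 13, "pid": 1420, "target": RUN + r"\k7008812", "details": TEMP + r"\IXP002.TMP\k7008812.exe"},
    {"eid": 1, "pid": 2068, "ppid": 1420, "image": TEMP + r"\IXP002.TMP\k7008812.exe"},
    {"eid": 1, "pid": 2780, "ppid": 2068, "image": APPLAUNCH},
    {"eid": 13, "pid": 2780, "target": RTP + r"\DisableRealtimeMonitoring", "details": "DWORD (0x00000001)"},
    {"eid": 13, "pid": 2780, "target": RTP + r"\DisableBehaviorMonitoring", "details": "DWORD (0x00000001)"},
    {"eid": 1, "pid": 2900, "ppid": 1420, "image": TEMP + r"\IXP002.TMP\l8789647.exe"},
    # benign noise that must not fire
    {"eid": 1, "pid": 5100, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 13, "pid": 5100, "target": r"HKCU\Software\Microsoft\Notepad\iWindowPosX", "details": "DWORD (0x00000010)"},
]

IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
DOTNET_HOST = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\AppLaunch\.exe$", re.I)


def build_procs(events):
    """pid -> process-create event."""
    return {e["pid"]: e for e in events if e["eid"] == 1}


def ancestry(procs, pid):
    """Process-create events from pid upward until the parent is unknown."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def nested_sfx_chains(procs, min_depth=2):
    """PIDs whose image and parents sit in consecutive IXP*.TMP directories.
    One temp-dir stage is common; two or more nested ones (as here) are not."""
    hits = []
    for pid in procs:
        depth = 0
        for p in ancestry(procs, pid):
            if not IXP_DIR.search(p["image"]):
                break
            depth += 1
        if depth >= min_depth:
            hits.append(pid)
    return sorted(hits)


def dotnet_host_injection(procs):
    """AppLaunch.exe spawned by a process living in an IXP*.TMP directory.
    AppLaunch.exe has no payload of its own, so a temp-dir parent that also
    uses SetThreadContext/WriteProcessMemory is consistent with injection."""
    return sorted(pid for pid, p in procs.items()
                  if DOTNET_HOST.search(p["image"]) and p["ppid"] in procs
                  and IXP_DIR.search(procs[p["ppid"]]["image"]))


def registry_findings(events):
    """Registry value-set events hitting Run keys or Defender RTP settings."""
    out = defaultdict(list)
    for e in events:
        if e["eid"] != 13:
            continue
        if RUN_KEY.search(e["target"]):
            out["run_key"].append(e["pid"])
        if DEFENDER_RTP.search(e["target"]):
            out["defender_rtp"].append(e["pid"])
    return out


def run_detections(events):
    procs = build_procs(events)
    reg = registry_findings(events)
    tamper = sorted(set(reg["defender_rtp"]))
    return {
        "nested_sfx": nested_sfx_chains(procs),
        "dotnet_host_injection": dotnet_host_injection(procs),
        "run_key_persistence": sorted(set(reg["run_key"])),
        "defender_rtp_tampering": tamper,
        # high confidence when the tampering process descends from an IXP stage
        "chain_linked_tampering": [pid for pid in tamper if any(
            IXP_DIR.search(p["image"]) for p in ancestry(procs, pid))],
    }


if __name__ == "__main__":
    for name, pids in run_detections(EVENTS).items():
        print(f"{name:24s} {pids}")
```

The tampering check deliberately keys on the Real-Time Protection subkey rather than a fixed list of value names, since the report only gives a count of five; tie it to the ancestry check before alerting, because legitimate management tooling also writes those values.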

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4098657.exe

    Filesize

    449KB

    MD5

    2b3565e3be576188611c3c769e49c4ba

    SHA1

    28e0e93b6bc5bce030439bab2dc777ee3b4fbb9d

    SHA256

    ea6d659776324ccb54e027904b233578532b915be5ee006e209bad27a314b646

    SHA512

    2f95e1d396e6e2f54b9d87277936529647db4cec7624ba2cc40285b5b5b872b79a28529270ceeab4e4443bcc9346c0bc98690fc0105dd3f207fcc36e2225c625

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4346922.exe

    Filesize

    277KB

    MD5

    cbfe05e4f9026e433a0889db60b04e50

    SHA1

    cf3ca1d58036370e450550a85404455d82c51005

    SHA256

    9c6378ac14bbda0c9528ea1795c79df4a6bb407e9b97d7ff628076ca52b35fb1

    SHA512

    81d5ab4cb3bcb604ded176b0a4d351ccd6e166f62cba4675718db923aa2f10c52b195666e1b916cd700989ab31116247930741259018e7dceaa8b0d1afa8e765

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7008812.exe

    Filesize

    188KB

    MD5

    f10adc1c54a41e09550fe70c8f3b29b8

    SHA1

    11c586b64dd9c5e8659dca82435e79c444c4feb8

    SHA256

    ec83b909f627792cb40943acd1f2e2fb9437597bec70a99f899b5bcb276e2f5b

    SHA512

    e938bac47b7ce460cd0e0069dda726a9c89dc6a4ba208371be386e9c3c80d6e2ef683c14b1676534d55aae1cb80a2fa29702f42aa6f675e7c51d3a79c474a813

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8789647.exe

    Filesize

    145KB

    MD5

    527d627fe8475d34f1eb0ca5131f7bc9

    SHA1

    b8677a17726846cbc8daed644b2ded7ec67a14e2

    SHA256

    a904c4efcee9ec118b77fb721d2887fc02b5be6c593e8ae21cb8e12bcd586fcd

    SHA512

    4646b72ececf3a04cd753b98242385b0ac28ba5be9df2fec7f9da2f8ad3d534156adc2b7080b7bff47cc194d582a448db765bbac8d60d1466f7d3553d95c20a2

  • memory/2780-142-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2900-153-0x0000000000D90000-0x0000000000DBA000-memory.dmp

    Filesize

    168KB

  • memory/2900-154-0x0000000005B20000-0x0000000006126000-memory.dmp

    Filesize

    6.0MB

  • memory/2900-155-0x00000000056B0000-0x00000000057BA000-memory.dmp

    Filesize

    1.0MB

  • memory/2900-156-0x00000000055F0000-0x0000000005602000-memory.dmp

    Filesize

    72KB

  • memory/2900-157-0x00000000055C0000-0x00000000055D0000-memory.dmp

    Filesize

    64KB

  • memory/2900-158-0x0000000005650000-0x000000000568E000-memory.dmp

    Filesize

    248KB

  • memory/2900-159-0x00000000057C0000-0x000000000580B000-memory.dmp

    Filesize

    300KB

  • memory/2900-182-0x00000000055C0000-0x00000000055D0000-memory.dmp

    Filesize

    64KB
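The extracted config (C2 83.97.73.122:19062, botnet dina) and the hashes in the Downloads list are the report's reusable indicators. As an added example, not part of the report, the following Python sweeps Zeek-style conn.log and files.log records for them: an exact IP:port match on the C2 scores high, a connection to the same IP on any other port medium, and any transferred file whose SHA256 or MD5 equals the sample or one of its dropped stages is flagged. The log lines are constructed for the demo, and the parser assumes Zeek's default ASCII TSV layout with a #fields header and "-" for unset columns. The auth_value and botnet name are not matched: they are campaign identifiers that appear only inside the bot's traffic, not in connection metadata.

```python
"""Sweep Zeek conn.log / files.log records for this report's IOCs.
Added example; the log lines are constructed, not sandbox output."""
import ipaddress

# From the report's Malware Config and Downloads sections
C2 = "83.97.73.122:19062"
DROPPED = [  # (label, md5, sha256)
    ("initial sample", "38b9105c16c49c40ff3673d08fa168a4",
     "fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded"),
    ("IXP000.TMP/y4098657.exe", "2b3565e3be576188611c3c769e49c4ba",
     "ea6d659776324ccb54e027904b233578532b915be5ee006e209bad27a314b646"),
    ("IXP001.TMP/y4346922.exe", "cbfe05e4f9026e433a0889db60b04e50",
     "9c6378ac14bbda0c9528ea1795c79df4a6bb407e9b97d7ff628076ca52b35fb1"),
    ("IXP002.TMP/k7008812.exe", "f10adc1c54a41e09550fe70c8f3b29b8",
     "ec83b909f627792cb40943acd1f2e2fb9437597bec70a99f899b5bcb276e2f5b"),
    ("IXP002.TMP/l8789647.exe", "527d627fe8475d34f1eb0ca5131f7bc9",
     "a904c4efcee9ec118b77fb721d2887fc02b5be6c593e8ae21cb8e12bcd586fcd"),
]
MD5_IOCS = {md5: label for label, md5, _ in DROPPED}
SHA256_IOCS = {sha: label for label, _, sha in DROPPED}

# Constructed Zeek ASCII logs: tab separated, '#fields' header, '-' = unset.
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1685035260.101\tCa1b2c\t10.0.0.23\t51234\t83.97.73.122\t19062\ttcp\t-\n"
    "1685035261.880\tCd3e4f\t10.0.0.23\t51235\t83.97.73.122\t443\ttcp\tssl\n"
    "1685035262.002\tCg5h6i\t10.0.0.41\t49812\t198.51.100.7\t443\ttcp\tssl\n"
)
FILES_LOG = (
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename\tmd5\tsha1\tsha256\n"
    "1685035255.450\tFx1\t203.0.113.10\t10.0.0.23\tHTTP\tapplication/x-dosexec\tsetup.exe\t"
    "38b9105c16c49c40ff3673d08fa168a4\ta25a8d1ec0b9679db5dcf633162ed95b87254702\t"
    "fa58ae4baf0e3da30a2e318ee1ca45c27d39c32b4affbaea57dc4237bbee8ded\n"
    "1685035300.000\tFx2\t203.0.113.55\t10.0.0.41\tHTTP\tapplication/pdf\tinvoice.pdf\t-\t-\t-\n"
)


def parse_zeek_tsv(text):
    """Minimal Zeek ASCII log reader: honours #fields, skips other # lines."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_c2(c2):
    """'ip:port' -> (normalised ip string, port); tolerates [v6]:port."""
    host, _, port = c2.rpartition(":")
    return str(ipaddress.ip_address(host.strip("[]"))), int(port)


def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:  # '-' or malformed column
        return False


def match_conn(rows, c2=C2):
    ip, port = parse_c2(c2)
    hits = []
    for r in rows:
        if not _same_ip(r["id.resp_h"], ip) or not r["id.resp_p"].isdigit():
            continue
        sev = "high" if int(r["id.resp_p"]) == port else "medium"
        hits.append({"uid": r["uid"], "src": r["id.orig_h"], "ts": r["ts"], "severity": sev})
    return hits


def match_files(rows):
    hits = []
    for r in rows:
        for col, table in (("sha256", SHA256_IOCS), ("md5", MD5_IOCS)):
            h = r.get(col, "-").lower()
            if h in table:
                hits.append({"fuid": r["fuid"], "rx": r["rx_hosts"], "ioc": table[h], "via": col})
                break  # one hit per file record is enough
    return hits


def sweep(conn_text=CONN_LOG, files_text=FILES_LOG):
    conn = match_conn(parse_zeek_tsv(conn_text))
    files = match_files(parse_zeek_tsv(files_text))
    hosts = {h["src"] for h in conn} | {h["rx"] for h in files}
    return {"c2": conn, "files": files, "hosts_to_triage": sorted(hosts)}


if __name__ == "__main__":
    print(sweep())
```

For real logs call sweep(open("conn.log").read(), open("files.log").read()). The hashes will only catch this exact build of each stage, so the C2 endpoint and the behaviour chain in the process tree are the more durable indicators; the ssdeep value in the General section would need a fuzzy-hash library and is not used here.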