Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/06/2023, 19:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d8a860b47c297d054a41adc27b659088aac19c0ccf0f5f56755810cd005b70a0.exe

  • Size

    584KB

  • MD5

    0f7cbdb1c7395b351099360a89410cef

  • SHA1

    0e5776633ee0d36d1b839145a53b2637c64be181

  • SHA256

    d8a860b47c297d054a41adc27b659088aac19c0ccf0f5f56755810cd005b70a0

  • SHA512

    f6d640e7ecdc7b5bc089c2e6be1045d2562627d80a0fdd152697a59935e2295f220abc358dcd815407e9c4b059c037e075695992cdfbbd5b77ef2cdaf1f9f0c3

  • SSDEEP

    12288:HMrSy90c/KcfqvBUG7EzzuT7uxe6VKUk+4pdG:Vyj8yCuIuzB

Score
10/10
redlinedizaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a860b47c297d054a41adc27b659088aac19c0ccf0f5f56755810cd005b70a0.exe
    "C:\Users\Admin\AppData\Local\Temp\d8a860b47c297d054a41adc27b659088aac19c0ccf0f5f56755810cd005b70a0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7962169.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7962169.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9045222.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9045222.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8728674.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8728674.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1381581.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1381581.exe
          4⤵
          • Executes dropped EXE
          PID:3840

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7962169.exe
          Filesize

          377KB

          MD5

          b8de5cec99f9a60c7057b7f42345446a

          SHA1

          68257e2ddde67dc8991d509b2e2c391dbaec9c16

          SHA256

          117a2aed1bc000beb5112aacbf719f3c76d2ffc928626f259a2daa273365dcf5

          SHA512

          6855b124e0546f7e71d122e0b9ae1ef2010fb939951167563612f6174e47ae0748da6e2c994d0927cf7d72245aec116d94bc6d9afc3f54065d8eea2ca66a9668

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7962169.exe
          Filesize

          377KB

          MD5

          b8de5cec99f9a60c7057b7f42345446a

          SHA1

          68257e2ddde67dc8991d509b2e2c391dbaec9c16

          SHA256

          117a2aed1bc000beb5112aacbf719f3c76d2ffc928626f259a2daa273365dcf5

          SHA512

          6855b124e0546f7e71d122e0b9ae1ef2010fb939951167563612f6174e47ae0748da6e2c994d0927cf7d72245aec116d94bc6d9afc3f54065d8eea2ca66a9668

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9045222.exe
          Filesize

          206KB

          MD5

          8280aeca2af6aa11490aef60b0d175f1

          SHA1

          9dc6910fe0bf7b37faead0ce794afa587bdda551

          SHA256

          d656458eb85794f8ebf253bbe235f775ae90d57bc263e05b6f52a11c31f6d3b0

          SHA512

          38c8a2681b3144f00a8c1607909b773dd873792168bd6989dcadcf35a1c9066d93ecbaaf0901a749a97f890d9b83261cf79bd225850837406bfbe86f7ebc2927

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9045222.exe
          Filesize

          206KB

          MD5

          8280aeca2af6aa11490aef60b0d175f1

          SHA1

          9dc6910fe0bf7b37faead0ce794afa587bdda551

          SHA256

          d656458eb85794f8ebf253bbe235f775ae90d57bc263e05b6f52a11c31f6d3b0

          SHA512

          38c8a2681b3144f00a8c1607909b773dd873792168bd6989dcadcf35a1c9066d93ecbaaf0901a749a97f890d9b83261cf79bd225850837406bfbe86f7ebc2927

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8728674.exe
          Filesize

          12KB

          MD5

          a4a90c12051936be81b13f5b4778409b

          SHA1

          e4a10b3fd62e25b6935dd56c07043205cdbb4188

          SHA256

          dc6cbbb27e8f1a11f42d484ba7c6d5d0675aafdc479bd99397d374711e427aac

          SHA512

          36066408c153b7da5efe90ce707845829492358f181ce076dc48893d5352c7957b82a8d092c1ac1e65d93911a309f7dda3b013310ddb876709cb325fce372851

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8728674.exe
          Filesize

          12KB

          MD5

          a4a90c12051936be81b13f5b4778409b

          SHA1

          e4a10b3fd62e25b6935dd56c07043205cdbb4188

          SHA256

          dc6cbbb27e8f1a11f42d484ba7c6d5d0675aafdc479bd99397d374711e427aac

          SHA512

          36066408c153b7da5efe90ce707845829492358f181ce076dc48893d5352c7957b82a8d092c1ac1e65d93911a309f7dda3b013310ddb876709cb325fce372851

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1381581.exe
          Filesize

          172KB

          MD5

          5ef5ffea5daed7e23ae5d9bd80efc093

          SHA1

          1997a806a7f98597deada80ad826c924be728fa3

          SHA256

          45839f1d03fc7ec2f82735248ad1c05b2a212ac5050c2c811b87e68918dd4270

          SHA512

          82d2dba5c6d4d1b4d8d801de92b2f4ef4b4ffc4c95aaf4762fb94487370f740e3666640b129e8ff7ed3cd69fc0087b60a7a6fb4f9b7b49100f2a40deb8b90f5d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1381581.exe
          Filesize

          172KB

          MD5

          5ef5ffea5daed7e23ae5d9bd80efc093

          SHA1

          1997a806a7f98597deada80ad826c924be728fa3

          SHA256

          45839f1d03fc7ec2f82735248ad1c05b2a212ac5050c2c811b87e68918dd4270

          SHA512

          82d2dba5c6d4d1b4d8d801de92b2f4ef4b4ffc4c95aaf4762fb94487370f740e3666640b129e8ff7ed3cd69fc0087b60a7a6fb4f9b7b49100f2a40deb8b90f5d

          Download Submit

        • memory/3840-147-0x00000000007E0000-0x0000000000810000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3840-148-0x0000000002950000-0x0000000002956000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3840-149-0x000000000AB00000-0x000000000B106000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/3840-150-0x000000000A600000-0x000000000A70A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3840-151-0x000000000A510000-0x000000000A522000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3840-152-0x000000000A570000-0x000000000A5AE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3840-153-0x000000000A710000-0x000000000A75B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3840-154-0x0000000005160000-0x0000000005170000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5028-142-0x0000000000B10000-0x0000000000B1A000-memory.dmp

          Filesize

          40KB

          Download