Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21/08/2023, 18:43 UTC

General

  • Target

    df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe

  • Size

    838KB

  • MD5

    2e88ed1b1b88eaa7f44cf2f29930d130

  • SHA1

    548d56fd197f8fccf4ba981ad05ee9695a5c0da2

  • SHA256

    df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571

  • SHA512

    7bf9cf794e9edad4ce1eff1c8c17327b87cc923629b15961850c64cb8a33ac48b4183a0bff8d59688bb3722875151e765fe7ca50d342e99425608078714c432e

  • SSDEEP

    12288:tMrdy9050kSlvF2P4BiHYoZNkvb4uSQyiWtsozDnDblaXcb9bkbO+Srca:gyi0JA4Bi44kcuSpsoPV4+9ca

Malware Config

Extracted

Family

redline

Botnet

lang

C2

77.91.124.73:19071

Attributes
  • auth_value

    92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

  • Detects Healer, an antivirus disabler dropper (3 IoCs)
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 5 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE (7 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe
    "C:\Users\Admin\AppData\Local\Temp\df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1868
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2092
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe
              6⤵
              • Executes dropped EXE
              PID:4908
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe
            5⤵
            • Executes dropped EXE
            PID:4888

Network

  • Country: RU
    POST
    http://193.233.254.61/loghub/master
    b7271290.exe
    Remote address:
    193.233.254.61:80
    Request
    POST /loghub/master HTTP/1.1
    Content-Type: multipart/form-data; boundary=TgxLZtelNGwZNfvrxlUW
    Content-Length: 213
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
    Host: 193.233.254.61
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 21 Aug 2023 18:43:24 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 8
    Connection: keep-alive
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Referrer-Policy: same-origin
  • Country: US
    DNS
    61.254.233.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.254.233.193.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    1.0.9.d.d.a.4.9.c.a.d.3.7.f.6.1.1.0.9.d.d.a.4.9.8.0.8.0.8.0.8.0.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.0.9.d.d.a.4.9.c.a.d.3.7.f.6.1.1.0.9.d.d.a.4.9.8.0.8.0.8.0.8.0.ip6.arpa
    IN PTR
    Response
  • Country: US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • Country: US
    DNS
    1.77.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.77.109.52.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    9.57.101.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.57.101.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    152.141.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    152.141.79.40.in-addr.arpa
    IN PTR
    Response
  • 193.233.254.61:80
    http://193.233.254.61/loghub/master
    http
    b7271290.exe
    755 B
    436 B
    6
    4

    HTTP Request

    POST http://193.233.254.61/loghub/master

    HTTP Response

    200
  • 77.91.124.73:19071
    c9841968.exe
    156 B
    3
  • 77.91.124.73:19071
    c9841968.exe
    156 B
    3
  • 77.91.124.73:19071
    c9841968.exe
    156 B
    3
  • 77.91.124.73:19071
    c9841968.exe
    156 B
    3
  • 77.91.124.73:19071
    c9841968.exe
    156 B
    3
  • 77.91.124.73:19071
    c9841968.exe
    104 B
    2
  • 8.8.8.8:53
    61.254.233.193.in-addr.arpa
    dns
    73 B
    128 B
    1
    1

    DNS Request

    61.254.233.193.in-addr.arpa

  • 8.8.8.8:53
    1.0.9.d.d.a.4.9.c.a.d.3.7.f.6.1.1.0.9.d.d.a.4.9.8.0.8.0.8.0.8.0.ip6.arpa
    dns
    118 B
    182 B
    1
    1

    DNS Request

    1.0.9.d.d.a.4.9.c.a.d.3.7.f.6.1.1.0.9.d.d.a.4.9.8.0.8.0.8.0.8.0.ip6.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    1.77.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    1.77.109.52.in-addr.arpa

  • 8.8.8.8:53
    9.57.101.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.57.101.20.in-addr.arpa

  • 8.8.8.8:53
    152.141.79.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    152.141.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe

    Filesize

    723KB

    MD5

    f6e81de36d1ae9b9d5d16148dc18d5ec

    SHA1

    41f34290ef3a7b533b9efb6cf3bbbd44afb4aac8

    SHA256

    0bb8a3ffdfc717b9ea7589bcde109226653d3da9f000c045a72efed03729565f

    SHA512

    f1537a19919da13890f47362ea475e3617449545b78023a9159b3f1577bc9c7c6e79894d35e440e053d500cfff9f61a6d6a87d389672911321e16c5f9d9a5797

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe

    Filesize

    497KB

    MD5

    d838d5f19206a71c6d21b8dad49313e1

    SHA1

    e7abc94e89771012e3d63fe9abed67d945c18d37

    SHA256

    8dd0c7ca37fbf7b02171a6b4be9c26292097b75c81528d77a4f9fcd8d218cc59

    SHA512

    19ec056d51a79b8bcde6770b088a3ea3807d6e98ecf25712b189abf245c996c9c904c244b57d9b6acbe0684ca4944616ecd0fb80a9d271c9af526070cbd614a7

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe

    Filesize

    373KB

    MD5

    fde6c292c59acb8eb28959380a978d67

    SHA1

    569167b9a5da70005e6c68e7e6b2af8f813d8cd9

    SHA256

    77754fd5b99892efc33cb2492a213bca70fbf00c3ff31bc5b865e4b9fa77cc1f

    SHA512

    d9ff06e0d97e34364afee11576f9ee7ed24e5dbc9edb0dcad06aaea7f720408a10bc0efc9dd6b120f57cf79999c85ed51057da3ae9d361a79901428b4f59226f

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe

    Filesize

    174KB

    MD5

    ccad5b7b6606de8f1750aad530bf5000

    SHA1

    68456914673d99a614954eabffc23774d58110fb

    SHA256

    bed30abbf9cb3a60873db7178cf43bba3b30a74d12b46a0b8fb2f0fb32f305d9

    SHA512

    b13301f0486649f121d1005a1cb9b14efe05301a52c3d07fd53943e03c77d72c78c97cf82d973c2c38edf1b2c3577085210a82c742d66a8f9572ed3daa6ec7ca

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe

    Filesize

    216KB

    MD5

    82e0a2b5bb0a294723a0007337579b70

    SHA1

    6ca6360350ac3116f691aeeff7bcd88b15db4f61

    SHA256

    e8b16530ce366d5de0d2d288a28793bcaca82944eb1aedfc82bbfc9c3b3e4fed

    SHA512

    3cc2d7fd4b1783538f7bda284f79a6a780049e608320b360e521929fb9023e4d932a8d914c68beb6f4aacbe5349936866d011427e490ca4f1ed5592f41eb4e68

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe

    Filesize

    11KB

    MD5

    0458441986a4112e5f730ab86c58defc

    SHA1

    2fef4b04cb5e09e4dbfc4ea5452f0b1b6282bb93

    SHA256

    e05a7c1141caab0974e3cfd38521d9baa45ad972c5f023b87da902271d0ed830

    SHA512

    452525d29682b7baf97243042f1c945a6128ee3b0952440731079dea0eb7a02aa5c093cce5c6ac0ace91a94fc388243e4e14507c817f667a31e7a08ebaeb3e46

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe

    Filesize

    140KB

    MD5

    86dddefde76bee519941ebd64ebf42d3

    SHA1

    6f8fb7e67b962fb179e732ea9a5456a7a4488ae8

    SHA256

    0a68806186ea863903468c787ddfb3d0ea084a2c6d86842f21735f453079ef20

    SHA512

    d44ca80467ce3a5cd8de07d163c636b0a8c08be7ba31d36e73daaa5884ef6d38ae2b5315c667042d36482cd6b1f4a5dc5897b16b8d3063cf79b55bac0e769295

  • memory/2092-158-0x00007FFB32910000-0x00007FFB332FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-156-0x00007FFB32910000-0x00007FFB332FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-155-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

  • memory/4888-165-0x0000000000CD0000-0x0000000000D00000-memory.dmp

    Filesize

    192KB

  • memory/4888-166-0x00000000730E0000-0x00000000737CE000-memory.dmp

    Filesize

    6.9MB

  • memory/4888-167-0x0000000002EF0000-0x0000000002EF6000-memory.dmp

    Filesize

    24KB

  • memory/4888-168-0x000000000B130000-0x000000000B736000-memory.dmp

    Filesize

    6.0MB

  • memory/4888-169-0x000000000AC30000-0x000000000AD3A000-memory.dmp

    Filesize

    1.0MB

  • memory/4888-170-0x000000000AB50000-0x000000000AB62000-memory.dmp

    Filesize

    72KB

  • memory/4888-171-0x000000000ABB0000-0x000000000ABEE000-memory.dmp

    Filesize

    248KB

  • memory/4888-172-0x000000000AD40000-0x000000000AD8B000-memory.dmp

    Filesize

    300KB

  • memory/4888-173-0x00000000730E0000-0x00000000737CE000-memory.dmp

    Filesize

    6.9MB
