Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5de4e2cc351fa3dc15ef8ddf2c0e5e3a29b4ab806fa09fc1def103c7ab97677.exe

  • Size

    850KB

  • MD5

    d826665fdb211ae135ade15bafc762d6

  • SHA1

    7cd87faddb86fd3b6499f85f736f9108141c38ec

  • SHA256

    f5de4e2cc351fa3dc15ef8ddf2c0e5e3a29b4ab806fa09fc1def103c7ab97677

  • SHA512

    60cf5508851a665132aa990550c77a62e39aaab12df7edfdf7510deacaa695e22c2a1e2b22d9656d46e81a6178017bcbde5ec8dbc3af778becc5eb0030dc4664

  • SSDEEP

    24576:oyC0clZyzZ5rn3QhXxEgMqdTm3HgtWJmP:vC0SyzPrnAjETqdgHgE

Score
10/10
redlinegenarukadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

ruka

C2

193.233.20.28:4125

Attributes
  • auth_value

    5d1d0e51ebe1e3f16cca573ff651c43c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 17 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5de4e2cc351fa3dc15ef8ddf2c0e5e3a29b4ab806fa09fc1def103c7ab97677.exe
    "C:\Users\Admin\AppData\Local\Temp\f5de4e2cc351fa3dc15ef8ddf2c0e5e3a29b4ab806fa09fc1def103c7ab97677.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3603.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3603.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba1496.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba1496.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613Xg.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613Xg.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h46Ef90.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h46Ef90.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSuXQ67.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSuXQ67.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1344
          4⤵
          • Program crash
          PID:2660
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l21GJ71.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l21GJ71.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1480 -ip 1480
    1⤵
      PID:2072

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l21GJ71.exe
      Filesize

      175KB

      MD5

      6c4c2a56d5dd785adbe4fe60fa3cc1f2

      SHA1

      f8bd4379310258f8e54c47b56f5eec7394adb9a2

      SHA256

      b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

      SHA512

      f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l21GJ71.exe
      Filesize

      175KB

      MD5

      6c4c2a56d5dd785adbe4fe60fa3cc1f2

      SHA1

      f8bd4379310258f8e54c47b56f5eec7394adb9a2

      SHA256

      b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

      SHA512

      f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3603.exe
      Filesize

      708KB

      MD5

      b48afb56c0a564f365a1a76c2a62b899

      SHA1

      646e84eb9df76cec2e5b9af3d27056e11f872d7f

      SHA256

      6ac6be3a4315b5b8de8e51b18b9c6a06016b666559a0f76c1f2ec05ed6913d2a

      SHA512

      0f5a5dc6e30eab34c194e180de6ca884851cf14b53e9ab3efef096b7d3569a968e487f2c6123409cce75e1f26ab0464d7ee13292a8d00c879d43c35e7c7367e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3603.exe
      Filesize

      708KB

      MD5

      b48afb56c0a564f365a1a76c2a62b899

      SHA1

      646e84eb9df76cec2e5b9af3d27056e11f872d7f

      SHA256

      6ac6be3a4315b5b8de8e51b18b9c6a06016b666559a0f76c1f2ec05ed6913d2a

      SHA512

      0f5a5dc6e30eab34c194e180de6ca884851cf14b53e9ab3efef096b7d3569a968e487f2c6123409cce75e1f26ab0464d7ee13292a8d00c879d43c35e7c7367e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSuXQ67.exe
      Filesize

      391KB

      MD5

      80d2d28a4e0646e72bc2027bad1184a8

      SHA1

      02102c6b3b7e6e896036b1cc22e870d00b11a1a8

      SHA256

      89a1f01053947d1468cd49d5b1353db0e0ebf507b9b45e731b1624d3c90d396d

      SHA512

      755bb532f7c40ec1047ed690d1c4779b5467635005d777ae6fe3e06694660986c1ebc7b0653bd1acf5de294bde608d896b3d66a64ef94cd265b8958b7a910130

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSuXQ67.exe
      Filesize

      391KB

      MD5

      80d2d28a4e0646e72bc2027bad1184a8

      SHA1

      02102c6b3b7e6e896036b1cc22e870d00b11a1a8

      SHA256

      89a1f01053947d1468cd49d5b1353db0e0ebf507b9b45e731b1624d3c90d396d

      SHA512

      755bb532f7c40ec1047ed690d1c4779b5467635005d777ae6fe3e06694660986c1ebc7b0653bd1acf5de294bde608d896b3d66a64ef94cd265b8958b7a910130

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba1496.exe
      Filesize

      358KB

      MD5

      e05845ffc085a14df48553b0b17ab1b6

      SHA1

      be4f0544304841409d90cb8b826d9bdb21b5af0a

      SHA256

      2c88dc2369617d067491ba1f0bd11854de235bc1d24d594e923a16fc850e80f6

      SHA512

      1de0827c8350545afd2539fbf7f85be8bfd4c3e64988079f3cf74ce544df8357c03d7a8478961db334cc092d08c74506c5c199c37c893d0c1f0846693bbd7d05

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba1496.exe
      Filesize

      358KB

      MD5

      e05845ffc085a14df48553b0b17ab1b6

      SHA1

      be4f0544304841409d90cb8b826d9bdb21b5af0a

      SHA256

      2c88dc2369617d067491ba1f0bd11854de235bc1d24d594e923a16fc850e80f6

      SHA512

      1de0827c8350545afd2539fbf7f85be8bfd4c3e64988079f3cf74ce544df8357c03d7a8478961db334cc092d08c74506c5c199c37c893d0c1f0846693bbd7d05

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613Xg.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613Xg.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h46Ef90.exe
      Filesize

      371KB

      MD5

      3bbc1076778bb26cc0689840d589abd6

      SHA1

      a4e99023c68f4c6a3d7954adb01a0202e233fd1c

      SHA256

      e74d98c7356e311372e2b262c5b4385eb0e6717b38a9304835bf084a0ac6d1e2

      SHA512

      5460135172952d7370d805a1b4a0a4d2c9a538c8cab5d5a468ca2df3c13fdeb5022ec0bd417557d07394ff5da1274ed29e6c133be919bbb0f40db81c854cb70c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h46Ef90.exe
      Filesize

      371KB

      MD5

      3bbc1076778bb26cc0689840d589abd6

      SHA1

      a4e99023c68f4c6a3d7954adb01a0202e233fd1c

      SHA256

      e74d98c7356e311372e2b262c5b4385eb0e6717b38a9304835bf084a0ac6d1e2

      SHA512

      5460135172952d7370d805a1b4a0a4d2c9a538c8cab5d5a468ca2df3c13fdeb5022ec0bd417557d07394ff5da1274ed29e6c133be919bbb0f40db81c854cb70c

      Download Submit
    • memory/1480-236-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-1114-0x00000000080A0000-0x00000000080DC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1480-1126-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-1125-0x0000000009620000-0x0000000009670000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1480-1124-0x00000000095A0000-0x0000000009616000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1480-1123-0x0000000008CF0000-0x000000000921C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1480-1122-0x0000000008B10000-0x0000000008CD2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1480-1121-0x0000000008A20000-0x0000000008AB2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1480-1120-0x0000000008350000-0x00000000083B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1480-1119-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-1118-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-1117-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-1115-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-1113-0x0000000008040000-0x0000000008052000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1480-1112-0x0000000007F00000-0x000000000800A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1480-1111-0x0000000007880000-0x0000000007E98000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1480-234-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-232-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-230-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-228-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-226-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-224-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-201-0x0000000002CC0000-0x0000000002D0B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1480-202-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-203-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-204-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1480-205-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-206-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-208-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-210-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-212-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-214-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-216-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-218-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-220-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1480-222-0x0000000004D60000-0x0000000004D9E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1716-1134-0x00000000056D0000-0x00000000056E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1716-1133-0x00000000056D0000-0x00000000056E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1716-1132-0x0000000000D90000-0x0000000000DC2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2256-156-0x000000001ABF0000-0x000000001AD3E000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2256-154-0x0000000000040000-0x000000000004A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3504-184-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-176-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-191-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-190-0x0000000004BF0000-0x0000000004C00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3504-188-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-164-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-186-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-162-0x00000000070C0000-0x0000000007664000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3504-182-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-180-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-178-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-161-0x0000000002C60000-0x0000000002C8D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3504-174-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-172-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-170-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-168-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-166-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3504-192-0x0000000004BF0000-0x0000000004C00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3504-193-0x0000000004BF0000-0x0000000004C00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3504-194-0x0000000000400000-0x0000000002B0C000-memory.dmp
      Filesize

      39.0MB

      Download
    • memory/3504-196-0x0000000000400000-0x0000000002B0C000-memory.dmp
      Filesize

      39.0MB

      Download
    • memory/3504-163-0x0000000004C40000-0x0000000004C52000-memory.dmp
      Filesize

      72KB

      Download