Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-03-2023 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    228e170cbc2dcce5b087bb38e579e4f111c030457d1bad8e464642ba5a1a6da7.exe

  • Size

    835KB

  • MD5

    a247cad43660b92642f7c99e179e7842

  • SHA1

    6f5f285ddfcc77d66ea4a90e9390601a0e19c8c0

  • SHA256

    228e170cbc2dcce5b087bb38e579e4f111c030457d1bad8e464642ba5a1a6da7

  • SHA512

    f37b26e5c02202e11001df51b084e010fe29cba2219eefd96cbcadcd97a51124615343aec0a7108efb9f037eed67dbddc69078b8fcd08b3175dd36657f1ef317

  • SSDEEP

    12288:dMr0y902mnKm+DRmdm4wRbNpEyaXDkLsLYo6o8qbv+jJrK8HEd8m7RDVX+Mixhml:hy7Lm8fjojYLskoxt2K7RJxixFtYoW

Score
10/10
redlinegenavintdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

C2

193.233.20.30:4125

Attributes
  • auth_value

    fb8811912f8370b3d23bffda092d88d0

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\228e170cbc2dcce5b087bb38e579e4f111c030457d1bad8e464642ba5a1a6da7.exe
    "C:\Users\Admin\AppData\Local\Temp\228e170cbc2dcce5b087bb38e579e4f111c030457d1bad8e464642ba5a1a6da7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zip1862.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zip1862.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zip7830.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zip7830.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3857Sr.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3857Sr.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4948
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16dl02.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16dl02.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFhEK44.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFhEK44.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78YX10.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78YX10.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78YX10.exe
    Filesize

    175KB

    MD5

    3389637c0d072121bf1b127629736d37

    SHA1

    300e915efdf2479bfd0d3699c0a6bc51260f9655

    SHA256

    2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

    SHA512

    a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78YX10.exe
    Filesize

    175KB

    MD5

    3389637c0d072121bf1b127629736d37

    SHA1

    300e915efdf2479bfd0d3699c0a6bc51260f9655

    SHA256

    2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

    SHA512

    a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zip1862.exe
    Filesize

    694KB

    MD5

    f72160da08bfe8dc72248f5bd911bf24

    SHA1

    84241db136a1a3a3ac596d3884967f3d65f1d9d4

    SHA256

    4734900f858c8bd337093323f7ad60bd4fd6f04407e9d28b812511494623d4f4

    SHA512

    282384736025c385add40d29af40e9b6d5734521dcdcc3afe77e3c7c32331032adba9f1b65c032303b162c0c4eadd3a784cb6dd41e94ab9672ed3c4de9bba1bf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zip1862.exe
    Filesize

    694KB

    MD5

    f72160da08bfe8dc72248f5bd911bf24

    SHA1

    84241db136a1a3a3ac596d3884967f3d65f1d9d4

    SHA256

    4734900f858c8bd337093323f7ad60bd4fd6f04407e9d28b812511494623d4f4

    SHA512

    282384736025c385add40d29af40e9b6d5734521dcdcc3afe77e3c7c32331032adba9f1b65c032303b162c0c4eadd3a784cb6dd41e94ab9672ed3c4de9bba1bf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFhEK44.exe
    Filesize

    391KB

    MD5

    d36427559523e49e9c8ce5e4224457e4

    SHA1

    0b45340716816ab13348dd95b79d2cc05c38c894

    SHA256

    d4d450fd951990a6671d33e94d4f88a209f391d99b0df2283ad77c499de1e19c

    SHA512

    1fec7ba54f597b21b85d924639166cf95693b90f29df2e8c90add31d678165bf8e173f60a2ad0822793f5248634429a90ffd696c06daab857c9ec1d87d92a0e3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFhEK44.exe
    Filesize

    391KB

    MD5

    d36427559523e49e9c8ce5e4224457e4

    SHA1

    0b45340716816ab13348dd95b79d2cc05c38c894

    SHA256

    d4d450fd951990a6671d33e94d4f88a209f391d99b0df2283ad77c499de1e19c

    SHA512

    1fec7ba54f597b21b85d924639166cf95693b90f29df2e8c90add31d678165bf8e173f60a2ad0822793f5248634429a90ffd696c06daab857c9ec1d87d92a0e3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zip7830.exe
    Filesize

    344KB

    MD5

    eb7437d8daf02c2d4b6f53ba02f4b50e

    SHA1

    71a567dc922ece276b2c31f13cc983ec7986a024

    SHA256

    a1c977fb39a4db88dea54581705b4225f0922cfb1c286e910baac840ec1bef91

    SHA512

    5511281fa2817e8720c8ca32f73a355fd30cc4e4b175926e3b49c41bed8830bb41d2ff31e2871ecfbc427cd23df78b00b5ee042d1e552803c7eb7713611097e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zip7830.exe
    Filesize

    344KB

    MD5

    eb7437d8daf02c2d4b6f53ba02f4b50e

    SHA1

    71a567dc922ece276b2c31f13cc983ec7986a024

    SHA256

    a1c977fb39a4db88dea54581705b4225f0922cfb1c286e910baac840ec1bef91

    SHA512

    5511281fa2817e8720c8ca32f73a355fd30cc4e4b175926e3b49c41bed8830bb41d2ff31e2871ecfbc427cd23df78b00b5ee042d1e552803c7eb7713611097e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3857Sr.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3857Sr.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16dl02.exe
    Filesize

    334KB

    MD5

    2004d5d5c01c4fd6186ddf135c099e23

    SHA1

    88fc74a784ab8ab3d60b41b56c3c5cdad98b79c2

    SHA256

    4d26dc1fcceca217ffc1d35727ac7352688908fb013213431b66c099275a9053

    SHA512

    1244a67fcb7ae43193cf74c371ffcb1e237779a72589ea56da143d1e7e072afb3800cc63f9dc5623e4ca83746d09b2db4ba6b513597a98585d8b29ba291c509c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16dl02.exe
    Filesize

    334KB

    MD5

    2004d5d5c01c4fd6186ddf135c099e23

    SHA1

    88fc74a784ab8ab3d60b41b56c3c5cdad98b79c2

    SHA256

    4d26dc1fcceca217ffc1d35727ac7352688908fb013213431b66c099275a9053

    SHA512

    1244a67fcb7ae43193cf74c371ffcb1e237779a72589ea56da143d1e7e072afb3800cc63f9dc5623e4ca83746d09b2db4ba6b513597a98585d8b29ba291c509c

    Download Submit
  • memory/1416-226-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-1102-0x0000000007960000-0x000000000799E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-1115-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-1114-0x0000000008DB0000-0x00000000092DC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1416-1113-0x0000000008BE0000-0x0000000008DA2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1416-1112-0x0000000008B50000-0x0000000008BA0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1416-1111-0x0000000008AD0000-0x0000000008B46000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1416-1110-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-1109-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-1108-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-1107-0x0000000008930000-0x00000000089C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1416-1105-0x0000000007C30000-0x0000000007C96000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1416-1103-0x0000000007AA0000-0x0000000007AEB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1416-1104-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-1101-0x0000000007210000-0x0000000007222000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1416-1100-0x0000000007850000-0x000000000795A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1416-1099-0x0000000007E60000-0x0000000008466000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1416-224-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-222-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-220-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-218-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-216-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-214-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-212-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-210-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-187-0x00000000048D0000-0x0000000004916000-memory.dmp
    Filesize

    280KB

    Download
  • memory/1416-188-0x0000000002C90000-0x0000000002CDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1416-190-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-189-0x0000000004C30000-0x0000000004C74000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1416-191-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-193-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-192-0x0000000007240000-0x0000000007250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-194-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-196-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-198-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-200-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-202-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-204-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-206-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-208-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2088-166-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-182-0x0000000000400000-0x0000000002B03000-memory.dmp
    Filesize

    39.0MB

    Download
  • memory/2088-164-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-179-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2088-180-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2088-178-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2088-177-0x0000000000400000-0x0000000002B03000-memory.dmp
    Filesize

    39.0MB

    Download
  • memory/2088-176-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-144-0x0000000007310000-0x000000000780E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2088-172-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-174-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-170-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-148-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2088-168-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-145-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2088-146-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2088-162-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-160-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-158-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-156-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-154-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-152-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-150-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-149-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2088-147-0x0000000007300000-0x0000000007310000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2088-143-0x0000000004760000-0x000000000477A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4828-1121-0x0000000000010000-0x0000000000042000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4828-1122-0x0000000004A50000-0x0000000004A9B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4828-1123-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4948-137-0x0000000000510000-0x000000000051A000-memory.dmp
    Filesize

    40KB

    Download