Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2023, 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54e313971b500630efaac0eb35a13e5ab1d2854b8c5b9a78fd920299aed53e20.exe

  • Size

    819KB

  • MD5

    f2aafbd35bd9d45a9eb4a16f6bc4a30d

  • SHA1

    1f243f8e0a93f8b34eb1dec4595ff684c2c4e302

  • SHA256

    54e313971b500630efaac0eb35a13e5ab1d2854b8c5b9a78fd920299aed53e20

  • SHA512

    08e0cef4d0645a9a27d89f2a41461aed5ffac6f21d47a093ff7b9699d6c88def24e0dbd0aa790a16479e752733c90ff30674798240751c4f0010ae51cee20114

  • SSDEEP

    24576:6ysoRtUp9SCT31Wf2W2spuCve0V8UHUkzz:B9RYICb2LFe0b

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54e313971b500630efaac0eb35a13e5ab1d2854b8c5b9a78fd920299aed53e20.exe
    "C:\Users\Admin\AppData\Local\Temp\54e313971b500630efaac0eb35a13e5ab1d2854b8c5b9a78fd920299aed53e20.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3825.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3825.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1583.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1583.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3327.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3327.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4400
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4065.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4065.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3172
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1084
            5⤵
            • Program crash
            PID:3956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rra06s11.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rra06s11.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1136
          4⤵
          • Program crash
          PID:764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si824417.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si824417.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3172 -ip 3172
    1⤵
      PID:4924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4736 -ip 4736
      1⤵
        PID:2680

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si824417.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si824417.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3825.exe
        Filesize

        677KB

        MD5

        bb6ff8ef09163f490eb29ef06526226f

        SHA1

        71265dbb5306298740efb44de11989f2d901046f

        SHA256

        6e8ac8b73d64e26aae5755e755a38505a74940ea05c3112969daff47b27e58fa

        SHA512

        700c445a4781425ebb7f783dc5bc1c16c54057fb8469536fcc3f9ffdcc870e3dc5268fb0816a640ecad55ecf9c493b5caf61aa67870cc92c206411c638d41299

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3825.exe
        Filesize

        677KB

        MD5

        bb6ff8ef09163f490eb29ef06526226f

        SHA1

        71265dbb5306298740efb44de11989f2d901046f

        SHA256

        6e8ac8b73d64e26aae5755e755a38505a74940ea05c3112969daff47b27e58fa

        SHA512

        700c445a4781425ebb7f783dc5bc1c16c54057fb8469536fcc3f9ffdcc870e3dc5268fb0816a640ecad55ecf9c493b5caf61aa67870cc92c206411c638d41299

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rra06s11.exe
        Filesize

        349KB

        MD5

        64168927a05aa85dc2c4db995c6ca95a

        SHA1

        6482d89dbf2a6dc412c9ff441886f073f0e04159

        SHA256

        16b06a6f98732c189907c5d024ba1cdfb4dce89f3f19b542fbf1a74a6118de09

        SHA512

        eaa97534cca9c18ec99ef7a825e61c52abd0a720d4b89908a78a5ce265370a2e436ea2a47cad2e1e320d1a129639b8d2b45f41be15050e3e384ccf0fb67412e7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rra06s11.exe
        Filesize

        349KB

        MD5

        64168927a05aa85dc2c4db995c6ca95a

        SHA1

        6482d89dbf2a6dc412c9ff441886f073f0e04159

        SHA256

        16b06a6f98732c189907c5d024ba1cdfb4dce89f3f19b542fbf1a74a6118de09

        SHA512

        eaa97534cca9c18ec99ef7a825e61c52abd0a720d4b89908a78a5ce265370a2e436ea2a47cad2e1e320d1a129639b8d2b45f41be15050e3e384ccf0fb67412e7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1583.exe
        Filesize

        334KB

        MD5

        222c690122564fb197cb971655f3690e

        SHA1

        acedea68a7b472691b169f4545442a7624fbd194

        SHA256

        af8849a1dd14ae358ffda4f10fdcfb7dd9ce7f719ab1dceeda7e35cbeb073f15

        SHA512

        be15f9d41336084dbca092959cc589e59ba2e6e4342b04132bf593684c4cb33269e248ab61bfbe31000ab5b19518f8d288877aac25e4ed15d940421dd189dca4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1583.exe
        Filesize

        334KB

        MD5

        222c690122564fb197cb971655f3690e

        SHA1

        acedea68a7b472691b169f4545442a7624fbd194

        SHA256

        af8849a1dd14ae358ffda4f10fdcfb7dd9ce7f719ab1dceeda7e35cbeb073f15

        SHA512

        be15f9d41336084dbca092959cc589e59ba2e6e4342b04132bf593684c4cb33269e248ab61bfbe31000ab5b19518f8d288877aac25e4ed15d940421dd189dca4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3327.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3327.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4065.exe
        Filesize

        290KB

        MD5

        b8aeaa4996bf6b9a7248dc549dfd6979

        SHA1

        9dd1c33aefca3e166ab7811dcac35a103433ed31

        SHA256

        9d54866e97817c9412c7b18868ba1729d7d7a7c1175b35332338924010b5172d

        SHA512

        c704b30e423919a389c2746722bb8dd51eef5ab8631a51f86154199a3c77d06c24e519e20dada694d283f7d27d778f389d48660bbc04601c82a6e4f1e88ee3a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4065.exe
        Filesize

        290KB

        MD5

        b8aeaa4996bf6b9a7248dc549dfd6979

        SHA1

        9dd1c33aefca3e166ab7811dcac35a103433ed31

        SHA256

        9d54866e97817c9412c7b18868ba1729d7d7a7c1175b35332338924010b5172d

        SHA512

        c704b30e423919a389c2746722bb8dd51eef5ab8631a51f86154199a3c77d06c24e519e20dada694d283f7d27d778f389d48660bbc04601c82a6e4f1e88ee3a7

        Download Submit

      • memory/3172-169-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-183-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-162-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-163-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-165-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-167-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-160-0x00000000008D0000-0x00000000008FD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3172-171-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-173-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-175-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-177-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-179-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-181-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-161-0x0000000004FE0000-0x0000000005584000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3172-185-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-187-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-189-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3172-190-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3172-191-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3172-192-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3172-193-0x0000000000400000-0x0000000000830000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/3172-195-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3172-196-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3172-197-0x0000000000400000-0x0000000000830000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/3888-1134-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3888-1133-0x00000000004F0000-0x0000000000522000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4400-154-0x0000000000020000-0x000000000002A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4736-203-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-209-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-211-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-213-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-208-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-215-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-206-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-204-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-217-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-219-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-221-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-223-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-225-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-227-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-229-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-231-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-233-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-235-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-237-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-239-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-1112-0x00000000054B0000-0x0000000005AC8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4736-1113-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4736-1114-0x0000000005C20000-0x0000000005C32000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4736-1115-0x0000000005C40000-0x0000000005C7C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4736-1116-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-1117-0x0000000005F30000-0x0000000005FC2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4736-1118-0x0000000005FD0000-0x0000000006036000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4736-1119-0x00000000066F0000-0x00000000068B2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4736-1120-0x00000000068D0000-0x0000000006DFC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4736-1122-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-1123-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-1124-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4736-1125-0x0000000007070000-0x00000000070E6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4736-205-0x0000000002910000-0x000000000294E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4736-202-0x0000000000990000-0x00000000009DB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4736-1126-0x0000000007100000-0x0000000007150000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4736-1127-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download