Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2023, 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe

  • Size

    776KB

  • MD5

    5099d07dda26068d93c68b8601ed42cd

  • SHA1

    28f00407de4cb9c60eae3d482b831b3c436769f2

  • SHA256

    4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30

  • SHA512

    475606f7f19225047e7150f897f78591a41a2c80454ac961dbbf5361ffba8eb395c132748cd3a3577e9ac91032b99b7bed07f02d7b9832192e5c5d3234ce5ea5

  • SSDEEP

    12288:XMrhy90EJvi+2tEQLsE/tHlcCqRLNtoY0WoEXXIyifnYNuWX31kZDZIvdFxwksML:6y+EWs4OxDocCfnYNuxS1kcxR0Ij

Score
10/10
redlinegenarukadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

ruka

C2

193.233.20.28:4125

Attributes
  • auth_value

    5d1d0e51ebe1e3f16cca573ff651c43c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe
    "C:\Users\Admin\AppData\Local\Temp\4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2571.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2571.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7827.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7827.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7197UW.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7197UW.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:636
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13kt61.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13kt61.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1976
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1104
            5⤵
            • Program crash
            PID:4472
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iVIqW40.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iVIqW40.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1440
          4⤵
          • Program crash
          PID:3776
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l24iG53.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l24iG53.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1240
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1976 -ip 1976
    1⤵
      PID:4040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3044 -ip 3044
      1⤵
        PID:4040

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l24iG53.exe
        Filesize

        175KB

        MD5

        6c4c2a56d5dd785adbe4fe60fa3cc1f2

        SHA1

        f8bd4379310258f8e54c47b56f5eec7394adb9a2

        SHA256

        b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

        SHA512

        f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l24iG53.exe
        Filesize

        175KB

        MD5

        6c4c2a56d5dd785adbe4fe60fa3cc1f2

        SHA1

        f8bd4379310258f8e54c47b56f5eec7394adb9a2

        SHA256

        b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

        SHA512

        f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2571.exe
        Filesize

        634KB

        MD5

        128798cdb8a29b33f733936baa3f6be8

        SHA1

        e5e40a897e9df871809daef85397057b691f9876

        SHA256

        bd7dd97b1ab86408336f2d298fb453e8e207c9af1022ab9abe4c1d459861550e

        SHA512

        08dd22a558d45ee03d3dbd7acf003bbcdf1be542b4b6ee0f988ddf13f317de12c174307d7b06ce21173fb4e34f0a4daa7fba1d90d8fb2e57f2dc0ead29893e4a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2571.exe
        Filesize

        634KB

        MD5

        128798cdb8a29b33f733936baa3f6be8

        SHA1

        e5e40a897e9df871809daef85397057b691f9876

        SHA256

        bd7dd97b1ab86408336f2d298fb453e8e207c9af1022ab9abe4c1d459861550e

        SHA512

        08dd22a558d45ee03d3dbd7acf003bbcdf1be542b4b6ee0f988ddf13f317de12c174307d7b06ce21173fb4e34f0a4daa7fba1d90d8fb2e57f2dc0ead29893e4a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iVIqW40.exe
        Filesize

        288KB

        MD5

        05821a068d6789b2a66b55ec0c630239

        SHA1

        4472efee94061b21327fde2b38bed0b1f34456b0

        SHA256

        cd2498d187fc5020cacd060af782fec5554bd2070258a0eb9836438ce425157d

        SHA512

        5ef8a92742ee4e98c3dde03df4e4d38f3c41b2630442f9398ef0a3b9c7727df952fdaa140b01695c7c98553be203584eef8f2f5ebbdece754e3ca42f8fdd1cf9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iVIqW40.exe
        Filesize

        288KB

        MD5

        05821a068d6789b2a66b55ec0c630239

        SHA1

        4472efee94061b21327fde2b38bed0b1f34456b0

        SHA256

        cd2498d187fc5020cacd060af782fec5554bd2070258a0eb9836438ce425157d

        SHA512

        5ef8a92742ee4e98c3dde03df4e4d38f3c41b2630442f9398ef0a3b9c7727df952fdaa140b01695c7c98553be203584eef8f2f5ebbdece754e3ca42f8fdd1cf9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7827.exe
        Filesize

        314KB

        MD5

        348cb243fe1f29d747b320cab7752417

        SHA1

        fb8ff854cb0e9ae58f8694eb2c8c0f0f52f1c4be

        SHA256

        7d555aaae4f32b2d747bdb03fe6a0f0fafaa3914254ee0889fcfa8d53a9e3885

        SHA512

        16db694d873c4d42ad0044def5847528780b8acb1b7f317e66c95e1c4129497c5370e052085421e2bc8e7df969ea918f57c7beed7ca985143840326f06ce1acd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7827.exe
        Filesize

        314KB

        MD5

        348cb243fe1f29d747b320cab7752417

        SHA1

        fb8ff854cb0e9ae58f8694eb2c8c0f0f52f1c4be

        SHA256

        7d555aaae4f32b2d747bdb03fe6a0f0fafaa3914254ee0889fcfa8d53a9e3885

        SHA512

        16db694d873c4d42ad0044def5847528780b8acb1b7f317e66c95e1c4129497c5370e052085421e2bc8e7df969ea918f57c7beed7ca985143840326f06ce1acd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7197UW.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7197UW.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13kt61.exe
        Filesize

        230KB

        MD5

        abb1bcfd988ce47a26fb3ff73bf6ca8c

        SHA1

        7728a60c631f26f708fddde45ea0ef278f693ce5

        SHA256

        72bfeb4e4ce4d313eeedb8fac54dccd63409aef6157657f17962aa88921ceb9e

        SHA512

        0fff16838d41b9ce4957cb12cbe558f8e9c36ff8e05e5e3b6a334dfa87caad989b0b5e89628e94f6465e38faff85c06e6d2451510e4470e8444e9f933713fd47

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13kt61.exe
        Filesize

        230KB

        MD5

        abb1bcfd988ce47a26fb3ff73bf6ca8c

        SHA1

        7728a60c631f26f708fddde45ea0ef278f693ce5

        SHA256

        72bfeb4e4ce4d313eeedb8fac54dccd63409aef6157657f17962aa88921ceb9e

        SHA512

        0fff16838d41b9ce4957cb12cbe558f8e9c36ff8e05e5e3b6a334dfa87caad989b0b5e89628e94f6465e38faff85c06e6d2451510e4470e8444e9f933713fd47

        Download Submit

      • memory/636-154-0x0000000000E70000-0x0000000000E7A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1240-1133-0x00000000056B0000-0x00000000056C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1240-1132-0x0000000000A40000-0x0000000000A72000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1976-166-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-182-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-164-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-162-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1976-168-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-170-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-172-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-174-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-176-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-178-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-180-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-163-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-184-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-186-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-188-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-190-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1976-191-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/1976-192-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1976-193-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1976-194-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1976-196-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/1976-161-0x00000000004C0000-0x00000000004ED000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1976-160-0x0000000004DE0000-0x0000000005384000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3044-202-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-206-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-208-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-210-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-212-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-214-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-216-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-218-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-220-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-222-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-224-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-226-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-228-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-230-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-232-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-234-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-437-0x00000000005A0000-0x00000000005EB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3044-439-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-444-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-441-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-1111-0x0000000005210000-0x0000000005828000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3044-1112-0x00000000058B0000-0x00000000059BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3044-1113-0x00000000059F0000-0x0000000005A02000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3044-1114-0x0000000005A10000-0x0000000005A4C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3044-1115-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-1116-0x0000000005D00000-0x0000000005D66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3044-1117-0x00000000063B0000-0x0000000006442000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3044-1119-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-1120-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-1121-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-1122-0x0000000002080000-0x0000000002090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3044-1123-0x00000000065C0000-0x0000000006636000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3044-1124-0x0000000006650000-0x00000000066A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3044-204-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-201-0x0000000005030000-0x000000000506E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3044-1125-0x00000000066E0000-0x00000000068A2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3044-1126-0x00000000068B0000-0x0000000006DDC000-memory.dmp

        Filesize

        5.2MB

        Download