Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2023, 00:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4c03cb97506b770d1e1f3e22fc965533d811f73ffe5b71a9716762a94484d40b.exe

  • Size

    777KB

  • MD5

    309c99d2bc3e4d0afd95be0275432158

  • SHA1

    debf2e8beb57817fcc32eac30add37d8828fc8e8

  • SHA256

    4c03cb97506b770d1e1f3e22fc965533d811f73ffe5b71a9716762a94484d40b

  • SHA512

    7264c45428e1c765b8f2aa7b0464709e8fc6a5f9f4e7db88c6bdb0d2f534e6fb3d5e2655e4c3fd25a8e1eb80299cff421db4f3adf129ec40f79b0b5ae2c28b43

  • SSDEEP

    12288:pMrqy90kNvRVq/2F3p15xuTxph5Jc9mjIwT7VrfKcqjIMOlT5IQUlTBd8D5t:3yBrnp15KH4mjIWrtM4IrTBWDL

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c03cb97506b770d1e1f3e22fc965533d811f73ffe5b71a9716762a94484d40b.exe
    "C:\Users\Admin\AppData\Local\Temp\4c03cb97506b770d1e1f3e22fc965533d811f73ffe5b71a9716762a94484d40b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0818.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0818.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio5462.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio5462.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1913.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1913.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1808
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu7816.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu7816.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4208
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1080
            5⤵
            • Program crash
            PID:3032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rWr40s40.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rWr40s40.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1336
          4⤵
          • Program crash
          PID:3676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si711066.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si711066.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4208 -ip 4208
    1⤵
      PID:1416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3608 -ip 3608
      1⤵
        PID:3544

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si711066.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si711066.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0818.exe
        Filesize

        635KB

        MD5

        6f3fc5ad128627e77ea59e827ca4bfd2

        SHA1

        161395ea266ab0aab388d06e4ed28865f9fe581b

        SHA256

        165fd7d7ece5bc0bf527d76c6074912931dcf7c3f8fb5f102782af58f5815297

        SHA512

        526be0dfb034f2eed7387c01245818a739fdeee9da938e89a5aee616d10072e26cb820afed9c53612d0ef86ec1efbaf53267c67ba377d42939fcd783c19bf8c1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0818.exe
        Filesize

        635KB

        MD5

        6f3fc5ad128627e77ea59e827ca4bfd2

        SHA1

        161395ea266ab0aab388d06e4ed28865f9fe581b

        SHA256

        165fd7d7ece5bc0bf527d76c6074912931dcf7c3f8fb5f102782af58f5815297

        SHA512

        526be0dfb034f2eed7387c01245818a739fdeee9da938e89a5aee616d10072e26cb820afed9c53612d0ef86ec1efbaf53267c67ba377d42939fcd783c19bf8c1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rWr40s40.exe
        Filesize

        288KB

        MD5

        5ca45323c394aca44e0429177566cfe9

        SHA1

        fa431adb8a3218d292594a1bb1aad9ad44c177db

        SHA256

        79851ab5e6bb3ba45c2acfbb6c293c2c8df3509ede9d4c5e8c3ba6fcb62b5679

        SHA512

        9630d3e4f15a25ac537faabcdafabdae3d2a3d1d769970b0c39cb6c7206cc28a5f9d0d073bfbd876d050a7b5ae463b59a130212b3d84d080eebf0ab21cf93757

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rWr40s40.exe
        Filesize

        288KB

        MD5

        5ca45323c394aca44e0429177566cfe9

        SHA1

        fa431adb8a3218d292594a1bb1aad9ad44c177db

        SHA256

        79851ab5e6bb3ba45c2acfbb6c293c2c8df3509ede9d4c5e8c3ba6fcb62b5679

        SHA512

        9630d3e4f15a25ac537faabcdafabdae3d2a3d1d769970b0c39cb6c7206cc28a5f9d0d073bfbd876d050a7b5ae463b59a130212b3d84d080eebf0ab21cf93757

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio5462.exe
        Filesize

        313KB

        MD5

        d93bb7feca3b3af96c6bba369339609a

        SHA1

        6dd28dd9d007c943578ca988b5f479809f40cb51

        SHA256

        f1204d221de20ff55fb6d24153958d23df97ed61265c185e354671ef6092381d

        SHA512

        c8a2833dba95bf23da4b2a9a5583dc390c97e8b9f8605d9d116d6596b9e84f0d06086edfc44ab5e092d034a902ef454f43afc9871700a94d904383b4dd84b83f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio5462.exe
        Filesize

        313KB

        MD5

        d93bb7feca3b3af96c6bba369339609a

        SHA1

        6dd28dd9d007c943578ca988b5f479809f40cb51

        SHA256

        f1204d221de20ff55fb6d24153958d23df97ed61265c185e354671ef6092381d

        SHA512

        c8a2833dba95bf23da4b2a9a5583dc390c97e8b9f8605d9d116d6596b9e84f0d06086edfc44ab5e092d034a902ef454f43afc9871700a94d904383b4dd84b83f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1913.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1913.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu7816.exe
        Filesize

        230KB

        MD5

        a44e711e827c120768897aa668c137ee

        SHA1

        3bde46e888ab19e6b72a6521a128eae650d73fe2

        SHA256

        1caab1615a6ecec7d764756846714d96f33d66bdd1696818276fcfe7fc885547

        SHA512

        07e49980dd01962b139a63c267241366433591c6fb3ea44c4ce448ca2b58f679a049574534ac260d86115261ab36ca6a387ba7c2f4f96df19d7a85f3bebbfa00

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu7816.exe
        Filesize

        230KB

        MD5

        a44e711e827c120768897aa668c137ee

        SHA1

        3bde46e888ab19e6b72a6521a128eae650d73fe2

        SHA256

        1caab1615a6ecec7d764756846714d96f33d66bdd1696818276fcfe7fc885547

        SHA512

        07e49980dd01962b139a63c267241366433591c6fb3ea44c4ce448ca2b58f679a049574534ac260d86115261ab36ca6a387ba7c2f4f96df19d7a85f3bebbfa00

        Download Submit

      • memory/1808-154-0x0000000000D10000-0x0000000000D1A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2168-1134-0x00000000005E0000-0x0000000000612000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2168-1135-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-240-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-1116-0x0000000005A10000-0x0000000005A4C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3608-1128-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-1127-0x0000000007AF0000-0x000000000801C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3608-1126-0x0000000007920000-0x0000000007AE2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3608-1125-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-1124-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-1123-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-1121-0x0000000006530000-0x0000000006580000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3608-1120-0x00000000064A0000-0x0000000006516000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3608-1119-0x0000000005DA0000-0x0000000005E06000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3608-1118-0x0000000005D00000-0x0000000005D92000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3608-1117-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-1115-0x00000000059F0000-0x0000000005A02000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3608-1114-0x00000000058B0000-0x00000000059BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3608-1113-0x0000000005210000-0x0000000005828000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3608-236-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-237-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-238-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-232-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-235-0x0000000004B00000-0x0000000004B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3608-203-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-204-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-206-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-208-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-210-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-212-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-214-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-216-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-218-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-220-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-224-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-222-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-226-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-228-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-230-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3608-233-0x0000000001EB0000-0x0000000001EFB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4208-189-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-162-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-198-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/4208-197-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4208-196-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4208-165-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-195-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4208-193-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/4208-192-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4208-171-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-191-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4208-190-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4208-169-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-185-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-167-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-183-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-181-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-179-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-177-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-175-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-173-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-187-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-163-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4208-161-0x0000000004AD0000-0x0000000005074000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4208-160-0x0000000000590000-0x00000000005BD000-memory.dmp

        Filesize

        180KB

        Download