Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2023, 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a46ce71ec40db74e3cafaea7b02b1a45e952499e4be14899e2e62c1a9cf72f9.exe

  • Size

    876KB

  • MD5

    0c236869705587cf117fd4207ad201c7

  • SHA1

    a7f6643b03551e67f877cc8f3daa98af6b92fff6

  • SHA256

    9a46ce71ec40db74e3cafaea7b02b1a45e952499e4be14899e2e62c1a9cf72f9

  • SHA512

    87c1457151076abd06e751b8ca3d26ca5f91bd64d023e1a88c89f855fd74c43a100932d446a968273ffeee52f4d57e9d287d70bd55b37b0466252a0d3f9f4f7d

  • SSDEEP

    12288:vMrAy90NwbzSS81keFMiMp0fLZ/bwFpK0jn5BuOilG5THk7/jATS1MYjGk:TykzpwFp3uOilG5g9Zd

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a46ce71ec40db74e3cafaea7b02b1a45e952499e4be14899e2e62c1a9cf72f9.exe
    "C:\Users\Admin\AppData\Local\Temp\9a46ce71ec40db74e3cafaea7b02b1a45e952499e4be14899e2e62c1a9cf72f9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9728.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9728.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1734.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1734.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9253.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9253.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1708
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4368.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4368.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4788
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1036
            5⤵
            • Program crash
            PID:3204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rvN09s55.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rvN09s55.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1664
          4⤵
          • Program crash
          PID:4232
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si310724.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si310724.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4788 -ip 4788
    1⤵
      PID:3916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3696 -ip 3696
      1⤵
        PID:2992

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si310724.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si310724.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9728.exe
        Filesize

        734KB

        MD5

        cccef3b85d1af84089bba3721390ca24

        SHA1

        e9991d20bac7896b606cccde4b2d2ff1dceb4a7e

        SHA256

        f66c3e0a24bf529e29f0d60e3f83c89bb00ae0b1f6580ba0ff4b982b504a67db

        SHA512

        5c1935c0a0fd4ecb04471038273a2396d2b044c4509bbca34d3b8e7662b0b118901dddd990f1fc43d06f1ed8bbb72512827c0bb3fcb326e0c0441ab570c20e65

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9728.exe
        Filesize

        734KB

        MD5

        cccef3b85d1af84089bba3721390ca24

        SHA1

        e9991d20bac7896b606cccde4b2d2ff1dceb4a7e

        SHA256

        f66c3e0a24bf529e29f0d60e3f83c89bb00ae0b1f6580ba0ff4b982b504a67db

        SHA512

        5c1935c0a0fd4ecb04471038273a2396d2b044c4509bbca34d3b8e7662b0b118901dddd990f1fc43d06f1ed8bbb72512827c0bb3fcb326e0c0441ab570c20e65

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rvN09s55.exe
        Filesize

        420KB

        MD5

        816813bb08f2d457af9e6f6019a239f1

        SHA1

        19957e16a48268103b7b7329461b59fb99a40992

        SHA256

        85832017824820f193e2079ea5f684816761b45b04e99206e242eb24c8223cf1

        SHA512

        6a1dd30f51f93fc525c2d788b432752cdebcdbd4f1ed6c75916ea1a86dddb427f6fbfeb4a64e42b4ec975d7ceed35b3a406a74071337423ce28bd7a088148dca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rvN09s55.exe
        Filesize

        420KB

        MD5

        816813bb08f2d457af9e6f6019a239f1

        SHA1

        19957e16a48268103b7b7329461b59fb99a40992

        SHA256

        85832017824820f193e2079ea5f684816761b45b04e99206e242eb24c8223cf1

        SHA512

        6a1dd30f51f93fc525c2d788b432752cdebcdbd4f1ed6c75916ea1a86dddb427f6fbfeb4a64e42b4ec975d7ceed35b3a406a74071337423ce28bd7a088148dca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1734.exe
        Filesize

        363KB

        MD5

        2643d8363c5b4be8d30baac7958e9d67

        SHA1

        bc9ed57e5044d9f4a467b688c2cbf61a3effcfca

        SHA256

        2d2a60ae16b5898d619276ead179ba788118712bdca61a7a3012c285bc4cfb30

        SHA512

        2b9f0f262f41750e0d8c82c067336415d713bc2bc83d3c14f1083f9e1aa95b1ccc8e9aff4f7d590a2db8eaae0c2b06fd5b93ba33c700496fde08cd5bbcd0c66e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1734.exe
        Filesize

        363KB

        MD5

        2643d8363c5b4be8d30baac7958e9d67

        SHA1

        bc9ed57e5044d9f4a467b688c2cbf61a3effcfca

        SHA256

        2d2a60ae16b5898d619276ead179ba788118712bdca61a7a3012c285bc4cfb30

        SHA512

        2b9f0f262f41750e0d8c82c067336415d713bc2bc83d3c14f1083f9e1aa95b1ccc8e9aff4f7d590a2db8eaae0c2b06fd5b93ba33c700496fde08cd5bbcd0c66e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9253.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9253.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4368.exe
        Filesize

        363KB

        MD5

        bea994720d03381c034d50a31a6a5f43

        SHA1

        7d666c57e0bce955c3190af345f0fd8597e32c50

        SHA256

        8d08c12713a3959688ef1de496a5756230b5332e3ff39df408f1136de16649b1

        SHA512

        f30dcf833e78327a71bac44c87a046cfba5bf1e26754804d9865d73ad19306aeeea66b3940fba06a3a12193e1a92c23ede9eff991d5488574157e17a50cbeef1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4368.exe
        Filesize

        363KB

        MD5

        bea994720d03381c034d50a31a6a5f43

        SHA1

        7d666c57e0bce955c3190af345f0fd8597e32c50

        SHA256

        8d08c12713a3959688ef1de496a5756230b5332e3ff39df408f1136de16649b1

        SHA512

        f30dcf833e78327a71bac44c87a046cfba5bf1e26754804d9865d73ad19306aeeea66b3940fba06a3a12193e1a92c23ede9eff991d5488574157e17a50cbeef1

        Download Submit

      • memory/1636-1134-0x0000000005090000-0x00000000050A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1636-1133-0x0000000000800000-0x0000000000832000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1708-154-0x0000000000790000-0x000000000079A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3696-1112-0x0000000005480000-0x0000000005A98000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3696-1116-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-1127-0x0000000007DD0000-0x00000000082FC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3696-1126-0x0000000007BC0000-0x0000000007D82000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3696-1125-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-1124-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-1123-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-1122-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-1120-0x00000000068A0000-0x00000000068F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3696-1119-0x0000000006820000-0x0000000006896000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3696-1118-0x0000000006000000-0x0000000006066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3696-1117-0x0000000005F60000-0x0000000005FF2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3696-1115-0x0000000005C70000-0x0000000005CAC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3696-1114-0x0000000005C50000-0x0000000005C62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3696-1113-0x0000000005B10000-0x0000000005C1A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3696-239-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-237-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-235-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-233-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-231-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-229-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-204-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-206-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-203-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-209-0x0000000000800000-0x000000000084B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3696-208-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-211-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-212-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-214-0x0000000002870000-0x0000000002880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3696-215-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-217-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-219-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-221-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-223-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-225-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3696-227-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4788-186-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-163-0x0000000002A80000-0x0000000002A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4788-198-0x0000000000400000-0x000000000071D000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4788-196-0x0000000002A80000-0x0000000002A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4788-195-0x0000000002A80000-0x0000000002A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4788-194-0x0000000002A80000-0x0000000002A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4788-164-0x0000000002A80000-0x0000000002A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4788-193-0x0000000000400000-0x000000000071D000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4788-192-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-190-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-168-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-188-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-166-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-182-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-165-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-180-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-178-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-176-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-174-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-172-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-170-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-184-0x00000000028C0000-0x00000000028D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4788-162-0x0000000002A80000-0x0000000002A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4788-161-0x0000000000720000-0x000000000074D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4788-160-0x0000000004EE0000-0x0000000005484000-memory.dmp

        Filesize

        5.6MB

        Download