Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afde9b9115a9da1a3250589bacc078057bcc0255f579c6eeb09cb1cb17775cdb.exe

  • Size

    540KB

  • MD5

    8d1976ad3de875c280798b89d06695a0

  • SHA1

    7455d544c8738236ea14f3a76beef0d5ae8a5bc2

  • SHA256

    afde9b9115a9da1a3250589bacc078057bcc0255f579c6eeb09cb1cb17775cdb

  • SHA512

    4650a35632de875cd5d943d425c490a17ffd487fd7ffa49a9045b24fb68ab8decfb6ac8c7e0c6cb6f55581f9da24655eb83768f3dd5c3d6125a3b7d66f705b21

  • SSDEEP

    12288:qMrSy90K0Nbn4aux3KJiIaIyo7q5HvreKMIAjVCjQDAa7UW7fzZ:Eyjqbnig0IJGPrtAjcaQiN

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 32 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afde9b9115a9da1a3250589bacc078057bcc0255f579c6eeb09cb1cb17775cdb.exe
    "C:\Users\Admin\AppData\Local\Temp\afde9b9115a9da1a3250589bacc078057bcc0255f579c6eeb09cb1cb17775cdb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5880.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5880.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5297.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5297.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4688.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4688.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1344
          4⤵
          • Program crash
          PID:1380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604966.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604966.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3012 -ip 3012
    1⤵
      PID:1120

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604966.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604966.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5880.exe
      Filesize

      398KB

      MD5

      385ef64cdbfe255b57bc611ea0167793

      SHA1

      9344448981392ff79a809d0acc50917e254ecf75

      SHA256

      1000bf36e12b4017fd66dfdfaf1a2da3dffa612bb9d1318bcc1004b2482b99a8

      SHA512

      92f078c649f4bbdd767fce783a8e78d865f71a8ab44bf00a7497f3896ddcdadecf22c79aa90c5df34ed05324639a972baa6403c29aba26ec5321a19e97e81593

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5880.exe
      Filesize

      398KB

      MD5

      385ef64cdbfe255b57bc611ea0167793

      SHA1

      9344448981392ff79a809d0acc50917e254ecf75

      SHA256

      1000bf36e12b4017fd66dfdfaf1a2da3dffa612bb9d1318bcc1004b2482b99a8

      SHA512

      92f078c649f4bbdd767fce783a8e78d865f71a8ab44bf00a7497f3896ddcdadecf22c79aa90c5df34ed05324639a972baa6403c29aba26ec5321a19e97e81593

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5297.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5297.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4688.exe
      Filesize

      355KB

      MD5

      b3d19fd61010bf369f63705b0a600a84

      SHA1

      70631e03716ebaf6c24d5adeda114c52fb2b2934

      SHA256

      c3ee311c0753566554498fd9b9ecf6c4012c377c58ab6577f0551d4603342558

      SHA512

      9b4eb9a411c4a7357b6a5f9b6f4f5dc738ded7b37951cdbce5a38636e70ef8b7b4b153db469761ef62bd94b3d8f1857c46896a35b19d173626faf8866d8213f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4688.exe
      Filesize

      355KB

      MD5

      b3d19fd61010bf369f63705b0a600a84

      SHA1

      70631e03716ebaf6c24d5adeda114c52fb2b2934

      SHA256

      c3ee311c0753566554498fd9b9ecf6c4012c377c58ab6577f0551d4603342558

      SHA512

      9b4eb9a411c4a7357b6a5f9b6f4f5dc738ded7b37951cdbce5a38636e70ef8b7b4b153db469761ef62bd94b3d8f1857c46896a35b19d173626faf8866d8213f6

      Download Submit

    • memory/1384-147-0x00000000007C0000-0x00000000007CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1384-149-0x000000001B340000-0x000000001B48E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3012-154-0x0000000002C60000-0x0000000002CAB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3012-155-0x00000000070E0000-0x0000000007684000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3012-156-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-157-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-158-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-159-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-160-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-162-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-164-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-166-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-168-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-170-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-172-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-174-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-176-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-178-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-180-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-182-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-184-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-186-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-188-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-190-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-192-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-194-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-196-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-198-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-200-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-204-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-202-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-206-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-208-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-210-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-220-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-218-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-216-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-214-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-212-0x00000000076F0000-0x000000000772E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3012-1065-0x00000000078D0000-0x0000000007EE8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3012-1066-0x0000000007F70000-0x000000000807A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3012-1067-0x00000000080B0000-0x00000000080C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3012-1068-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-1069-0x00000000080D0000-0x000000000810C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3012-1071-0x00000000083C0000-0x0000000008452000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3012-1072-0x0000000008460000-0x00000000084C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3012-1073-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-1074-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-1075-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-1076-0x00000000070D0000-0x00000000070E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-1077-0x000000000A080000-0x000000000A242000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3012-1078-0x000000000A250000-0x000000000A77C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3012-1079-0x000000000A820000-0x000000000A896000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3012-1080-0x000000000A8C0000-0x000000000A910000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3356-1086-0x0000000000D30000-0x0000000000D62000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3356-1087-0x0000000005640000-0x0000000005650000-memory.dmp

      Filesize

      64KB

      Download