Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 09:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f59694cb2a4fe0af61f24b036ec7f901ed239f6d200cb9d684bccbf46b91c73.exe

  • Size

    538KB

  • MD5

    f93483c4361a095210dfae536eee273e

  • SHA1

    c976057048f60bd7a495cbefcb95195debb5b4f2

  • SHA256

    6f59694cb2a4fe0af61f24b036ec7f901ed239f6d200cb9d684bccbf46b91c73

  • SHA512

    ed92766ced1e9161f9f5e994da2bc9c55bee39f0d74fbb6f6f48214aeada10f29e34220441d8eaa98afd39a51093a9193fa71bf1325ff4ddd77a2ba66099c83f

  • SSDEEP

    12288:EMrey902IP9kIw4RS9BQ2ractbFex4I4+MPEkq4fvkB:qysPamEWCtbFuFQG4f8B

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f59694cb2a4fe0af61f24b036ec7f901ed239f6d200cb9d684bccbf46b91c73.exe
    "C:\Users\Admin\AppData\Local\Temp\6f59694cb2a4fe0af61f24b036ec7f901ed239f6d200cb9d684bccbf46b91c73.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2047.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2047.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0420.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0420.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6576.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6576.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1904
          4⤵
          • Program crash
          PID:5060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877869.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877869.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4872
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2348 -ip 2348
    1⤵
      PID:3508

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877869.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877869.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2047.exe
      Filesize

      396KB

      MD5

      45224266db6f6f0e5c272bc4d7813e66

      SHA1

      bc8d89e68b94ab08d314c3b026b8fbb58a03f2a6

      SHA256

      b18e7cfdffe921642189c06e053513228e11340bb8afe4fbdebee4277007e900

      SHA512

      4da768c630820dbe2e91bc86101822c28d415605b1dd0941a14bad1d6fd7c1e7fd77ff0a567d70921cd81d253864d8c206db99249a7064cef39e5e61fa1d1511

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2047.exe
      Filesize

      396KB

      MD5

      45224266db6f6f0e5c272bc4d7813e66

      SHA1

      bc8d89e68b94ab08d314c3b026b8fbb58a03f2a6

      SHA256

      b18e7cfdffe921642189c06e053513228e11340bb8afe4fbdebee4277007e900

      SHA512

      4da768c630820dbe2e91bc86101822c28d415605b1dd0941a14bad1d6fd7c1e7fd77ff0a567d70921cd81d253864d8c206db99249a7064cef39e5e61fa1d1511

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0420.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0420.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6576.exe
      Filesize

      355KB

      MD5

      373faeb807e3ec74f8773c2b60203673

      SHA1

      167555058831977764aa5997796b47c225334a03

      SHA256

      f0590f84244c1de92f554ffc668b651ce54c5a4db8a47c51a7c19b239a1c839a

      SHA512

      9d046098a95db7a290aa7e6c0613d35518acc139c7e71710b40c642e04601b6e2f0a070dc747650fdb155ecf5f30309a0d5a873cae0631cfd74014f0e02bc24c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6576.exe
      Filesize

      355KB

      MD5

      373faeb807e3ec74f8773c2b60203673

      SHA1

      167555058831977764aa5997796b47c225334a03

      SHA256

      f0590f84244c1de92f554ffc668b651ce54c5a4db8a47c51a7c19b239a1c839a

      SHA512

      9d046098a95db7a290aa7e6c0613d35518acc139c7e71710b40c642e04601b6e2f0a070dc747650fdb155ecf5f30309a0d5a873cae0631cfd74014f0e02bc24c

      Download Submit

    • memory/2348-153-0x00000000073C0000-0x0000000007964000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2348-154-0x0000000002CF0000-0x0000000002D3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2348-155-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-156-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-157-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-158-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-161-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-159-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-165-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-167-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-163-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-169-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-171-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-173-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-175-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-177-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-179-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-181-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-183-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-185-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-187-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-189-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-191-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-193-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-195-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-197-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-199-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-201-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-203-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-205-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-207-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-209-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-211-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-213-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-215-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-217-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-219-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-221-0x0000000007280000-0x00000000072BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2348-1064-0x0000000007970000-0x0000000007F88000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2348-1065-0x0000000007F90000-0x000000000809A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2348-1066-0x00000000080B0000-0x00000000080C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2348-1067-0x00000000080D0000-0x000000000810C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2348-1068-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-1070-0x00000000083C0000-0x0000000008426000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2348-1071-0x0000000008A80000-0x0000000008B12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2348-1072-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-1073-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-1074-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-1075-0x0000000008FA0000-0x0000000009016000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2348-1076-0x0000000009030000-0x0000000009080000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2348-1077-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-1078-0x000000000A3A0000-0x000000000A562000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2348-1079-0x000000000A570000-0x000000000AA9C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3500-147-0x0000000000250000-0x000000000025A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4872-1085-0x0000000000330000-0x0000000000362000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4872-1086-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download