Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fca8b49ef98dc76d40daf9520c809282bbf38beaab3ea0c5c32bfb0d17b99f23.exe

  • Size

    539KB

  • MD5

    dc4e50cb8ae63c30e37bb7c719b99b07

  • SHA1

    a2418448e6097e666bf4984f4faff7ff5bfc8a73

  • SHA256

    fca8b49ef98dc76d40daf9520c809282bbf38beaab3ea0c5c32bfb0d17b99f23

  • SHA512

    a71b7819eda2aad78a394e094a4e29983bc3ff2d40bfd40ec4372fd8ff31229e9d95b6d003cc470e6bf2f32edc8031c7ba6ec7162ddda5bed2c5628517942f9f

  • SSDEEP

    12288:XMryy90zZ5nAXIM++KWKimpsYUxsI4+vn5EQUq7fm1:lyE5nYKWKi2sYkJP5EQK

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fca8b49ef98dc76d40daf9520c809282bbf38beaab3ea0c5c32bfb0d17b99f23.exe
    "C:\Users\Admin\AppData\Local\Temp\fca8b49ef98dc76d40daf9520c809282bbf38beaab3ea0c5c32bfb0d17b99f23.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7815.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7815.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8420.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8420.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:220
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6279.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6279.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1684
          4⤵
          • Program crash
          PID:4700
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si690483.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si690483.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2896 -ip 2896
    1⤵
      PID:4104

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si690483.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si690483.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7815.exe
      Filesize

      397KB

      MD5

      ea6c5bc5a177b6311b6e79e32eb3e486

      SHA1

      92bfa1c46dbe71b194d9dd9436d9f31dfc83a40a

      SHA256

      1ae1144d7ec543e8583217a5b8a9f6ae72d744dc42d20efd4df8c512ec96c4b3

      SHA512

      a927f4068bde32123d9d059fc5435a57c25085771887c2419da6f0757ba59a59a8df111df8dab2796001e69bd8876c40698bef7999331e40a802704c95ed958e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7815.exe
      Filesize

      397KB

      MD5

      ea6c5bc5a177b6311b6e79e32eb3e486

      SHA1

      92bfa1c46dbe71b194d9dd9436d9f31dfc83a40a

      SHA256

      1ae1144d7ec543e8583217a5b8a9f6ae72d744dc42d20efd4df8c512ec96c4b3

      SHA512

      a927f4068bde32123d9d059fc5435a57c25085771887c2419da6f0757ba59a59a8df111df8dab2796001e69bd8876c40698bef7999331e40a802704c95ed958e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8420.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8420.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6279.exe
      Filesize

      355KB

      MD5

      2567711d1825b5af28bef7a8d7d3b0b6

      SHA1

      d85f4cc5702085b2bac54b6e12e59e983b5f01e6

      SHA256

      04843079ac19f11007135e9728a59e7bc5b48531d64b11e2a4880e310db5a8a4

      SHA512

      6669248fe76afcf941e1bc666e87f4e16c1c8a300efc7f45cd606d414fa05e2d53ffde01996c414c82ac843e6dcff72b140e2833ba602be559ec71df3558ab46

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6279.exe
      Filesize

      355KB

      MD5

      2567711d1825b5af28bef7a8d7d3b0b6

      SHA1

      d85f4cc5702085b2bac54b6e12e59e983b5f01e6

      SHA256

      04843079ac19f11007135e9728a59e7bc5b48531d64b11e2a4880e310db5a8a4

      SHA512

      6669248fe76afcf941e1bc666e87f4e16c1c8a300efc7f45cd606d414fa05e2d53ffde01996c414c82ac843e6dcff72b140e2833ba602be559ec71df3558ab46

      Download Submit
    • memory/220-147-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2628-1084-0x00000000003D0000-0x0000000000402000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2628-1085-0x0000000004D10000-0x0000000004D20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-186-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-204-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-155-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-156-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-158-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-160-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-162-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-164-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-166-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-168-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-170-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-172-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-174-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-177-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-176-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-178-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-180-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-182-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-184-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-153-0x0000000002C80000-0x0000000002CCB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2896-188-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-190-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-192-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-194-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-198-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-154-0x00000000072A0000-0x0000000007844000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2896-202-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-200-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-196-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-206-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-208-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-210-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-212-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-214-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-216-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-218-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-220-0x0000000007850000-0x000000000788E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2896-1063-0x00000000078D0000-0x0000000007EE8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2896-1064-0x0000000007F70000-0x000000000807A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2896-1065-0x00000000080B0000-0x00000000080C2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2896-1066-0x00000000080D0000-0x000000000810C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2896-1067-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-1069-0x00000000083C0000-0x0000000008452000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2896-1070-0x0000000008460000-0x00000000084C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2896-1071-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-1072-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-1073-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2896-1074-0x0000000008C80000-0x0000000008E42000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2896-1075-0x0000000008E60000-0x000000000938C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2896-1076-0x0000000009750000-0x00000000097C6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2896-1077-0x00000000097D0000-0x0000000009820000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2896-1078-0x0000000007290000-0x00000000072A0000-memory.dmp
      Filesize

      64KB

      Download