Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42d72bed17a0641c4f0bad8e200e82f4b016b029e7aed1d4c634aad7da1ae9f6.exe

  • Size

    538KB

  • MD5

    b01efde9960a5f65e718f6cad76dedd0

  • SHA1

    b6c525f6e5630ae4aabc7790836f37bae31fb609

  • SHA256

    42d72bed17a0641c4f0bad8e200e82f4b016b029e7aed1d4c634aad7da1ae9f6

  • SHA512

    a5590155e8873bcf251dff97c7e515692194359956b562a831ccb55cde4a74d42d2b38088a7dd0e49d8df1d5d10409efab27b6128e0f928f845188a0104d080c

  • SSDEEP

    12288:DMrTy90/1vrjjWupydeqSe6ciCB+DsPoDYdxJI4+QWlxL4JWl0D+3bMe:oyuh/aPrPEaiYPATv4Jw0+P

Score
10/10
redlineboltdowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

bolt

C2

193.233.20.31:4125

Attributes
  • auth_value

    29540c7bf0277243e2faf6601e15a754

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42d72bed17a0641c4f0bad8e200e82f4b016b029e7aed1d4c634aad7da1ae9f6.exe
    "C:\Users\Admin\AppData\Local\Temp\42d72bed17a0641c4f0bad8e200e82f4b016b029e7aed1d4c634aad7da1ae9f6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba9564.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba9564.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h21an77.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h21an77.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iuqYp82.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iuqYp82.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1336
          4⤵
          • Program crash
          PID:4880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l43WJ85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l43WJ85.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4216 -ip 4216
    1⤵
      PID:2716

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l43WJ85.exe
      Filesize

      175KB

      MD5

      78efaf7292c2027da40635ca1aae855a

      SHA1

      686227a48e23b382a06c74f17d9b6f36e76042fd

      SHA256

      2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

      SHA512

      19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l43WJ85.exe
      Filesize

      175KB

      MD5

      78efaf7292c2027da40635ca1aae855a

      SHA1

      686227a48e23b382a06c74f17d9b6f36e76042fd

      SHA256

      2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

      SHA512

      19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba9564.exe
      Filesize

      396KB

      MD5

      a9609cd69bfbf3b64816275012728ef3

      SHA1

      adde4048e7714683913ec8c903cbea70aa6d0dc4

      SHA256

      002a5b068d752852e63d7c44c418b52a126f64c26fb2b07ae24810ead21d1303

      SHA512

      eaba10cfb76af4360892d4ec7f2f312625a9eee686a4c571db00277d783f520401926ad1ba4bc6a8f5589be658f1ec93b4458f5775ffd2ce6adee97faf3b69f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba9564.exe
      Filesize

      396KB

      MD5

      a9609cd69bfbf3b64816275012728ef3

      SHA1

      adde4048e7714683913ec8c903cbea70aa6d0dc4

      SHA256

      002a5b068d752852e63d7c44c418b52a126f64c26fb2b07ae24810ead21d1303

      SHA512

      eaba10cfb76af4360892d4ec7f2f312625a9eee686a4c571db00277d783f520401926ad1ba4bc6a8f5589be658f1ec93b4458f5775ffd2ce6adee97faf3b69f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h21an77.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h21an77.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iuqYp82.exe
      Filesize

      355KB

      MD5

      da8b39456bd29755afae1dbec2c3123e

      SHA1

      900589236df65ee76e7207ecec7ec3080c021843

      SHA256

      3b413b41ba5a33b8136696fd9bc09e5018ce36b9ebf8ca4c6de1a0bce80b5263

      SHA512

      4dfb73a3754e45d7a86a94fecef016a74979b704d3abae56df61075efe8d3727531d963ce00c4fd74a2fb4bc57d84043e5a919f3fdda3172d844205033b04559

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iuqYp82.exe
      Filesize

      355KB

      MD5

      da8b39456bd29755afae1dbec2c3123e

      SHA1

      900589236df65ee76e7207ecec7ec3080c021843

      SHA256

      3b413b41ba5a33b8136696fd9bc09e5018ce36b9ebf8ca4c6de1a0bce80b5263

      SHA512

      4dfb73a3754e45d7a86a94fecef016a74979b704d3abae56df61075efe8d3727531d963ce00c4fd74a2fb4bc57d84043e5a919f3fdda3172d844205033b04559

      Download Submit
    • memory/756-147-0x0000000000B50000-0x0000000000B5A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2212-1085-0x00000000009F0000-0x0000000000A22000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2212-1086-0x0000000005330000-0x0000000005340000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-189-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-201-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-155-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-156-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-160-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-158-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-162-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-164-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-166-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-168-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-170-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-172-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-175-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-177-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-176-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-173-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-179-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-181-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-183-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-185-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-187-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-153-0x0000000002CD0000-0x0000000002D1B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4216-191-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-193-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-195-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-197-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-199-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-154-0x0000000007270000-0x0000000007814000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4216-203-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-205-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-207-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-209-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-211-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-213-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-215-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-217-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-219-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-221-0x0000000007140000-0x000000000717E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4216-1064-0x0000000007820000-0x0000000007E38000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4216-1065-0x0000000007E40000-0x0000000007F4A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4216-1066-0x0000000007F70000-0x0000000007F82000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4216-1067-0x0000000007F90000-0x0000000007FCC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4216-1068-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-1070-0x0000000008280000-0x0000000008312000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4216-1071-0x0000000008320000-0x0000000008386000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4216-1072-0x0000000008A20000-0x0000000008A96000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4216-1073-0x0000000008AB0000-0x0000000008B00000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4216-1074-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-1075-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-1076-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-1077-0x0000000008D70000-0x0000000008F32000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4216-1078-0x0000000008F40000-0x000000000946C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4216-1080-0x0000000007260000-0x0000000007270000-memory.dmp
      Filesize

      64KB

      Download