Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2023, 21:39
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe
  - Resource: win10v2004-20230915-en
General
- Target: 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe
- Size: 1.2MB
- MD5: 3e687a14033b8ba0968ce86c415abe8e
- SHA1: c5483168957df8fb20c9587148553c01953dd750
- SHA256: 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9
- SHA512: b60bec6ef664945bcdef20dde1a5904e5895abdb5fb91fcd19a68dc401ae43a53f9bbd67e7b56b1966d21e19cd22ebd4633c6ba200f2de81d5c4037478b4068f
- SSDEEP: 24576:UyjbRWpNSrTSgvWiRfSWA4gskS7cY7K0PxljuzTg5ST:jjbRBXZvWiVSGgsgalPxJP
Malware Config
Extracted
- Family: redline
- Botnet: gigant
- C2: 77.91.124.55:19071
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/860-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral1/memory/860-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral1/memory/860-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral1/memory/860-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000023284-41.dat | family_redline
  behavioral1/files/0x0007000000023284-42.dat | family_redline
  behavioral1/memory/4332-43-0x00000000003F0000-0x000000000042E000-memory.dmp | family_redline
- Executes dropped EXE (6 IoCs)
  pid | Process
  3984 | pb2Pk7LF.exe
  744 | JP1JU5QT.exe
  2800 | jF5nI4Cy.exe
  3768 | xF3jq4bP.exe
  3928 | 1GG11Kk2.exe
  4332 | 2pP673Rw.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | JP1JU5QT.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | jF5nI4Cy.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | xF3jq4bP.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | pb2Pk7LF.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3928 set thread context of 860 | 3928 | 1GG11Kk2.exe | 93
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4452 | 860 | WerFault.exe | 93
  4436 | 3928 | WerFault.exe | 90
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | Process | procid_target
  PID 4616 wrote to memory of 3984 | 4616 | 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe | 86
  PID 4616 wrote to memory of 3984 | 4616 | 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe | 86
  PID 4616 wrote to memory of 3984 | 4616 | 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe | 86
  PID 3984 wrote to memory of 744 | 3984 | pb2Pk7LF.exe | 87
  PID 3984 wrote to memory of 744 | 3984 | pb2Pk7LF.exe | 87
  PID 3984 wrote to memory of 744 | 3984 | pb2Pk7LF.exe | 87
  PID 744 wrote to memory of 2800 | 744 | JP1JU5QT.exe | 88
  PID 744 wrote to memory of 2800 | 744 | JP1JU5QT.exe | 88
  PID 744 wrote to memory of 2800 | 744 | JP1JU5QT.exe | 88
  PID 2800 wrote to memory of 3768 | 2800 | jF5nI4Cy.exe | 89
  PID 2800 wrote to memory of 3768 | 2800 | jF5nI4Cy.exe | 89
  PID 2800 wrote to memory of 3768 | 2800 | jF5nI4Cy.exe | 89
  PID 3768 wrote to memory of 3928 | 3768 | xF3jq4bP.exe | 90
  PID 3768 wrote to memory of 3928 | 3768 | xF3jq4bP.exe | 90
  PID 3768 wrote to memory of 3928 | 3768 | xF3jq4bP.exe | 90
  PID 3928 wrote to memory of 4572 | 3928 | 1GG11Kk2.exe | 92
  PID 3928 wrote to memory of 4572 | 3928 | 1GG11Kk2.exe | 92
  PID 3928 wrote to memory of 4572 | 3928 | 1GG11Kk2.exe | 92
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3928 wrote to memory of 860 | 3928 | 1GG11Kk2.exe | 93
  PID 3768 wrote to memory of 4332 | 3768 | xF3jq4bP.exe | 102
  PID 3768 wrote to memory of 4332 | 3768 | xF3jq4bP.exe | 102
  PID 3768 wrote to memory of 4332 | 3768 | xF3jq4bP.exe | 102
Processes
- C:\Users\Admin\AppData\Local\Temp\198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4616
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3984
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 744
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2800
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 3768
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 3928
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4572
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 860
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 540
                - Program crash
                PID: 4452
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 600
              - Program crash
              PID: 4436
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe
            - Executes dropped EXE
            PID: 4332
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 860 -ip 860
  PID: 2124
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3928 -ip 3928
  PID: 4340
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: 50396aa17d248d8afe74cf8f19a9c33f
  SHA1: 33bdd0fea1dbc5434c5edf34106af19ad76b825c
  SHA256: 1758bfee38a61d558e5e500b6cc4d6896eabe1b55f729591163da9a72a9f6e85
  SHA512: beff0f6cee774e3fb8dcfdc0ef7a443cffed16ae40ead36aa51307a52d9fa0cd3ab7da6831e9cb5db84611f2f00cd5503061d22a4d4fa77aa2f38f470db14bc0
- Filesize: 885KB
  MD5: dcb7dd1183d028f3784e63f8a63dd11c
  SHA1: 0383498afbc0b7dc8405711712a18d6bb41af6f2
  SHA256: 7869320b7c531f801f0cf245cce512fe55f1cbedd1311665c356ad6bf314ede8
  SHA512: 83f588765502e7268d196f0a7ca1d0a27ea3330262a882712bbf2a2be33938bc2b775b59e2f9fcd7c9f12c34e5538b0f8a2b20c2b32a8509a69792377b01789f
- Filesize: 590KB
  MD5: b02dee59706aa71090cfa2a67cc0c7ca
  SHA1: d869ea683c563affb2b7041fdccca5b61d1141e3
  SHA256: 7eca710778bc8571155750f273a6fbfbd6ed218a394e95cb64620a3520bf70f2
  SHA512: d7ea424df02d92fbb1ac8c7d35231cf888df4a82aa35583c2c5f6a7f8c83b3ef0fa833e95a630a37906fd88655653884703996022df97b7c251b7e39cd7b529a
- Filesize: 417KB
  MD5: d6c90b9404be517719efb3e440559564
  SHA1: e80a31033f5152ff7c99f77b54aabad49133fc67
  SHA256: d57df80c79fcc09a425cbf698b5da027e320671a4def137fd8d152ca2b8b073d
  SHA512: 59bc81d46745ac68f86cee31c483701dd4388563975f390ac6e7edba4baab5bb97abc430b33c0f44b70f8bcb74af5d4a82e2e02f1242770711c9816ad1e77295
- Filesize: 378KB
  MD5: 95ab34f204236ba37848cc9cc95405e1
  SHA1: bb51007f4c622de6695c888b0ad77fd7d338d57c
  SHA256: 699f39018aace26083e65b195f12fb9440be99f4fd86b8a6c1fa01683dbe91f6
  SHA512: 180711f110f58ff84524075c132ca202274d5f8983aba1374b6f39dd86c572f950c36538da73b554df0b9935159a3bcbb5a39255acdc891e5d42a7d20574bf07
- Filesize: 231KB
  MD5: 0f740d8c8f3e43861d9bdd866f9af0f9
  SHA1: caa75992994504eda91b8b130962aa52ab922283
  SHA256: 6e24db519479cf96182b5ca743949c1205fa5218c4a69694019b388eea8c2206
  SHA512: 77f766ea7dd51469b7fd44fcb53b05ad2276dbcd43bb1f482d7b2b655275cf060e3cdb204ae1983aa9b48071143277d091ce62d16fde5f69bf6520169456146b