Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2023, 21:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe
- Resource: win10v2004-20230915-en
General
- Target: fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe
- Size: 1.2MB
- MD5: 9e0a65a6354df7e961d797ff850db432
- SHA1: 6760ff14c6890d975c5ffb5a2cb8b6f3300ed115
- SHA256: fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb
- SHA512: b90ae16f118333db8081b8921138425a6dfd29785c1b9ae884f590a12281d99a255b0ec3abb275ae9ec27468a07ab7393762b4edd6e32f5dcb9e608bf1f4eafb
- SSDEEP: 24576:fyMGHOJwixm0Y3ELv66HZJxHzSd6T05Efj4Rx891fFOn2bt6Anu:qjHuZY3EWEZfSd00u4qNOnYtNn
Malware Config
Extracted
- Family: redline
- Botnet: gigant
- C2: 77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload (4 IoCs)
YARA rule family_mystic matched the same 0x28000-byte (160 KiB) region at 0x400000 in PID 3612 (the AppLaunch.exe instance that 1Jm90GG6.exe wrote to and set thread context on) in four successive memory dumps:
- behavioral1/memory/3612-35-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/3612-36-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/3612-37-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/3612-39-0x0000000000400000-0x0000000000428000-memory.dmp
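All four dumps cover the same 0x28000-byte region at 0x400000, the classic default image base of a 32-bit EXE, inside a process that this report shows as 32-bit (AppLaunch.exe from the 32-bit Framework directory, crash handled by WerFault from SysWOW64). The Python below is an added example, not part of this report or of the sandbox's tooling: it parses the PE header at the start of such a region dump, checks that the image's own ImageBase and SizeOfImage agree with the dumped range, and computes the entry-point VA that a SetThreadContext on the main thread would typically point at. It runs on a constructed minimal PE32 header padded to the region size, not on the Mystic payload; the function names and the result fields are this example's own.

```python
"""Added example, not code from the report: sanity-check a memory-region dump
(such as behavioral1/memory/3612-35-0x400000-0x428000-memory.dmp) as a PE
image. The dump used here is constructed and carries no code."""
import struct

REGION_START, REGION_END = 0x400000, 0x428000   # region the sandbox dumped from PID 3612


def parse_pe_header(buf):
    """Return (image_base, size_of_image, is_pe32plus, entry_rva, sections) where
    sections = [(name, virtual_address, virtual_size)]. Raises ValueError when
    buf does not start with a DOS header followed by a PE header."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header at offset 0")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", buf, e_lfanew + 20)[0]    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                                             # PE32: 4-byte ImageBase at +28
        image_base, pe32plus = struct.unpack_from("<I", buf, opt + 28)[0], False
    elif magic == 0x20B:                                           # PE32+: 8-byte ImageBase at +24
        image_base, pe32plus = struct.unpack_from("<Q", buf, opt + 24)[0], True
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]         # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]     # SizeOfImage (same offset in both)
    sections = []
    for i in range(nsections):                                     # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va = struct.unpack_from("<8sII", buf, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return image_base, size_of_image, pe32plus, entry_rva, sections


def looks_like_pe(buf):
    try:
        parse_pe_header(buf)
        return True
    except ValueError:
        return False


def check_region(buf, start, end):
    """Compare the carved image's own geometry with the dumped region. A
    mismatching ImageBase means the image was relocated (or is not a mapped
    image at all); a mismatching SizeOfImage means the dump is truncated or
    the region holds more than the image."""
    base, size, pe32plus, entry_rva, sections = parse_pe_header(buf)
    return {
        "pe32plus": pe32plus,
        "base_matches_region": base == start,
        "size_matches_region": size == end - start,
        "entry_point_va": base + entry_rva,   # where a SetThreadContext EIP/RIP would land
        "sections": [name for name, _, _ in sections],
        "sections_within_image": all(va + vs <= size for _, va, vs in sections),
    }


def build_fake_dump(image_base=REGION_START, size_of_image=REGION_END - REGION_START, entry_rva=0x1000):
    """Constructed minimal PE32 image (DOS header, COFF and optional headers, one
    .text section header) zero-padded to size_of_image. Stand-in for a real
    dump; contains no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: WINDOWS_GUI
    text = struct.pack("<8sIIIIIIHHI", b".text", size_of_image - 0x1000, 0x1000,
                       size_of_image - 0x1000, 0x1000, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    return header + b"\0" * (size_of_image - len(header))


if __name__ == "__main__":
    print(check_region(build_fake_dump(), REGION_START, REGION_END))
```

On a real dump the interesting outcomes are the negative ones: an ImageBase that differs from 0x400000 tells you the injector applied relocations (or wrote an unmapped file image), and a SizeOfImage larger than 0x28000 tells you the YARA hit covers only part of the payload and the adjacent regions should be carved too.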
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (3 IoCs)
YARA rule family_redline matched two dropped files and the memory of PID 3508 (2Mr852Yb.exe):
- behavioral1/files/0x00060000000230ce-41.dat
- behavioral1/files/0x00060000000230ce-42.dat
- behavioral1/memory/3508-44-0x0000000000830000-0x000000000086E000-memory.dmp
Executes dropped EXE (6 IoCs)
- PID 4632: Gl2cZ1op.exe
- PID 2628: Jd3tw7ja.exe
- PID 3512: WM7te5go.exe
- PID 1408: LK3En3pn.exe
- PID 2140: 1Jm90GG6.exe
- PID 3508: 2Mr852Yb.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Each unpacking layer writes a RunOnce value that calls advpack.dll,DelNodeRunDLL32 to delete its own IXP###.TMP extraction folder at the next logon. This is the self-cleanup hook that Microsoft's wextract self-extractor leaves behind, not persistence for the stealer payloads; treat it as a fingerprint of nested SFX unpacking rather than as an autostart entry.
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"  (by fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"  (by Gl2cZ1op.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"  (by Jd3tw7ja.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"  (by WM7te5go.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"  (by LK3En3pn.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 2140 (1Jm90GG6.exe) set thread context of PID 3612 (AppLaunch.exe)
Program crash (2 IoCs)
- PID 476 WerFault.exe, crashed process PID 3612 (AppLaunch.exe)
- PID 3432 WerFault.exe, crashed process PID 2140 (1Jm90GG6.exe)
Suspicious use of WriteProcessMemory (31 IoCs)
Writes grouped by source and target process; the count is the number of individual IoCs the sandbox recorded for that pair:
- PID 3348 (fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe) wrote to PID 4632 (Gl2cZ1op.exe): 3
- PID 4632 (Gl2cZ1op.exe) wrote to PID 2628 (Jd3tw7ja.exe): 3
- PID 2628 (Jd3tw7ja.exe) wrote to PID 3512 (WM7te5go.exe): 3
- PID 3512 (WM7te5go.exe) wrote to PID 1408 (LK3En3pn.exe): 3
- PID 1408 (LK3En3pn.exe) wrote to PID 2140 (1Jm90GG6.exe): 3
- PID 2140 (1Jm90GG6.exe) wrote to PID 3268 (AppLaunch.exe): 3
- PID 2140 (1Jm90GG6.exe) wrote to PID 3612 (AppLaunch.exe): 10
- PID 1408 (LK3En3pn.exe) wrote to PID 3508 (2Mr852Yb.exe): 3
The same three writes accompany every process spawn in this tree, so on their own they only mark parent-child creation. The ten writes into PID 3612, followed by the SetThreadContext on that process and the Mystic YARA hit in its memory, are the injection worth alerting on.
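Read together, the signatures above describe one chain: five nested self-extracting layers, each unpacking into its own IXP###.TMP folder and registering a cleanup RunOnce value, until 1Jm90GG6.exe starts AppLaunch.exe twice, writes into the second instance ten times and calls SetThreadContext on it. The Python below is an added example, not tooling from this report or from the sandbox: it replays those events as constructed records (PIDs, paths and registry data are taken from the page; the record schema, the list of .NET host binaries and the rule names are this example's own assumptions) and implements the three checks a detection engineer would derive from this report: WriteProcessMemory plus SetThreadContext into a Microsoft .NET host from a %TEMP%-resident parent, the depth of the IXP unpacking chain, and the advpack DelNodeRunDLL32 cleanup hooks.

```python
"""Added example, not part of the original report: replay the behavioural
signatures above as event records and flag the process-hollowing and nested
SFX patterns they describe. The event schema and rule names are assumed."""
import re
from dataclasses import dataclass, field
from typing import Optional

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Microsoft-signed .NET hosts commonly chosen as hollowing targets (assumed list)
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "([^"]+)"', re.I)


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    writes_to: dict = field(default_factory=dict)   # target pid -> WriteProcessMemory count
    ctx_set_on: set = field(default_factory=set)    # target pids of SetThreadContext
    regvalues: list = field(default_factory=list)   # (name, data) RunOnce values this process wrote

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1].lower()


def load(events):
    """Fold a flat event list into per-process records."""
    procs = {}
    for ev in events:
        if ev["kind"] == "create":
            procs[ev["pid"]] = Proc(ev["pid"], ev["image"], ev["parent"])
        elif ev["kind"] == "write":
            w = procs[ev["pid"]].writes_to
            w[ev["target"]] = w.get(ev["target"], 0) + 1
        elif ev["kind"] == "setctx":
            procs[ev["pid"]].ctx_set_on.add(ev["target"])
        elif ev["kind"] == "regset":
            procs[ev["pid"]].regvalues.append((ev["name"], ev["data"]))
    return procs


def hollowing_candidates(procs):
    """A %TEMP%-resident process that both writes the memory of, and sets the
    thread context of, a child that is a Microsoft .NET host. Writes alone (PID
    3268 in the report) do not qualify: the context switch is what runs the code."""
    hits = []
    for p in procs.values():
        if not p.image.lower().startswith(TEMP.lower()):
            continue
        for t in sorted(p.writes_to.keys() & p.ctx_set_on):
            child = procs[t]
            if child.parent == p.pid and child.name in DOTNET_HOSTS:
                hits.append((p.pid, t, child.name, p.writes_to[t]))
    return hits


def sfx_chain_depth(procs, pid):
    """Number of nested IXP###.TMP layers below pid: the longest chain of
    children that themselves run from an IXP extraction folder."""
    best = 0
    for c in procs.values():
        if c.parent == pid and re.search(r"\\IXP\d{3}\.TMP\\", c.image, re.I):
            best = max(best, 1 + sfx_chain_depth(procs, c.pid))
    return best


def wextract_cleanup_entries(procs):
    """RunOnce values that schedule advpack!DelNodeRunDLL32 on an IXP folder:
    the self-delete hook every wextract layer leaves behind."""
    out = []
    for p in procs.values():
        for name, data in p.regvalues:
            m = CLEANUP_RE.search(data)
            if m and "IXP" in m.group(1).upper():
                out.append((p.pid, name, m.group(1)))
    return out


def report_events():
    """Event records constructed from the page's process tree and signatures."""
    root = TEMP + r"\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe"
    layers = [(4632, "IXP000.TMP", "Gl2cZ1op.exe"), (2628, "IXP001.TMP", "Jd3tw7ja.exe"),
              (3512, "IXP002.TMP", "WM7te5go.exe"), (1408, "IXP003.TMP", "LK3En3pn.exe"),
              (2140, "IXP004.TMP", "1Jm90GG6.exe")]
    ev = [{"kind": "create", "pid": 3348, "image": root, "parent": None}]
    parent = 3348
    for i, (pid, folder, exe) in enumerate(layers):
        ev.append({"kind": "create", "pid": pid, "image": f"{TEMP}\\{folder}\\{exe}", "parent": parent})
        ev += [{"kind": "write", "pid": parent, "target": pid}] * 3        # three writes per spawn
        ev.append({"kind": "regset", "pid": parent, "name": f"wextract_cleanup{i}",
                   "data": f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{TEMP}\\{folder}\\"'})
        parent = pid
    applaunch = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    ev.append({"kind": "create", "pid": 3268, "image": applaunch, "parent": 2140})
    ev += [{"kind": "write", "pid": 2140, "target": 3268}] * 3
    ev.append({"kind": "create", "pid": 3612, "image": applaunch, "parent": 2140})
    ev += [{"kind": "write", "pid": 2140, "target": 3612}] * 10
    ev.append({"kind": "setctx", "pid": 2140, "target": 3612})
    ev.append({"kind": "create", "pid": 3508, "image": f"{TEMP}\\IXP004.TMP\\2Mr852Yb.exe", "parent": 1408})
    ev += [{"kind": "write", "pid": 1408, "target": 3508}] * 3
    return ev


if __name__ == "__main__":
    procs = load(report_events())
    print("hollowing:", hollowing_candidates(procs))
    print("sfx layers:", sfx_chain_depth(procs, 3348))
    print("cleanup hooks:", wextract_cleanup_entries(procs))
```

The hollowing rule deliberately requires all three conditions (parent under %TEMP%, a .NET host child, and both write and context-set on that child) so that ordinary parent-child creation, which in this tree always shows up as three writes, does not fire it; the chain-depth check is the cheap signal for this kind of layered wextract loader.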
Processes
Five wextract layers unpack into successive IXP###.TMP folders; the last one (LK3En3pn.exe) launches both payloads: 1Jm90GG6.exe, which hollows AppLaunch.exe (where the Mystic payload is found in memory), and 2Mr852Yb.exe (where the RedLine payload is found in memory).
- C:\Users\Admin\AppData\Local\Temp\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe (PID 3348)
  Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe (PID 4632)
    Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe (PID 2628)
      Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe (PID 3512)
        Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe (PID 1408)
          Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe (PID 2140)
            Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3268)
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3612)
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 540 (PID 476)
                Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 600 (PID 3432)
              Program crash
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe (PID 3508)
            Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3612 -ip 3612 (PID 1732)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2140 -ip 2140 (PID 2452)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: 207e39b69d7fcde973111a1f3584b5cc
  SHA1: f65911bdbc34f2310aadc194def9528bb64f75d0
  SHA256: 54b1927c8b0cd0b9a35cb91a8b444127c67d5767343e0cadbc071d60b2a873c2
  SHA512: 21528a60fa39450a9207764d41cc75c34806a8ef66971a64af6b575e5f4589d574711deaa0960128a9a51183d4a6142057f721aadc5a82f002c021b21595bc1d
- Filesize: 884KB
  MD5: 0a5863d64e23c4f3ef3200779c1ebff4
  SHA1: e9bf567f5570e75e76b85b055cb1345a74f27ce8
  SHA256: cd9360589c2015aee54ccf40f997c832bf2930ab69211f5d8a4698a5886e3d63
  SHA512: ad4a65779b8a1991589f078b8b5016be7535b00762217612fcc5ae82864d8852f400d393b275841b336d09b29aaae501959651c4efabeba50ea1d454adb115d1
- Filesize: 590KB
  MD5: 943b112749ec2b1d79d6d9dfbfbc61f6
  SHA1: 54345a752550c0fb4b7a9f7d604d6ca6e21ec8fb
  SHA256: 9e866e22f3b5578b8badbfdcbcb9ee9d3052a5bf1c87c22569e90ba464f3c3fa
  SHA512: c8f30d5d0da0ff2b8abf6777fc541038e9fb9923e0b365aa0c21ab84c21593c7ba49edc640af0a3c1ae70160911be3d7a9dee4e9df0a57d97b2e41b0c4b08a7a
- Filesize: 417KB
  MD5: f222096f65e28b52fc018ad530a51db3
  SHA1: 0c10946b0657300cf01c7103e0f9bc3313d727e4
  SHA256: ba63b2fb09ce0756ebbb4f972c35c0cea4079ab86292ac3651960fe46c0173f1
  SHA512: 047b915ec2ad4fbb6e41a51bd0b9c8672d72d74c3e97851b87150a27891671225303bb0efb660db91653f4256bedf1fbd847fda6cde94391b8e42119750dfb94
- Filesize: 378KB
  MD5: 057684fdcfa64b387fd4c84e88123632
  SHA1: 2ec62abf9fe6673ef75748a0d89e201907608297
  SHA256: 91cd87b4da0609ef7b600b7d349deffdae7fcd863ddaf4bb5da0c5dfae1fc986
  SHA512: bfccf7d1ee9f070c4b12ecb1062e4ba48b40a738d30b6bf0ee0bfb183021903ee775568ba3015d8be1af0686c16e2ebf610410c2061ec105a2bdf3221f0404b1
- Filesize: 231KB
  MD5: 0e26b34a4953bad439184ed9df9144aa
  SHA1: 470b2e126601928eaf3a1f9aafe4f59884ea07ab
  SHA256: 9bb4c8ad8de9222070fbd129e7d7b24224d5fe58522f16a896e4614eddb940c8
  SHA512: 3d0d3799fff587cb703ea40b121d7d5f3713d521cacb7c42d818349d12d2e9f6f44ffe33e25d8a232acd9a18234d8ea8cbb8eb20174c11c53f4122798e9ad3b0