Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 06:23

Static task: static1
Behavioral task: behavioral1
  Sample: 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe
  Resource: win10v2004-20230915-en
General

Target: 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe
Size: 1.2MB
MD5: 34bd88866a21f46e8aac88ce27ece869
SHA1: 9c55dc3e1bd014ca0b856b6ab8639b5a8bffeb3b
SHA256: 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58
SHA512: b6089180dfc0936be3e17868ef1d815d1cc5d6f8f346a1840649d8c4ec3d21a3a4a073f49ba444cf5a5211caf87a510f1221576799fe2ffa3a22e1d19d251e5f
SSDEEP: 24576:9ybWjicQBao2bo3GEq+0mABw8DuA1m+2NysFED8pvxtvs6x81lqa9kb3:YWicQBP2M3Ga0xBFCA4iW/v/61lH9k
Malware Config

Extracted (one configuration recovered during the run):
Family: redline
Botnet: gigant
C2: 77.91.124.55:19071

Only the RedLine configuration was extracted; no configuration was recovered for the Mystic stealer payload that the YARA rules matched in memory (see Signatures below).
Signatures

Detect Mystic stealer payload (4 IoCs)
yara_rule family_mystic matched four memory dumps, all of PID 3188 and all covering the same region 0x0000000000400000-0x0000000000428000:
  behavioral1/memory/3188-35-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/3188-36-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/3188-37-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/3188-39-0x0000000000400000-0x0000000000428000-memory.dmp
PID 3188 is the AppLaunch.exe instance in the process tree below, the .NET Framework host that 1PY13Ks8.exe (PID 4192) wrote into and then set the thread context of. The Mystic payload therefore exists only as an unpacked image inside a hollowed Microsoft binary; 0x400000 is the default 32-bit PE image base, consistent with a PE mapped over the host, and there is no on-disk file match for it. Both WerFault rows under "Program crash" target 3188 and 4192, so the injected payload crashed during the run, which is why no Mystic configuration appears under Malware Config.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
yara_rule family_redline matched two dropped-file dumps and one memory dump of PID 2412 (2Lw469gT.exe):
  behavioral1/files/0x00060000000231de-41.dat
  behavioral1/files/0x00060000000231de-42.dat
  behavioral1/memory/2412-43-0x0000000000DF0000-0x0000000000E2E000-memory.dmp
Executes dropped EXE (6 IoCs)
  PID 1060  Jy9vG4vV.exe
  PID 4300  XM1sC3iy.exe
  PID 1032  yB3qe9oe.exe
  PID 4824  gI3fo3mF.exe
  PID 4192  1PY13Ks8.exe
  PID 2412  2Lw469gT.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
All five entries are string values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
  wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\\\""  (written by 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe)
  wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\\\""  (written by Jy9vG4vV.exe)
  wextract_cleanup2 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\\\""  (written by XM1sC3iy.exe)
  wextract_cleanup3 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\\\""  (written by yB3qe9oe.exe)
  wextract_cleanup4 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\\\""  (written by gI3fo3mF.exe)
Caveat for triage: wextract_cleanupN RunOnce values pointing at advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress self-extractor (wextract) to delete its IXP00N.TMP extraction directory at the next logon. They are cleanup, not persistence for the stealer, so this signature should not be read as an autostart mechanism. What they do reveal is the packaging: the sample and each of the next four dropped executables is itself an IExpress package, giving a five-layer nested SFX chain (IXP000.TMP through IXP004.TMP) before the two real payloads appear.
Suspicious use of SetThreadContext (1 IoC)
  PID 4192 (1PY13Ks8.exe) set the thread context of PID 3188 (AppLaunch.exe, procid_target 92)
Together with the ten WriteProcessMemory rows from 4192 into 3188 below, this is the classic process-hollowing sequence: spawn a legitimate host, write the payload image into it, redirect its primary thread, resume. The Mystic YARA hits in 3188's memory identify what was written.
Program crash (2 IoCs)
  PID 3312  WerFault.exe  crashed process: PID 4192 (1PY13Ks8.exe, procid_target 90)
  PID 2012  WerFault.exe  crashed process: PID 3188 (AppLaunch.exe, procid_target 92)
Suspicious use of WriteProcessMemory (28 IoCs)
The 28 rows collapse to seven writer/target pairs (procid_target in parentheses):
  PID 2700 (5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe) -> PID 1060 (Jy9vG4vV.exe): 3 rows (85)
  PID 1060 (Jy9vG4vV.exe) -> PID 4300 (XM1sC3iy.exe): 3 rows (86)
  PID 4300 (XM1sC3iy.exe) -> PID 1032 (yB3qe9oe.exe): 3 rows (87)
  PID 1032 (yB3qe9oe.exe) -> PID 4824 (gI3fo3mF.exe): 3 rows (89)
  PID 4824 (gI3fo3mF.exe) -> PID 4192 (1PY13Ks8.exe): 3 rows (90)
  PID 4192 (1PY13Ks8.exe) -> PID 3188 (AppLaunch.exe): 10 rows (92)
  PID 4824 (gI3fo3mF.exe) -> PID 2412 (2Lw469gT.exe): 3 rows (98)
Every ordinary parent-to-child spawn in this run shows exactly three writes, which is the parent populating the freshly created child during process start-up rather than injection. Only the 4192 -> 3188 pair exceeds that baseline, and it is also the only pair with a SetThreadContext row, so it is the one genuine injection on the page.
Processes

C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe  (PID 2700)
  command line: "C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe  (PID 1060)
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe  (PID 4300)
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe  (PID 1032)
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe  (PID 4824)
          signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe  (PID 4192)
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3188)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              C:\Windows\SysWOW64\WerFault.exe  (PID 2012)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 540
                signatures: Program crash
            C:\Windows\SysWOW64\WerFault.exe  (PID 3312)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 600
              signatures: Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe  (PID 2412)
            signatures: Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe  (PID 1500)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe  (PID 2636)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4192 -ip 4192
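The signature rows above are flattened tables, and the security-relevant conclusion (one real injection among many benign parent-to-child writes, and which YARA family landed in which process) has to be pulled out of them by hand. The script below is an added example written for this page, not Triage output or Triage tooling: it parses a constructed subset of the report's own WriteProcessMemory, SetThreadContext and YARA rows, counts writes per writer/target pair, flags a SetThreadContext target whose write count exceeds the ordinary spawn baseline as hollowed, and attributes the memory-dump YARA families to the process they were found in. The row layout assumed is the flattened "PID <src> wrote to memory of <dst> <src> <image> <procid>" form seen on this page, the three-writes-per-spawn baseline is an assumption taken from this run, and the PID-to-name map is copied from the process tree.

```python
"""Reconstruct the injection chain from Triage signature rows and attribute
YARA memory hits to the process they were found in.

Added example for this report page; not Triage code. Row layout, the
spawn-write baseline and the PID/name map are assumptions taken from the page.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the report's 28 WriteProcessMemory rows
# (3 rows per ordinary child spawn, 10 rows for the AppLaunch.exe target).
WPM_ROWS = (
    ["PID 4824 wrote to memory of 4192 4824 gI3fo3mF.exe 90"] * 3
    + ["PID 4192 wrote to memory of 3188 4192 1PY13Ks8.exe 92"] * 10
    + ["PID 4824 wrote to memory of 2412 4824 gI3fo3mF.exe 98"] * 3
)
# Constructed sample: the single SetThreadContext row on the page.
STC_ROWS = ["PID 4192 set thread context of 3188 4192 1PY13Ks8.exe 92"]
# Constructed sample: YARA rows from the page, file hits deliberately mixed in.
YARA_ROWS = [
    "behavioral1/memory/3188-35-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic",
    "behavioral1/memory/3188-39-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic",
    "behavioral1/files/0x00060000000231de-41.dat family_redline",
    "behavioral1/memory/2412-43-0x0000000000DF0000-0x0000000000E2E000-memory.dmp family_redline",
]
# PID -> image name, copied from the process tree on the page.
PROC_NAMES = {4192: "1PY13Ks8.exe", 3188: "AppLaunch.exe", 2412: "2Lw469gT.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) \d+$")
YARA_RE = re.compile(
    r"^behavioral1/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$"
)
# Assumption: a plain CreateProcess shows up as 3 writes into the new child
# (every dropper spawn on the page has exactly 3); more than that means the
# parent is writing a payload into the child.
SPAWN_WRITE_BASELINE = 3


def count_writes(rows):
    """Map (src_pid, dst_pid) -> number of WriteProcessMemory rows."""
    counts = Counter()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def thread_context_targets(rows):
    """Map dst_pid -> (src_pid, src_image) for every SetThreadContext row."""
    targets = {}
    for row in rows:
        m = STC_RE.match(row.strip())
        if m:
            targets[int(m.group(2))] = (int(m.group(1)), m.group(3))
    return targets


def yara_memory_hits(rows):
    """Map pid -> {family: (lowest_base, highest_end)}; memory.dmp hits only."""
    hits = defaultdict(dict)
    for row in rows:
        m = YARA_RE.match(row.strip())
        if not m:
            continue  # file hits carry no PID, so they are not attributed here
        pid, lo, hi, fam = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), m.group(4)
        cur = hits[pid].get(fam, (lo, hi))
        hits[pid][fam] = (min(cur[0], lo), max(cur[1], hi))
    return hits


def find_injections(wpm_rows, stc_rows, yara_rows, names):
    """One finding per SetThreadContext target: writer, write count, whether the
    count exceeds the spawn baseline, and the families YARA saw in the target."""
    writes = count_writes(wpm_rows)
    hits = yara_memory_hits(yara_rows)
    findings = []
    for dst, (src, src_image) in thread_context_targets(stc_rows).items():
        n = writes.get((src, dst), 0)
        findings.append({
            "injector": (src, src_image),
            "target": (dst, names.get(dst, "?")),
            "writes": n,
            "hollowing": n > SPAWN_WRITE_BASELINE,
            "families": {fam: hi - lo for fam, (lo, hi) in hits.get(dst, {}).items()},
        })
    return findings


def unhollowed_family_hits(stc_rows, yara_rows, names):
    """Families found in processes that nobody set a thread context on, i.e.
    payloads that ran from their own dropped image rather than being injected."""
    injected = thread_context_targets(stc_rows)
    hits = yara_memory_hits(yara_rows)
    return {names.get(pid, "?"): sorted(fams) for pid, fams in hits.items() if pid not in injected}


if __name__ == "__main__":
    for finding in find_injections(WPM_ROWS, STC_ROWS, YARA_ROWS, PROC_NAMES):
        print(finding)
    print(unhollowed_family_hits(STC_ROWS, YARA_ROWS, PROC_NAMES))
```

Run against the rows above it reports a single hollowing finding, 1PY13Ks8.exe (4192) into AppLaunch.exe (3188) with 10 writes and family_mystic in a 0x28000-byte region, and attributes family_redline to 2Lw469gT.exe (2412) as a payload that executed from disk. The write-count threshold is deliberately a named constant: on a different sandbox build the per-spawn baseline may differ, so check it against a known-benign child in the same report before trusting the flag.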
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files, each listed once)

Filesize: 1.0MB
MD5: 92bcae9523fa276ff5cbec7700876fe5
SHA1: 308a273b3e213e1d1f77d4e8ba4c586bf6054ba8
SHA256: cc1aa43c0328e4b58f784be077e6b72d9deb9079c2858217338704d5e952cb7c
SHA512: f2bbb48ad972572b83a00e421714e6e0e69e24eca3f5a94996a7b06d78361c4a78e2db3411cc35c50f0994f2c5af7384a15e547d9bf012c4ea57e43275448c30

Filesize: 884KB
MD5: ea0ac474ffd1b5126c78f897ebf94d9d
SHA1: 8abdd1a8911c3c4093490afd7ed89527b7670ed6
SHA256: f5d2169a9ecc93fd57c081e3b609dce0d546f026584245c9b519c5c06ad0fa79
SHA512: 17b5a3fc6f6f87cc4f44899e902f5ecabf252c3834ba52ce718b36bf7036e096e8945a876b1c3809f1a9bc495a6a1e8e12a4edd4153d30344dc8ba200dd6d23d

Filesize: 590KB
MD5: 17690c1b10bae3f34acae87975eba51e
SHA1: f9c9cc016eb1158101fda934ad1f77f788714a8e
SHA256: 155aa6b44d63f75e82d3c8ed71c473dcc489f72f1ea888934193d6d3eeb0f7db
SHA512: 21585c47ffdea3750afd0d6d488036a56b72da78703e9d4dc1d1246ce67de8004c341a0f0862386a9faf8664f2add457f32c4536c3fee0ecfb64b567b03bcd4e

Filesize: 417KB
MD5: 459be124daa7b2cee946a6e817bc4aca
SHA1: 0a7cc81eb16d44bd4f95de294eda2fde57e66c2b
SHA256: 0d68190bc3532fb0efb7df9df9e3036bd6abfc1d2fdb1e20cae06941abc67abf
SHA512: 44e5770efcfb1c399b9c6777c28a2419f07b3b6199f73f1eacb0abc7baf8fe6618124b291dfa8428deb8ec3de1d65b52b613e4ae88d9a58710e6d0e6ac7dee3e

Filesize: 378KB
MD5: f0831f173733de08511f3a0739f278a6
SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Filesize: 231KB
MD5: 0258dbe115a62667aa8a06ad3d8fd735
SHA1: 98b2234856ef0a8adc212f03c67a7efbd77e5c96
SHA256: 6af2a1fafa879b054235181766ea8a987b56bff4873438da5e380dfcd11579d3
SHA512: b88f519b92c80f51447e08f33ee1ca1cd3f8316ff85a9c301542d7ef79bc5b80ea41c47b2892c69796320a3702b6d88fce123cc88656ae96e9c3d90fa3fc6324