Analysis

max time kernel: 140s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 05:50

Static task: static1
Behavioral task: behavioral1
Sample: 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe
Resource: win10v2004-20230915-en
General

Target: 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe
Size: 1.2MB
MD5: 10979edc4e35922e92b0bd45923da9a6
SHA1: 10aa1898f6873a7f3ef9bf3729e230c97b8b07dc
SHA256: 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f
SHA512: 22096f839de2766101245a5de49da61647af917992f2b9192b2b67039c369ca446f61de775e9e17224c47a6945a435e43d41ad0610ed86e2516a39ed96430560
SSDEEP: 24576:WyBPhdcyC4hamjTnIXBe+0wZUgC4yxj7Ms/yPHHpZp6VxYX:lBcf4hb/nIXM2OgO5yvJZpy
Malware Config

Extracted
Family: redline
Botnet: gigant
C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1012-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/1012-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/1012-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/1012-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x0006000000023266-41.dat | family_redline
behavioral1/files/0x0006000000023266-42.dat | family_redline
behavioral1/memory/4136-43-0x00000000004B0000-0x00000000004EE000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
pid | Process
1520 | bK6MM6iC.exe
212 | RB2kt7oI.exe
2000 | lw3cy0bM.exe
3488 | vo3Re0sw.exe
1020 | 1Zj47kq4.exe
4136 | 2at668dL.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | bK6MM6iC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | RB2kt7oI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | lw3cy0bM.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | vo3Re0sw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1020 set thread context of 1012 | 1020 | 1Zj47kq4.exe | 90

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4976 | 1020 | WerFault.exe | 87
1448 | 1012 | WerFault.exe | 90

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 3132 wrote to memory of 1520 | 3132 | 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe | 83
PID 3132 wrote to memory of 1520 | 3132 | 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe | 83
PID 3132 wrote to memory of 1520 | 3132 | 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe | 83
PID 1520 wrote to memory of 212 | 1520 | bK6MM6iC.exe | 84
PID 1520 wrote to memory of 212 | 1520 | bK6MM6iC.exe | 84
PID 1520 wrote to memory of 212 | 1520 | bK6MM6iC.exe | 84
PID 212 wrote to memory of 2000 | 212 | RB2kt7oI.exe | 85
PID 212 wrote to memory of 2000 | 212 | RB2kt7oI.exe | 85
PID 212 wrote to memory of 2000 | 212 | RB2kt7oI.exe | 85
PID 2000 wrote to memory of 3488 | 2000 | lw3cy0bM.exe | 86
PID 2000 wrote to memory of 3488 | 2000 | lw3cy0bM.exe | 86
PID 2000 wrote to memory of 3488 | 2000 | lw3cy0bM.exe | 86
PID 3488 wrote to memory of 1020 | 3488 | vo3Re0sw.exe | 87
PID 3488 wrote to memory of 1020 | 3488 | vo3Re0sw.exe | 87
PID 3488 wrote to memory of 1020 | 3488 | vo3Re0sw.exe | 87
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 1020 wrote to memory of 1012 | 1020 | 1Zj47kq4.exe | 90
PID 3488 wrote to memory of 4136 | 3488 | vo3Re0sw.exe | 98
PID 3488 wrote to memory of 4136 | 3488 | vo3Re0sw.exe | 98
PID 3488 wrote to memory of 4136 | 3488 | vo3Re0sw.exe | 98
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe (PID 3132)
  command line: "C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe (PID 1520)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe (PID 212)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe (PID 2000)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe (PID 3488)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe (PID 1020)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1012)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

              C:\Windows\SysWOW64\WerFault.exe (PID 1448)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 544
                - Program crash

            C:\Windows\SysWOW64\WerFault.exe (PID 4976)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 156
              - Program crash

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2at668dL.exe (PID 4136)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2at668dL.exe
            - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe (PID 2440)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1020 -ip 1020

C:\Windows\SysWOW64\WerFault.exe (PID 3212)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1012 -ip 1012
Downloads