Analysis
max time kernel: 165s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 12:46
Static task: static1
Behavioral task: behavioral1
  Sample: 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
  Resource: win10v2004-20230915-en
General
Target: 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
Size: 942KB
MD5: 5d5ebc7e0ba580b44caaa751f7da5965
SHA1: 91cbb2a41d5bcacd64a228dbadb8ad2eadd50acd
SHA256: 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9
SHA512: fd88845fc9aeb0ffda094188f0393b80c3c67ce1d40be433532f8263bd8ad5e6ea3fc487c022101a5a20801adbf14a135cf33980e8819f192fc1e6c371cb80c9
SSDEEP: 12288:fMrQy90LsXhBgI5ol9HFRLm8mdpVNLwsSMXAMyuCuAlzsvaGQixSg+SrofLx74oR:PySsLi97Lmf5wACOiGvY2iLJ4oKtvHw
Malware Config
Extracted
Family: redline
Botnet: ramos
C2: 77.91.124.82:19071
auth_value: 42c0ec91d63648bb7119ab787aa3fb94
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3516-28-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/3516-29-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/3516-30-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/3516-32-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (5 IoCs)
  pid | Process
  936 | x1016529.exe
  3956 | x1516362.exe
  4124 | x9564736.exe
  2768 | g2570099.exe
  4348 | h8632078.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x1016529.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x1516362.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x9564736.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2768 set thread context of 3516 | 2768 | g2570099.exe | 92
Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3544 | 3516 | WerFault.exe | 92
  4992 | 2768 | WerFault.exe | 91
Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target | count
  PID 4824 wrote to memory of 936 | 4824 | 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe | 88 | x3
  PID 936 wrote to memory of 3956 | 936 | x1016529.exe | 89 | x3
  PID 3956 wrote to memory of 4124 | 3956 | x1516362.exe | 90 | x3
  PID 4124 wrote to memory of 2768 | 4124 | x9564736.exe | 91 | x3
  PID 2768 wrote to memory of 3516 | 2768 | g2570099.exe | 92 | x10
  PID 4124 wrote to memory of 4348 | 4124 | x9564736.exe | 99 | x3
Processes

C:\Users\Admin\AppData\Local\Temp\9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe"
  PID: 4824
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1016529.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1016529.exe
    PID: 936
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516362.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516362.exe
      PID: 3956
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9564736.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9564736.exe
        PID: 4124
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2570099.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2570099.exe
          PID: 2768
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3516
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 540
              PID: 3544
              - Program crash
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 564
            PID: 4992
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8632078.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8632078.exe
          PID: 4348
          - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2768 -ip 2768
  PID: 2924

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 3516
  PID: 4672
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 840KB
MD5: d58e531fe14e081a3487aa0217bea776
SHA1: aff688a495cd11adcc8bc72408daf68449b8c7af
SHA256: edad8e439c3f2f5f6048a2981c70f18ee5c75e3b1138f5ef074db5e1d4c4e29d
SHA512: 4c67c6c06cc1f8fc4b5638fb384dcdda50244af150a0aa6136cfea38a1fc2a372f06dd8ee5fb5348bcde85ef274ec48299c8a1bd0d5ea6470c4fc3625506fd55

Filesize: 562KB
MD5: ee54b1196dc84dbce0dde1520a3f7684
SHA1: 599091311e1df6476d37cca87f912fa1b101107c
SHA256: 511f2cae1f9b7e71e244d17db11e01070e0801fcfd14f8908e784ef5909f1743
SHA512: 67df098dad6e15c3c0e2dcab99015f564fdcedb2a35d3d455a3c6763913735d95d228f5193ef3d46cc97a4d5885c4a5d3974eb02fb69316b9764ff69d1038124

Filesize: 396KB
MD5: 0e0dd7d2d24831b3d7d92418cbb9f612
SHA1: 63857e22eb4fcdd614982da1b9257569929da5b6
SHA256: c08f31e22aa7a06918a7ec37f58138cab06b9ae9dab84016216615a56c352ea7
SHA512: 4ab7be88c5736a6a96cdcf0166e43f95c6781d07564581488c3635a79513d453cab988052da050ef28ab40d302449a55a6091ee660b1da52172fc89a79257871

Filesize: 379KB
MD5: 3842b43cab0215976e1bb12f498a320d
SHA1: b3b2b679f5b573d6d7c61a726f3a16f49ebdcc89
SHA256: 767ff488adb690d860af9cd23645350a69f1b0efaee985ec16abdb8d33732ec2
SHA512: ff49e6adb2ebe1849e5fd530abafd71d5c690b4f8cdba32f6a62c62603edddf701c0a4286fca4254c182178606f54161df5f8e5f5d6ef289e9ef9068d695798c

Filesize: 174KB
MD5: 2f53fba949ae81f4641d3ec43b0e6fd0
SHA1: c211be0128fcfa598b9600842d5809f1567b0c4b
SHA256: 9e1f55484f4d038b9f674de5c64250534bffd5de6640104d14c2c319b5b4be32
SHA512: a9654a5211e67fa73691fcd1dcaa1047270c4d83dc09351d047632a789823ae8dc53c4ee7e57cf4e7d48802cf11cb5aad7f7355ad952a9984884227c48495bb4