Analysis

max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 14:32
Static task: static1

Behavioral task: behavioral1
  Sample: b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2 (the run reported on this page)
  Sample: b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
  Resource: win10v2004-20230915-en
General

Target: b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
Size: 942KB
MD5: 503083f2b28105f8a816cee8ac31527d
SHA1: 1c78c5e7ac9c163c636e44562c1fb80524b4b001
SHA256: b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37
SHA512: 23c4ea6f7d343b60ba109816e825c87c9856ad9d26823aeea40978ba296bd4468142058d75cccf442a30abb7b9a781a1948fbec3b4c26ad5d8643f552e922414
SSDEEP: 12288:yMrKy90ZNuFZEgMAKrT3qdV93OOaIz+xuiGfs+b1s057ByY8uDMKjcZlXS+1UFXc:sy4oNSadV5t+efs+n1yagofX5z91Od
Malware Config

Extracted
Family: redline
Botnet: kendo
C2: 77.91.124.82:19071
auth_value: 5a22a881561d49941415902859b51f14
Signatures

Note that the report carries two family attributions: a RedLine configuration extracted from the sample (Malware Config above) and a Mystic stealer YARA match in memory (below). The chain drops two final-stage executables, g2659924.exe and h1995412.exe, so the two attributions are not necessarily in conflict; the memory hits are tied to the g2659924.exe branch only.

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral2/memory/4508-28-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4508-29-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4508-30-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4508-32-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

All four hits are the same 0x28000-byte region at the default 0x00400000 image base of PID 4508, an AppLaunch.exe instance, which is the process that g2659924.exe (PID 4700) writes into and sets the thread context of. The payload was therefore detected in the hollowed .NET host, not on disk.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid | Process
4880 | x1106576.exe
4224 | x1003329.exe
3696 | x9588010.exe
4700 | g2659924.exe
848 | h1995412.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | x1106576.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"" | x1003329.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"" | x9588010.exe

These RunOnce values are the standard cleanup entries written by the Microsoft self-extractor (wextract.exe, the engine behind IExpress packages): each one deletes the IXP00N.TMP extraction directory via advpack.dll's DelNodeRunDLL32 on the next logon. They are not persistence for the malware itself; the signature name overstates them. What they do show is four nested self-extracting layers (wextract_cleanup0 through wextract_cleanup3, one per dropper in the chain).
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4700 set thread context of 4508 | 4700 | g2659924.exe | 92
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4364 | 4508 | WerFault.exe | 92
4712 | 4700 | WerFault.exe | 89
Suspicious use of WriteProcessMemory (31 IoCs; identical rows grouped, with the number of calls in the last column)
description | pid | Process | procid_target | calls
PID 1484 wrote to memory of 4880 | 1484 | b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe | 85 | 3
PID 4880 wrote to memory of 4224 | 4880 | x1106576.exe | 86 | 3
PID 4224 wrote to memory of 3696 | 4224 | x1003329.exe | 88 | 3
PID 3696 wrote to memory of 4700 | 3696 | x9588010.exe | 89 | 3
PID 4700 wrote to memory of 2236 | 4700 | g2659924.exe | 90 | 3
PID 4700 wrote to memory of 1612 | 4700 | g2659924.exe | 91 | 3
PID 4700 wrote to memory of 4508 | 4700 | g2659924.exe | 92 | 10
PID 3696 wrote to memory of 848 | 3696 | x9588010.exe | 98 | 3

Every ordinary parent/child pair in this run shows exactly three writes. The ten writes from g2659924.exe into PID 4508, together with the SetThreadContext call on the same PID and the family_mystic hits on that process's image region, are the process-hollowing pattern: a legitimate host (here the .NET AppLaunch.exe) is started, its image is overwritten, and its main thread is redirected to the injected code. The two earlier AppLaunch.exe children (PIDs 2236 and 1612) received only the three baseline writes and show no further activity, which is consistent with failed or abandoned injection attempts before the third one succeeded. Both 4508 and 4700 later crash (WerFault rows above).
Processes

The chain is four nested self-extracting layers (IXP000.TMP through IXP003.TMP), each dropping and running the next, with the last layer dropping two payload executables. Indentation shows the parent/child relationship; the depth number from the original listing is given in brackets.

[1] C:\Users\Admin\AppData\Local\Temp\b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe (PID 1484)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1106576.exe (PID 4880)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1106576.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1003329.exe (PID 4224)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1003329.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9588010.exe (PID 3696)
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9588010.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2659924.exe (PID 4700)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2659924.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2236)
              cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1612)
              cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4508)
              cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 4364)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 540
                - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4712)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 604
              - Program crash
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1995412.exe (PID 848)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1995412.exe
            - Executes dropped EXE

[1] C:\Windows\SysWOW64\WerFault.exe (PID 4380)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4700 -ip 4700

[1] C:\Windows\SysWOW64\WerFault.exe (PID 4108)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4508 -ip 4508
Network
MITRE ATT&CK Enterprise v15
Downloads

Five dropped files were captured (each was listed twice in the original export; the duplicate entries are collapsed here). No file names or paths are given in the export, so the hashes are not mapped to the x*/g*/h* executables above.

Filesize: 841KB
MD5: b5a0698f280c628dbc4925ba5b8e5245
SHA1: df53e1c025c5bdacc50f34a9e8ada8b6dc5b68a6
SHA256: 47ac7167e7624621a9cfe6b4186361fd417776e79aaf8af4ffbd9abf9f7468f5
SHA512: 4895d17789ccefd003545994b952f54b96968c556d0016735036fe2340a1aa92145f35e3f2014e9daf8fccf6cfaba78f2f0f5e96edc12ce1b2da13935f128f5d

Filesize: 563KB
MD5: ced399856eb2869844f5172b06db4416
SHA1: a4bf98d2f08da14ce7047fc388ba4167fec73bf2
SHA256: 273ab4cf6b1a77c2563d1c4c30f07eb6623b506f0c4091ca88dea2298ea71e21
SHA512: 1d66ca1119bed78203650d4d7fbbed991abebf3eff00cf7888f748fd442a234f919b69b6888021bf261fbb9a9abd8df24d737d88d754e674cbbd7e4082e09b2b

Filesize: 397KB
MD5: a6646fe27b200baa5c3c566c6f5a1eb5
SHA1: 16b7ffecb0c5d6b7fa5d8c2f8a58e1c1268bf5b8
SHA256: 9f1f86884874c885a95ce54be6f296d75853a174f21e9a2e7aed6c1ff3eb553f
SHA512: bf7cee7bfd131d8bf905ccb4a2eb5afdd370f317d7115380b09ba0188abc9eb2d91a87acf6096540a56948665395cb1ac70adc5b5f0b4050e79ba1e6c55a85b5

Filesize: 379KB
MD5: 400c1cc98151cd939061dae6b2443e8a
SHA1: 71d6f0fca1e3f5c467506c943125a76c4f9dce6d
SHA256: ea830a0b8e8c8ac1fdb14cd943a25a17a6523c4516b070ed38e5379f69b1e006
SHA512: 233c983e9f1edb196a354c941badbba84e64e1fd4819a561504447d96d79f69d374f1870adb1312134f13d35e38f65af2822329a9e4ce0b2125f90683711fe42

Filesize: 174KB
MD5: d9144ae238beb610f76b95a2cc475637
SHA1: d1bcd93c19200d0a5828b724f02dc20554dd02f7
SHA256: 63aec512bea42948e7d301e227a9d421399f2f8463243476200c3679b77088f7
SHA512: 367c0e2e50c5d823d42422472ddc5abb3acfd4216ff390aa35dbe7e04a2a1decea30b69abfa8bf93b7b46a430f352b6f951526425889eaffa61bd9996c1395ac