Analysis
- max time kernel: 149s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2023, 02:12
Static task: static1

Behavioral task: behavioral1
- Sample: 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe
- Resource: win10v2004-20230915-en
General
- Target: 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe
- Size: 742KB
- MD5: e71b28e3bf543500ed2bffd58a5d3193
- SHA1: 5514aa60f3f9b8d9772aa46482e26873400ac286
- SHA256: 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0
- SHA512: 6d77023f16c10b781f9bffeccba27175fd29f36f97cb6d6febd5cedbe809cc463b46930025c8006ec1774be1e9965fa194323c1f5fc7cbdb53675ff86265b960
- SSDEEP: 12288:od//yfYb5BIQZVtJa/GO3B/KZU7twYpptKWcGX4DnYcTzVbC8IbX9KamdG5j8PF9:giuBtZizZJwYfmGX4DYWAtj89XiVNO
Malware Config
Extracted
- Family: redline
- Botnet: moner
- C2: 77.91.124.82:19071
- auth_value: a94cd9e01643e1945b296c28a2f28707
Signatures

- Detect Mystic stealer payload (2 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/files/0x00070000000231e1-16.dat | family_mystic |
| behavioral2/files/0x00070000000231e1-17.dat | family_mystic |

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 4828 | y3213497.exe |
| 5052 | m4626236.exe |
| 2748 | n5889237.exe |

- Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y3213497.exe |

- Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4920 set thread context of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |

- Suspicious use of WriteProcessMemory (22 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4920 wrote to memory of 4700 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 93 |
| PID 4920 wrote to memory of 4700 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 93 |
| PID 4920 wrote to memory of 4700 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 93 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 4920 wrote to memory of 2924 | 4920 | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe | 94 |
| PID 2924 wrote to memory of 4828 | 2924 | AppLaunch.exe | 95 |
| PID 2924 wrote to memory of 4828 | 2924 | AppLaunch.exe | 95 |
| PID 2924 wrote to memory of 4828 | 2924 | AppLaunch.exe | 95 |
| PID 4828 wrote to memory of 5052 | 4828 | y3213497.exe | 96 |
| PID 4828 wrote to memory of 5052 | 4828 | y3213497.exe | 96 |
| PID 4828 wrote to memory of 5052 | 4828 | y3213497.exe | 96 |
| PID 4828 wrote to memory of 2748 | 4828 | y3213497.exe | 97 |
| PID 4828 wrote to memory of 2748 | 4828 | y3213497.exe | 97 |
| PID 4828 wrote to memory of 2748 | 4828 | y3213497.exe | 97 |
Processes

- C:\Users\Admin\AppData\Local\Temp\2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe (depth 1, PID 4920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2, PID 4700)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2, PID 2924)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3213497.exe (depth 3, PID 4828)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3213497.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      Children:
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4626236.exe (depth 4, PID 5052)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4626236.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5889237.exe (depth 4, PID 2748)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5889237.exe
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 271KB
  MD5: 20edcc73b51f3ce8d967d080dc87d472
  SHA1: 4899f1ce1063812bfe2e4416e2f36ccd0bc3f59a
  SHA256: a8bf8d9ccfebba12223174145530a1ec9284d6e6d9ca4b0d0e7ad85687a67291
  SHA512: 1ace063fc394ec4288e73954a99f114dee27258cfb325c14541f9d88b1f73e3436f1d67b62e182a92a61cea93372a8983f2766e03cd563c7d0f5c3a84c4bcb61
- Filesize: 140KB
  MD5: dff524ad2b0124d47d061ced568d63dd
  SHA1: f31f16fcab070a859d88b4355f8d351fca60cc35
  SHA256: 639dec563124a2a994e9ace9a15558a9a2054c63567c933952c373ae3859a2a7
  SHA512: a4bf65fb724c47ff1711730b614fd67738bbfdaaf69e61cd4fe4689900a73e45323fc38f3df0139f2d068010a67502f82559fef1f8e6b1754e3b442ec7f9763e
- Filesize: 174KB
  MD5: e991aecfbe160f99cbdeaf13bad97923
  SHA1: b4e6e8ee0b2daa7bc1689c39736cd6fad5a2f764
  SHA256: e7b2b3d35a2e81ee5396e07bcceae6539433ca57470f8f3ab2509d2cd84226e2
  SHA512: ad0c734afe13fa8c5b3cf62258e64e759b31170a6beb766d57d4bfcdbb2bd69a8276056c81c2fc91536d9c4d87c7b85790dad27e14b7ed19bd5a7cd0b32b70ce