Malware Analysis Report

2025-01-02 05:31

Sample ID 231111-l3sg4sea95
Target NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe
SHA256 691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe was found to be: Known bad.

Malicious Activity Summary

Mystic

RedLine

Detect Mystic stealer payload

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:03

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:03

Reported

2023-11-11 10:12

Platform

win10v2004-20231023-en

Max time kernel

225s

Max time network

235s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe"

Signatures

Detect Mystic stealer payload

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe
PID 4220 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe
PID 1384 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4220 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe
PID 1996 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2188 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe
PID 4708 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3708 -ip 3708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe

MD5 610e1133a76ebd35d98e3135e0c327b0
SHA1 187bf9f5b655eaf8cb7d3ede21007af721b7d684
SHA256 f549e334d72f3ca01d4dc2d938c0f0ea236dc2657e357132e924bbe8ad953821
SHA512 3b885be010b98373262ee9b5ecb531c97cded193a83821b6de8976e4ae971fa8bab3053b99d5fb6eb184b8a301e981fb2344e07acff213fcae4a9deb818fea94

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe

MD5 819e6388ccec6d47b9dfb7bf0756d6c9
SHA1 17833be2c50c81b74cba89933b9580e18d0dae4e
SHA256 4c9dc67e337bc91d73e84e7e6ee7151490fb1b43e945055b36934e03e6e97343
SHA512 b4de99eba6c76cc99400f1e6c18116965c071321575fef91966415280f34f498f302702a11ac536b9f789ea86d8e22b6acb692da94721b67517c0bd2e68d554c

memory/3708-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3708-15-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe

MD5 ad6cfdecee19f2020682d0403e7a3ccd
SHA1 9c73edd78a901b3b1fd30991f67022b0c068f75b
SHA256 15e38af8a4cac2ce2af8a0cb68a071bd30b5cdc26a694c3eb14e20ca451d2dc2
SHA512 6e3b5a6a5b88a87401f80a8d05f970206345cda17d65ba4a08229725e149d19959906bb1def741bb2af90960ab983385ac7cba77e9ca792c2c058dcec4ac35a8

memory/3708-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3708-20-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4164-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe

MD5 50705322736ed8099196eb4e6ce664d0
SHA1 aa633d48071c9e8505ef3d26c3139d519195add7
SHA256 14d2eb3be008fdf0d2f908245b11a2946dda26fa767d1b01ae43d1a090553ca2
SHA512 6d72a72b3ab2b154250462b329fe88bbac4d0b4ee8f0c62e6e871a9a37ab69ea02160083ebe128b2c161cd1da662f710585c06d7f1b5abb359410c8d2df53231

memory/4164-28-0x0000000073EF0000-0x00000000746A0000-memory.dmp

memory/4164-30-0x00000000081D0000-0x0000000008774000-memory.dmp

memory/4164-32-0x0000000007D00000-0x0000000007D92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/4164-37-0x0000000073EF0000-0x00000000746A0000-memory.dmp

memory/4164-38-0x0000000007E20000-0x0000000007E30000-memory.dmp

memory/4164-39-0x0000000007F40000-0x0000000007F4A000-memory.dmp

memory/4164-40-0x0000000008DA0000-0x00000000093B8000-memory.dmp

memory/4164-41-0x00000000088D0000-0x00000000089DA000-memory.dmp

memory/4164-42-0x0000000008800000-0x0000000008812000-memory.dmp

memory/4164-43-0x0000000007E20000-0x0000000007E30000-memory.dmp