Malware Analysis Report

2025-01-02 05:30

Sample ID 231111-ma7xrsec56
Target NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe
SHA256 92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8

Threat Level: Known bad

The file NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe was found to be: Known bad.

Chain observed in behavioral1: the sample is a nested self-extractor (the IXP000.TMP and IXP001.TMP extraction directories and the wextract_cleanup RunOnce values are the footprint of the Microsoft IExpress/wextract packager). It drops NF5zF76.exe and 5NH30Va.exe; NF5zF76.exe in turn drops 3GR339YR.exe and 4Cd2Eb5.exe, each of which starts the .NET host AppLaunch.exe and writes into it (WriteProcessMemory together with SetThreadContext, the process-hollowing pattern). The first AppLaunch.exe instance (PID 5064) crashed and was handled by WerFault.exe; the second (PID 1456) kept running. Only those two instances have memory dumps listed under Files, which is where to look for the unpacked Mystic and RedLine payloads rather than in the dropped executables. 5NH30Va.exe reads the configured country (Geo\Nation) and runs is64.bat through cmd.exe. The only non-background network contact is repeated TCP to 5.42.92.51:19057 (RU) with no DNS name, the indicator to pivot on; the report does not attribute that connection to a particular process.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:16

Reported

2023-11-11 10:19

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe N/A

Geo\Nation holds the GeoID of the country configured for the user. Reading it is a common stealer check of the victim's locale before doing anything else; the report records the query but not the value returned or what 5NH30Va.exe did with it.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe N/A

Both values are the standard cleanup entries that the Microsoft IExpress self-extractor (wextract) writes for its IXP00n.TMP extraction directory: rundll32.exe advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon, and a RunOnce value is removed once it has fired. They identify NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe and NF5zF76.exe as nested IExpress-style droppers; they do not register the payload to auto-start, and nothing else in this run adds a Run or RunOnce value.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4740 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe
PID 4740 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe
PID 4740 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe
PID 4300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe
PID 4300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe
PID 4300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2392 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe
PID 4300 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe
PID 4300 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4768 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4740 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe
PID 4740 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe
PID 4740 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe
PID 1920 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe C:\Windows\SysWOW64\cmd.exe
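The table above repeats one row per write event, which hides the shape of the chain. The following script is an added example, not part of the sandbox report: it parses rows in exactly the format above (constructed here from the report's seven distinct rows, repeated with the same multiplicities), rebuilds the parent-to-child tree by PID, and flags the edges where an executable under the user's Temp directory wrote into a binary under C:\Windows more often than a plain process launch does. The baseline of three writes per launch is a heuristic read off this report (every dropper-to-stage and stage-to-cmd.exe edge shows exactly three), not a property of WriteProcessMemory in general.

```python
"""Rebuild the process tree and spot process-hollowing edges from the
'Suspicious use of WriteProcessMemory' rows of a sandbox report."""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe"
STAGE1 = TEMP + r"\IXP000.TMP\NF5zF76.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"


def _row(src_pid, dst_pid, src, dst):
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src} {dst}"


# Constructed sample input: the report's table, one template line per unique
# row, repeated as many times as that row appears in the report.
SAMPLE_ROWS = "\n".join(
    [_row(4740, 4300, DROPPER, STAGE1)] * 3
    + [_row(4300, 2392, STAGE1, TEMP + r"\IXP001.TMP\3GR339YR.exe")] * 3
    + [_row(2392, 5064, TEMP + r"\IXP001.TMP\3GR339YR.exe", APPLAUNCH)] * 10
    + [_row(4300, 4768, STAGE1, TEMP + r"\IXP001.TMP\4Cd2Eb5.exe")] * 3
    + [_row(4768, 1456, TEMP + r"\IXP001.TMP\4Cd2Eb5.exe", APPLAUNCH)] * 8
    + [_row(4740, 1920, DROPPER, TEMP + r"\IXP000.TMP\5NH30Va.exe")] * 3
    + [_row(1920, 1344, TEMP + r"\IXP000.TMP\5NH30Va.exe", r"C:\Windows\SysWOW64\cmd.exe")] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Heuristic tuned to this report's logging: every plain CreateProcess edge
# (dropper -> stage, stage -> cmd.exe) shows exactly three writes, while the
# two AppLaunch.exe edges show 10 and 8. More than the baseline into a binary
# under C:\Windows is treated as injection.
CREATEPROCESS_BASELINE = 3


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Map (src_pid, dst_pid, src_path, dst_path) -> number of write events."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src_pid, dst_pid, src, dst = m.groups()
            counts[(int(src_pid), int(dst_pid), src, dst)] += 1
    return counts


def is_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def injection_edges(counts):
    """(src_pid, dst_pid, src_name, dst_name, writes) for edges where a
    Temp-resident executable wrote into a Windows binary more than a plain
    process launch does."""
    hits = []
    for (src_pid, dst_pid, src, dst), n in counts.items():
        if is_user_temp(src) and is_windows_binary(dst) and n > CREATEPROCESS_BASELINE:
            hits.append((src_pid, dst_pid, basename(src), basename(dst), n))
    return sorted(hits)


def render_tree(counts, root):
    """Indented parent -> child tree, one line per process, with the number of
    write events from the parent; order follows first appearance in the table."""
    children = defaultdict(list)
    names = {}
    for (src_pid, dst_pid, src, dst), n in counts.items():
        names.setdefault(src_pid, basename(src))
        names.setdefault(dst_pid, basename(dst))
        children[src_pid].append((dst_pid, n))
    lines = []

    def walk(pid, depth, writes):
        tag = f" [{writes} writes from parent]" if writes else ""
        lines.append("  " * depth + f"{names[pid]} (PID {pid}){tag}")
        for child, n in children[pid]:
            walk(child, depth + 1, n)

    walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    counts = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(counts, 4740)))
    for src_pid, dst_pid, src, dst, n in injection_edges(counts):
        print(f"injection: {src} ({src_pid}) -> {dst} ({dst_pid}), {n} writes")
```

On this input the two flagged edges are 3GR339YR.exe (2392) into AppLaunch.exe (5064) with 10 writes and 4Cd2Eb5.exe (4768) into AppLaunch.exe (1456) with 8; the cmd.exe edge from 5NH30Va.exe sits at the launch baseline and is not flagged. Against a different sandbox, or against EDR telemetry that logs every NtWriteVirtualMemory call, re-derive the baseline from a known-clean launch before trusting the threshold.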

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; each node shows the image path and, indented beneath it, the command line as captured):

C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe  (PID 4740)
  "C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe  (PID 4300)
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe  (PID 2392)
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 5064, written into by 2392; crashed)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

      C:\Windows\SysWOW64\WerFault.exe  (crash reporting for PID 5064; parent not recorded in the table)
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5064 -ip 5064

      C:\Windows\SysWOW64\WerFault.exe  (crash reporting for PID 5064; parent not recorded in the table)
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 540

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe  (PID 4768)
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1456, written into by 4768)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe  (PID 1920)
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe

    C:\Windows\SysWOW64\cmd.exe  (PID 1344)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
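Most of the table above is resolver and OS background traffic (PTR lookups sent to the sandbox's 8.8.8.8 resolver, Bing over 443), and the report does not say which process made which connection. The following script is an added example, not part of the report: it parses rows in the table's own layout (the table is embedded verbatim as constructed sample input), decodes the in-addr.arpa names back to the IPs that were reverse-resolved, and separates bare-IP TCP on non-web ports, the shape of the 5.42.92.51:19057 contact, from named traffic. Treating the bing.com and bing.net names as benign background of the sandbox image is an assumption of this example.

```python
"""Triage a sandbox 'Network' table: separate resolver and OS background
traffic from direct-to-IP connections that need a closer look."""
from collections import Counter

# Constructed sample input: the Network table of the report, copied verbatim.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
"""

# Assumption of this example: Bing traffic is Windows background activity of
# the sandbox image, not something the sample did.
BACKGROUND_DOMAINS = ("bing.com", "bing.net")
PTR_SUFFIX = ".in-addr.arpa"


def parse_network(text):
    """Rows as dicts; the Domain column is absent for bare-IP connections."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Undo the octet reversal of a PTR name: '254.43.238.8.in-addr.arpa' -> '8.238.43.254'."""
    if not name.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def is_background_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BACKGROUND_DOMAINS)


def candidate_c2(rows):
    """TCP to a bare IP (no name resolved for it) on a non-web port, with the
    number of connections seen; this is the shape to pivot on first."""
    hits = Counter()
    for r in rows:
        if r["proto"] == "tcp" and r["domain"] is None and r["port"] not in (80, 443):
            hits[(r["country"], f'{r["host"]}:{r["port"]}')] += 1
    return hits


def summarize(rows):
    """Names queried, IPs reverse-resolved, background TCP, and bare-IP TCP."""
    out = {"dns_names": set(), "ptr_ips": set(),
           "background_tcp": Counter(), "bare_ip_tcp": candidate_c2(rows)}
    for r in rows:
        d = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53 and d:
            if d.endswith(PTR_SUFFIX):
                out["ptr_ips"].add(ptr_to_ip(d))
            else:
                out["dns_names"].add(d)
        elif r["proto"] == "tcp" and d and is_background_domain(d):
            out["background_tcp"][(d, f'{r["host"]}:{r["port"]}')] += 1
    return out


if __name__ == "__main__":
    s = summarize(parse_network(SAMPLE_NETWORK))
    for (country, dest), n in s["bare_ip_tcp"].items():
        print(f"bare-IP TCP: {dest} ({country}) x{n}")
    print("reverse-resolved IPs:", ", ".join(sorted(s["ptr_ips"])))
```

On this table the only bare-IP TCP target is 5.42.92.51:19057 (RU), contacted five times; the fourteen PTR lookups decode to addresses such as 8.238.43.254 and 20.190.160.22. Because the report carries no per-process attribution, confirm which process owns the 19057 connection (for instance from a full packet capture or the injected AppLaunch.exe instances' handles) before treating it as the stealer's C2 rather than as activity of a sibling process.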

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe

MD5 e77056154234792f28d3592e6fdc1721
SHA1 8e03ba7e4fdcad961d48eabac42adb892b3134f8
SHA256 348eb80e4b319f71d356670f17caf521c99fdd5231bc9a7d19645d2823da0567
SHA512 b2279d0cf6133f60309f340980307e7d9d5767c15df2b4ce4cba7cc197dca0c77e0b4b7750717529f5165cc0e235d7383ab87559c7d30dcf9e90977d1d948daf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe

MD5 91cc05f030208de23b079cbe82aaef0c
SHA1 d15ae75d12ed4c0f79437c495f1f83e63d1ffc7b
SHA256 12cc053e5a9e10f0b92f8686af41b12b07473600e75c8245256fef575b9262ac
SHA512 73860c4289d338bfbc98d5e5478521c67e9ba76d2c88c3c89a7d1b11e72d2f362de040f22e312b5621e13bd9662f53f27f456b06854c2051031237f361f0b331

memory/5064-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5064-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5064-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5064-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe

MD5 857a2c0ee66b49fcc334f9b95449597d
SHA1 44bbdb08cca695a151db4ffafdc9bf57f9893054
SHA256 60fcc159b86d37334d5a3b37e4d41203d2348894d023f6cbdda511dfd4b6fe82
SHA512 807a58b3345ac54688f8d0d75951feb2f348775ac3c5132bd0fdebe67eaef080c748ef9be02d1224ee977aa8b52d1a460c45620a76be72778acd7d2a0b7cd94f

memory/1456-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe

MD5 dc9634d7bd290eef66f99e1484614449
SHA1 842a9b8a739fbd2e55e111b18249cf18add0e5da
SHA256 80e91d414f0db8e29c451c39f27790e3995eeadd491e781187257192365b90ef
SHA512 e907f8e3578434b93afb48f7f5ac9b6be98cd0e5e75e0df1f0a14c218b83931889f10dda189faf8545af1192626bdef39c91f2ff79c7d95618ee54986b0b300e

memory/1456-28-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/1456-29-0x00000000076D0000-0x0000000007C74000-memory.dmp

memory/1456-31-0x0000000007200000-0x0000000007292000-memory.dmp

memory/1456-33-0x00000000073B0000-0x00000000073C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/1456-38-0x00000000072A0000-0x00000000072AA000-memory.dmp

memory/1456-39-0x00000000082A0000-0x00000000088B8000-memory.dmp

memory/1456-40-0x00000000075C0000-0x00000000076CA000-memory.dmp

memory/1456-41-0x0000000007380000-0x0000000007392000-memory.dmp

memory/1456-42-0x00000000074F0000-0x000000000752C000-memory.dmp

memory/1456-43-0x0000000007530000-0x000000000757C000-memory.dmp

memory/1456-44-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/1456-45-0x00000000073B0000-0x00000000073C0000-memory.dmp