Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2023 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82e3f6609a70db99ce5665b721eb287ee4d7d270661728e0d6cb4eeaea882bfa.exe

  • Size

    886KB

  • MD5

    8ecaf353e7045fc511ae4dc69e7ed597

  • SHA1

    fad1515b8efb456fb1f19e3f6bd28c889d246cc7

  • SHA256

    82e3f6609a70db99ce5665b721eb287ee4d7d270661728e0d6cb4eeaea882bfa

  • SHA512

    24fd573513abcf4917ab5461fef3768aab95672906a91dcf7e107742d04473a707977735e6af3a3a1de8c53def32baac20d3e3f3f870f93cf4467deddcd4e1f5

  • SSDEEP

    12288:UMrHy90glCgRVirR9XZAbM1ckX9e/mIHkPCR3tPHVaZ0gjHYusq/H3i3DzJf4:LyFncfXZ+UDkltP1aZ0gLbHyDza

Score
10/10
mysticredlinetaigainfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82e3f6609a70db99ce5665b721eb287ee4d7d270661728e0d6cb4eeaea882bfa.exe
    "C:\Users\Admin\AppData\Local\Temp\82e3f6609a70db99ce5665b721eb287ee4d7d270661728e0d6cb4eeaea882bfa.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LH2Zl23.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LH2Zl23.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11tx5599.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11tx5599.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4348
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3772
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 208
                5⤵
                • Program crash
                PID:1808
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12va741.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12va741.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4292
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
                PID:4456
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                4⤵
                  PID:5092
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  4⤵
                    PID:4396
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    4⤵
                      PID:1396
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13xY613.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13xY613.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:5088
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    3⤵
                      PID:956
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1384
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3772 -ip 3772
                  1⤵
                    PID:4356

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13xY613.exe
                    Filesize

                    724KB

                    MD5

                    d8b2bb61fcde3a2c2588e3076690e744

                    SHA1

                    9d4098edbe7667e325afeda43d6420907d862c2c

                    SHA256

                    cc59726dba3eb2ace7bdecd275a7735177537efd84933fd0c683007b700279d2

                    SHA512

                    fd05da6bf9b853e40c203ef2ada641dbe3aceeb3bd1c6aad4d7d0207833ab0f55b250e350f4187f806792dc28d50719acb3fb505e986ed45e231e3273fe5ad68

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13xY613.exe
                    Filesize

                    724KB

                    MD5

                    d8b2bb61fcde3a2c2588e3076690e744

                    SHA1

                    9d4098edbe7667e325afeda43d6420907d862c2c

                    SHA256

                    cc59726dba3eb2ace7bdecd275a7735177537efd84933fd0c683007b700279d2

                    SHA512

                    fd05da6bf9b853e40c203ef2ada641dbe3aceeb3bd1c6aad4d7d0207833ab0f55b250e350f4187f806792dc28d50719acb3fb505e986ed45e231e3273fe5ad68

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LH2Zl23.exe
                    Filesize

                    422KB

                    MD5

                    f363022f1d374ae10669feb231e6c7a8

                    SHA1

                    802fa5386cacb35b8284988bd61d7060fac0b306

                    SHA256

                    4437caacde19efc363b4b4502c2d04b3d3387f19c98cc1d7db1343f8f4a7d6b0

                    SHA512

                    df018b43d083c47a9864cd00e946f5eb9b61f14a619c86ee88a1295b2f31914979bad0b383d16b0cd5b13d6f619e98aadf87e128a0c6ecb2bdfd3772ecb8fc0b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LH2Zl23.exe
                    Filesize

                    422KB

                    MD5

                    f363022f1d374ae10669feb231e6c7a8

                    SHA1

                    802fa5386cacb35b8284988bd61d7060fac0b306

                    SHA256

                    4437caacde19efc363b4b4502c2d04b3d3387f19c98cc1d7db1343f8f4a7d6b0

                    SHA512

                    df018b43d083c47a9864cd00e946f5eb9b61f14a619c86ee88a1295b2f31914979bad0b383d16b0cd5b13d6f619e98aadf87e128a0c6ecb2bdfd3772ecb8fc0b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11tx5599.exe
                    Filesize

                    376KB

                    MD5

                    73e2990aa2c74766a2a01fd6d69f19ab

                    SHA1

                    8d141bf78c6668752dbd367f64fb5274e382dc4f

                    SHA256

                    84576038375e2d314019ae00b7066dc487a462e97a897017c06872ba868b85b0

                    SHA512

                    633cf2bb8fa55eb73b698fbaa2c33c985090cf0adf6ef20592a05298f95ff9df37a88620782b9109e39b713505a0983e5d73e9932016e75fc0dd6b06cd3a3b35

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11tx5599.exe
                    Filesize

                    376KB

                    MD5

                    73e2990aa2c74766a2a01fd6d69f19ab

                    SHA1

                    8d141bf78c6668752dbd367f64fb5274e382dc4f

                    SHA256

                    84576038375e2d314019ae00b7066dc487a462e97a897017c06872ba868b85b0

                    SHA512

                    633cf2bb8fa55eb73b698fbaa2c33c985090cf0adf6ef20592a05298f95ff9df37a88620782b9109e39b713505a0983e5d73e9932016e75fc0dd6b06cd3a3b35

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12va741.exe
                    Filesize

                    415KB

                    MD5

                    10e90e25d502c7461c0717dec1c82cb4

                    SHA1

                    62284eaa977f13b2dd1163c26fcfc803ce7861fd

                    SHA256

                    7ed6b7e9f52b5708ef77c5709c9f021351571248b192bcbc2d073e8301b8d9fb

                    SHA512

                    7d92b4c57a681822ced3e80ecb9721cad31471433a72e030fce1d0bdd4e94fcba3659eb43a952c91f13a2f709d801a12210626054b3b6cf4371c0895208a9d09

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12va741.exe
                    Filesize

                    415KB

                    MD5

                    10e90e25d502c7461c0717dec1c82cb4

                    SHA1

                    62284eaa977f13b2dd1163c26fcfc803ce7861fd

                    SHA256

                    7ed6b7e9f52b5708ef77c5709c9f021351571248b192bcbc2d073e8301b8d9fb

                    SHA512

                    7d92b4c57a681822ced3e80ecb9721cad31471433a72e030fce1d0bdd4e94fcba3659eb43a952c91f13a2f709d801a12210626054b3b6cf4371c0895208a9d09

                    Download Submit

                  • memory/1384-42-0x0000000000400000-0x0000000000488000-memory.dmp

                    Filesize

                    544KB

                    Download

                  • memory/1384-40-0x0000000000400000-0x0000000000488000-memory.dmp

                    Filesize

                    544KB

                    Download

                  • memory/1384-39-0x0000000000400000-0x0000000000488000-memory.dmp

                    Filesize

                    544KB

                    Download

                  • memory/1384-38-0x0000000000400000-0x0000000000488000-memory.dmp

                    Filesize

                    544KB

                    Download

                  • memory/1396-34-0x0000000007D20000-0x0000000007D5C000-memory.dmp

                    Filesize

                    240KB

                    Download

                  • memory/1396-22-0x0000000000400000-0x000000000043C000-memory.dmp

                    Filesize

                    240KB

                    Download

                  • memory/1396-27-0x0000000007F10000-0x00000000084B4000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/1396-28-0x0000000007A00000-0x0000000007A92000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/1396-29-0x0000000007B80000-0x0000000007B90000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1396-30-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1396-31-0x0000000008AE0000-0x00000000090F8000-memory.dmp

                    Filesize

                    6.1MB

                    Download

                  • memory/1396-32-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

                    Filesize

                    1.0MB

                    Download

                  • memory/1396-33-0x0000000007CA0000-0x0000000007CB2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/1396-26-0x0000000073D30000-0x00000000744E0000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/1396-35-0x0000000007D60000-0x0000000007DAC000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/1396-36-0x0000000073D30000-0x00000000744E0000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/1396-37-0x0000000007B80000-0x0000000007B90000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3772-18-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/3772-15-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/3772-16-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/3772-14-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                    Download