Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-11-2023 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    704a65fd9f971fc4ec1d6187b4f8819a49e425e22650438e01ec5906c7df7ea7.exe

  • Size

    1.3MB

  • MD5

    99240fb9c640600a826de415b9ffee34

  • SHA1

    4367e339aee8a88b72092d4b99bed1c12749b73a

  • SHA256

    704a65fd9f971fc4ec1d6187b4f8819a49e425e22650438e01ec5906c7df7ea7

  • SHA512

    fceda08d0387bbe99c31a6ca1ad3a4efeac165073432b1f5d87897c8e548040a8e92fc41ac594ddddbb6400e0c6a7d4864f20713bb1e1a49e7620912ca006aa7

  • SSDEEP

    24576:qyNL5qhuvIpaQwKHcqjbCNCSp7qidIQGDacCq0YA2EVjoLbBnAhID9B3:xNL5qIvYJjbAJd/GAYLJJMIDP

Score
10/10
mysticredlinetaigainfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\704a65fd9f971fc4ec1d6187b4f8819a49e425e22650438e01ec5906c7df7ea7.exe
    "C:\Users\Admin\AppData\Local\Temp\704a65fd9f971fc4ec1d6187b4f8819a49e425e22650438e01ec5906c7df7ea7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dc6bN83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dc6bN83.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AD5wn52.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AD5wn52.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ns7861.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ns7861.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:4340
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:3948
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                5⤵
                  PID:4188
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 568
                    6⤵
                    • Program crash
                    PID:652
              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12gJ168.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12gJ168.exe
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:684
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  5⤵
                    PID:2264
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Kh800.exe
                C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Kh800.exe
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2164
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2656
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14sq970.exe
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14sq970.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4596
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                3⤵
                  PID:5072
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:792

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14sq970.exe
              Filesize

              717KB

              MD5

              182c9731e069923fd1ccb0cb65a5dafe

              SHA1

              d84cdd5e6aac833bb3bdfdf78b93b744dbd90742

              SHA256

              11bb15e283729f8698f5c54ce73711c94c81b6e31c19d7c5177aa19ed4fe2b31

              SHA512

              5aaaad0f7fb00b1bcd624bb62b47fa41e5d28956014333f18b65b42410588728fd37118b8b0d6118af43b5e70f58b1c430283b5d60d8ef03473327be75289e2e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14sq970.exe
              Filesize

              717KB

              MD5

              182c9731e069923fd1ccb0cb65a5dafe

              SHA1

              d84cdd5e6aac833bb3bdfdf78b93b744dbd90742

              SHA256

              11bb15e283729f8698f5c54ce73711c94c81b6e31c19d7c5177aa19ed4fe2b31

              SHA512

              5aaaad0f7fb00b1bcd624bb62b47fa41e5d28956014333f18b65b42410588728fd37118b8b0d6118af43b5e70f58b1c430283b5d60d8ef03473327be75289e2e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dc6bN83.exe
              Filesize

              888KB

              MD5

              fe5a6c7a762f3cdd6c3b8610e82ec6cc

              SHA1

              6480b597d57f593e9691a6d531c40bd811a8457d

              SHA256

              af646c63a6242e8763981809d0b7a7bd2015badbeb19a3dc0c41a65bd3e0630b

              SHA512

              3ce516a12deebaad00f8a97028cdd664ca3fa85dc10e3fd99f940462031f1c2f1b47799019a763a516957f7d3ce7296736f3df358a8e93723b7b35e90eaa8b44

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dc6bN83.exe
              Filesize

              888KB

              MD5

              fe5a6c7a762f3cdd6c3b8610e82ec6cc

              SHA1

              6480b597d57f593e9691a6d531c40bd811a8457d

              SHA256

              af646c63a6242e8763981809d0b7a7bd2015badbeb19a3dc0c41a65bd3e0630b

              SHA512

              3ce516a12deebaad00f8a97028cdd664ca3fa85dc10e3fd99f940462031f1c2f1b47799019a763a516957f7d3ce7296736f3df358a8e93723b7b35e90eaa8b44

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Kh800.exe
              Filesize

              717KB

              MD5

              daed969658181b76d8aa1f192f6b9856

              SHA1

              c9b8801a045f7a14e803d9d95061cc9d423087a4

              SHA256

              9832a7f895d4638bea3021cbedefbd2f67f2dce662607875decdf0fb4d92606e

              SHA512

              c738e13585d741c5e025f34e42d45588fe78ee468cd078d965201d262c5d8bd427feb9ef151abc784dd77405bf7a93d591a4a6621251af2eccf201732c8f18a1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Kh800.exe
              Filesize

              717KB

              MD5

              daed969658181b76d8aa1f192f6b9856

              SHA1

              c9b8801a045f7a14e803d9d95061cc9d423087a4

              SHA256

              9832a7f895d4638bea3021cbedefbd2f67f2dce662607875decdf0fb4d92606e

              SHA512

              c738e13585d741c5e025f34e42d45588fe78ee468cd078d965201d262c5d8bd427feb9ef151abc784dd77405bf7a93d591a4a6621251af2eccf201732c8f18a1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AD5wn52.exe
              Filesize

              426KB

              MD5

              6766e43c636f6b446aba0c21b98f044d

              SHA1

              1212a9e9b483ba19f2cc58122862de8ff8d0926b

              SHA256

              d025483abfe06fea34217fee9227cabc7b6e00cd1e17ec2f4e9abcf4963a81c7

              SHA512

              3660f89d5134b5450a92c6e8c746b5924ab49eefe93634ad15aa310aa7d2f7b1c1a2e24e54dd3972238d605dcff2311649e245afc2718c3fe28aafebe93e095e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AD5wn52.exe
              Filesize

              426KB

              MD5

              6766e43c636f6b446aba0c21b98f044d

              SHA1

              1212a9e9b483ba19f2cc58122862de8ff8d0926b

              SHA256

              d025483abfe06fea34217fee9227cabc7b6e00cd1e17ec2f4e9abcf4963a81c7

              SHA512

              3660f89d5134b5450a92c6e8c746b5924ab49eefe93634ad15aa310aa7d2f7b1c1a2e24e54dd3972238d605dcff2311649e245afc2718c3fe28aafebe93e095e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ns7861.exe
              Filesize

              369KB

              MD5

              a9679933073731a85eafb9165d45ab00

              SHA1

              aee0195c3e6169e70f0a3f95c5e24f941848f18e

              SHA256

              481f5c28f7bf1c12c15cc68f26e1318b90363b5582f493875728daf872b806d9

              SHA512

              1fca1f11bd4ce75fd81d8886781a58c81c05751411b0d48332851b22b8c568ac009c32fb205fe64914719cada6d7133725b503c559f71de0a14cf09bf4553ea8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ns7861.exe
              Filesize

              369KB

              MD5

              a9679933073731a85eafb9165d45ab00

              SHA1

              aee0195c3e6169e70f0a3f95c5e24f941848f18e

              SHA256

              481f5c28f7bf1c12c15cc68f26e1318b90363b5582f493875728daf872b806d9

              SHA512

              1fca1f11bd4ce75fd81d8886781a58c81c05751411b0d48332851b22b8c568ac009c32fb205fe64914719cada6d7133725b503c559f71de0a14cf09bf4553ea8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12gJ168.exe
              Filesize

              408KB

              MD5

              e98bb63847d0b2f29b230f00b4a264e2

              SHA1

              cfd36efec7ba8648185c3afb81d28ffd3444ead2

              SHA256

              500f6b0d693afc3f14febcfdf090b516904ed73b06b8cf1152efb559b6a0849d

              SHA512

              7fec164d39fe5edc9021ad9c9c093aa371f755ac6c470010562241f3d9b5d165e8ecbc7572ff58a1a2ab070d8d0634cc5161ae067fd3743d3c5f150a8a011c68

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12gJ168.exe
              Filesize

              408KB

              MD5

              e98bb63847d0b2f29b230f00b4a264e2

              SHA1

              cfd36efec7ba8648185c3afb81d28ffd3444ead2

              SHA256

              500f6b0d693afc3f14febcfdf090b516904ed73b06b8cf1152efb559b6a0849d

              SHA512

              7fec164d39fe5edc9021ad9c9c093aa371f755ac6c470010562241f3d9b5d165e8ecbc7572ff58a1a2ab070d8d0634cc5161ae067fd3743d3c5f150a8a011c68

              Download Submit

            • memory/792-61-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/792-60-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/792-63-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/792-59-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/2264-31-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/2264-40-0x000000000BA40000-0x000000000BAD2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2264-41-0x000000000BAF0000-0x000000000BAFA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2264-42-0x000000000C9B0000-0x000000000CFB6000-memory.dmp

              Filesize

              6.0MB

              Download

            • memory/2264-43-0x000000000BD70000-0x000000000BE7A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/2264-44-0x000000000BCA0000-0x000000000BCB2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2264-45-0x000000000BD00000-0x000000000BD3E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/2264-46-0x000000000C3A0000-0x000000000C3EB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/2264-39-0x000000000BEA0000-0x000000000C39E000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/2264-38-0x0000000072A30000-0x000000007311E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2264-70-0x0000000072A30000-0x000000007311E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2656-51-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/2656-55-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/2656-57-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/2656-54-0x0000000000400000-0x0000000000488000-memory.dmp

              Filesize

              544KB

              Download

            • memory/4188-29-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4188-24-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4188-27-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4188-21-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download