Overview

overview

10

Static

static

3

6d9b4a93f7...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4.exe

  • Size

    1.0MB

  • MD5

    0fc9cee6808909feddf5c8e4e30c7abb

  • SHA1

    e7498be8807c91714ebcd30d698e3ea0670ef6cb

  • SHA256

    6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4

  • SHA512

    80eb9a7ec6826b949b76d5e24200418647e86fecf6144900e900983f50c6502fc32fc1d90b577e27dab7ed2f2e6625ec6326f690c4ab17905ac46b2469b46353

  • SSDEEP

    24576:8ygbPFjq6/rtm4RLWdXuFFFymJ5throrhUniYRHA:rgbPRq6ztxS0b/vrDnBR

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4.exe
    "C:\Users\Admin\AppData\Local\Temp\6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aQ5NH25.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aQ5NH25.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt1lc13.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt1lc13.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF3Mu50.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF3Mu50.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:996
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IV5Fa29.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IV5Fa29.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qM97ry4.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qM97ry4.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2108
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4568
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu6349.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu6349.exe
              6⤵
              • Executes dropped EXE
              PID:1412
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3EN55Ke.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3EN55Ke.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:736
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:836
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4zE285zL.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4zE285zL.exe
          4⤵
          • Executes dropped EXE
          PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aQ5NH25.exe
    Filesize

    893KB

    MD5

    2cc85dd4f728ce87d0f5723d459fd17f

    SHA1

    484aedca9137ccef3838383ca308629cd2fcf9a6

    SHA256

    79e6dd8ee635ee95d81a3f0f289ae8e75e2d417d0d8ff85f50c3b1058d605aa6

    SHA512

    a37793ac4e82117e03607311f6d80853d90a29b17d62080a901a657268f33972655205aeddfba7e227c34916732fd0f30fda7013a7b2bb61d637ceed7f0a2e55

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt1lc13.exe
    Filesize

    710KB

    MD5

    d6fb442be655ebe25f52850771524172

    SHA1

    08e6d32d083d719953a2b07d2deff2ec432bb322

    SHA256

    a45229a356054f0d595beda5634c836b6c0813c562341bd291cfd0862117df07

    SHA512

    5e316b7dcc18fe97b029e805fb977e82ac67a167eff4a4080342c6816b076ff760406f21a7c178e5381577c4d608f1b6d02df06d5178392c7b4951d0fa9c13f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4zE285zL.exe
    Filesize

    221KB

    MD5

    8905918bd7e4f4aeda3a804d81f9ee40

    SHA1

    3c488a81539116085a1c22df26085f798f7202c8

    SHA256

    0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

    SHA512

    6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF3Mu50.exe
    Filesize

    537KB

    MD5

    57cfb268bff8784c4098361a58553696

    SHA1

    260fdcdd2c756529bf5f5159b87ad1410d3f76be

    SHA256

    df77973133846bdecd6daca69853cdf890db6890be2633be0e52cb38dca8e910

    SHA512

    87779243903c04226e76032c13269ab97a07652577396817e498b13ab2fb09450a223ae52c08f96aafab188c8c39711201b4ef80ce5f66b5505ba2fa63d41a1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3EN55Ke.exe
    Filesize

    252KB

    MD5

    a7908efdecfe884c4c2a753ad4e5ec64

    SHA1

    fb189c221b95d95bbcae4a8e15cc54ed0872f7a6

    SHA256

    45389dd795ef2f76f17896fea9cf5100dfd699d907c70de5ec8203843895aff8

    SHA512

    56ada87f4952ef939998a07ad56c99c9ae40db1cfb505ad4c423d3b78c0a48e5e7ff263991b7e0790d7bef7f16447e78689880636e919095895112cfd73fa243

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IV5Fa29.exe
    Filesize

    300KB

    MD5

    8fe52ca03eba6c9f7071e7b0130947db

    SHA1

    02367c857e0c0be66f3011204402d617d8ffd6bc

    SHA256

    9fd9e03a4ebaed2e4599e49018be3d31ebf24f80bfb5cc232a768b6ae0c9579e

    SHA512

    c6e9f27c3d5cf315dbeb4b12ea0d12c21ca372d1ae0efe5af5f9ebf10a9f16974565caaf22b986dc01b385c930102f9ffec2bf548d58ff25517bec72d77a0c97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qM97ry4.exe
    Filesize

    154KB

    MD5

    098478afedb77e3ad162dcb60ba1079e

    SHA1

    aae5fd48aaf7d271c23130197dcfdd8791307d6f

    SHA256

    9ec13c3b726ec3ca9cf66364b6db9f252c3eaaf124b53d032564aec8e9ee8541

    SHA512

    145ab134ea391792a91c746b865ac48f2cafc8cec71664b6ca7b8cfc28fe508a953a095bb26f6a69d2066b8489ce02c7b0e82eae6ae5adc0e6b03435de86b14f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu6349.exe
    Filesize

    180KB

    MD5

    53e28e07671d832a65fbfe3aa38b6678

    SHA1

    6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

    SHA256

    5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

    SHA512

    053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

    Download Submit

  • memory/836-63-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/836-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/836-45-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2216-50-0x0000000000B70000-0x0000000000BAE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2216-57-0x0000000007C80000-0x0000000007D8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2216-51-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2216-69-0x0000000007B60000-0x0000000007B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2216-52-0x0000000007DB0000-0x0000000008354000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2216-53-0x00000000078F0000-0x0000000007982000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2216-54-0x0000000007B60000-0x0000000007B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2216-55-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2216-56-0x0000000008980000-0x0000000008F98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2216-68-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2216-58-0x0000000007B10000-0x0000000007B22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2216-59-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2216-60-0x0000000007BF0000-0x0000000007C3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3560-61-0x0000000002F00000-0x0000000002F16000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4568-35-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4568-44-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4568-42-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

    Download