Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:47

General

  • Target

    17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe

  • Size

    604KB

  • MD5

    4a49f25c21c373471295f4badcee8cd5

  • SHA1

    dc1871d02c5f5af9ae2a0e24ff0c1cce6ef48b58

  • SHA256

    17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a

  • SHA512

    95261235a51c77f85d1751907cea517529a9bc6179af76ab2c494ff2f702cf265f8bee8fb60b74ab7bb8094432fa9572bed065078a133480ff3c93069347d69c

  • SSDEEP

    12288:hMray90lso2v9t6ehpXEtFyGjjCYfHGp1Pu5UJK6PYwqbPa3Vr:vySX2v9t6lyGmm5UE6PYPbSB

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
    "C:\Users\Admin\AppData\Local\Temp\17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe
          4⤵
          • Executes dropped EXE
          PID:3928
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe
          4⤵
          • Executes dropped EXE
          PID:4064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe

    Filesize

    502KB

    MD5

    25e3bca86360bf2bb73c7b70061a59c3

    SHA1

    1cd97c06a7ccbc2358b98d0bf3af621e908f7e6f

    SHA256

    647ada02fb7f8a8a7faba9d10d2f777fc67b996528ff6d71abf8a2ea0b834dae

    SHA512

    27d057942d932005dbfd0ff1a6858e498745213bc180826d72350bc7d0d81845f5620deff3451e821d4dd1646ad4bc5d0b339dd2500f82a30ee64e60ab200ddb

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe

    Filesize

    271KB

    MD5

    139bb4edad53da946c1a60ea71f03baf

    SHA1

    59849c83d51d256c2754887d285639bc8573a643

    SHA256

    05eaf997c36b1e89bff34628335e547b0a9aa8f25865630ee05eeb9bacc07c72

    SHA512

    22d9b28876fac7d48aaf5fd8e6bdc494acedf510a8bd740a3c85e5ae127148029bb358247c99186f30d4980af4d4f82ad131e74bc42ca38fd469c4a64879805f

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe

    Filesize

    140KB

    MD5

    c8f4393642b24557d6017f13187f9aae

    SHA1

    e0a1c6a30b6e231d058203ad23c3e0c354280a86

    SHA256

    b89c878c7ef7437c591d3879e7f3d78e9219551ad031f749efed6776df808061

    SHA512

    b42e05231ff54ca16b8d0c5cc88fa9884895d72f987ab8b150e76a6504c62b4c73c6cda84f2a2a78d1d5a529b4b1454a8b527988d227b4daa472af88585982f0

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe

    Filesize

    176KB

    MD5

    f47c0c4e7087bbf69b4cfca759c3d415

    SHA1

    c330561512ff8cb20054fca477262fa3484294af

    SHA256

    a53d48e6d0b462026a551feb3535a1a8c76fb0f8a6b482a384e59b1a470ed172

    SHA512

    29d033c7de833ea20f26ef701681f13ea41a12d00f65a91ed742f3ebb19467ab49fda47ee4c19e89a166566a12a8dab1f533f306271578d9dd5324104fc55176

  • memory/4064-24-0x0000000000830000-0x0000000000860000-memory.dmp

    Filesize

    192KB

  • memory/4064-25-0x0000000002B20000-0x0000000002B26000-memory.dmp

    Filesize

    24KB

  • memory/4064-26-0x000000000AC80000-0x000000000B298000-memory.dmp

    Filesize

    6.1MB

  • memory/4064-27-0x000000000A7E0000-0x000000000A8EA000-memory.dmp

    Filesize

    1.0MB

  • memory/4064-28-0x000000000A710000-0x000000000A722000-memory.dmp

    Filesize

    72KB

  • memory/4064-29-0x000000000A770000-0x000000000A7AC000-memory.dmp

    Filesize

    240KB

  • memory/4064-30-0x0000000004B70000-0x0000000004BBC000-memory.dmp

    Filesize

    304KB