Overview

overview

10

Static

static

3

1b7cbee30e...8d.exe

windows10-2004-x64

10

1cb2277eea...2a.exe

windows10-2004-x64

10

26dae86d00...a2.exe

windows10-2004-x64

10

35cd974b16...ec.exe

windows10-2004-x64

10

45e7028a78...91.exe

windows10-2004-x64

10

4cd2f124df...48.exe

windows10-2004-x64

10

5fdef2b38d...0a.exe

windows10-2004-x64

10

7284e9e031...c7.exe

windows10-2004-x64

10

781c022afd...54.exe

windows10-2004-x64

10

84163f9b0d...a5.exe

windows10-2004-x64

10

90251e43cd...e4.exe

windows10-2004-x64

10

9a3023ff33...37.exe

windows10-2004-x64

10

b4b999d8f3...50.exe

windows7-x64

10

b4b999d8f3...50.exe

windows10-2004-x64

10

bdd93956fe...8b.exe

windows10-2004-x64

10

cf840721c0...70.exe

windows10-2004-x64

10

e52fb58b8a...f1.exe

windows10-2004-x64

10

ecfbac56ff...9e.exe

windows10-2004-x64

10

f0f492b9b0...9a.exe

windows10-2004-x64

10

f921df4c23...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe

  • Size

    571KB

  • MD5

    9333ac50afdfd0f4841ce14109290cb0

  • SHA1

    4b87ae7a51fd402f57eec512302336848dda5efc

  • SHA256

    f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d

  • SHA512

    8a1ac62aaf5531a95a1cbb2496b60b86c50e7b406483db0fcfe35ea910c2a5a726de4374507d8aee76eb07d67bd8b6d188d56c866c2657b9c4d71835b2e99c03

  • SSDEEP

    12288:3MrPy90PkK06Ds5RF6ImOxhgnLHNKLvFtzNyd:UyKp06Ds5RiOb3HzId

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe
    "C:\Users\Admin\AppData\Local\Temp\f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1hU59RW6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1hU59RW6.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1168
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 540
            4⤵
            • Program crash
            PID:2420
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Oz172KQ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Oz172KQ.exe
        2⤵
        • Executes dropped EXE
        PID:1636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168
      1⤵
        PID:2320

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1hU59RW6.exe
        Filesize

        1.1MB

        MD5

        0c332b116b3b9c3e373137d227f9274b

        SHA1

        bd1d8bdb2d66ae6f322515a322a012311a8932c7

        SHA256

        8df8445ea37afc6e4bb34bb9a3ddc0445cc6621f8a353829f63a9864411202c8

        SHA512

        925e9e0e38f80f3279f7e4cd411c3d9835df8964868b6ac40348cfadbfc64239054a81a1449b9985482cf847ca2f68d3743bd83323af7bd551ecf11b86a18abe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Oz172KQ.exe
        Filesize

        223KB

        MD5

        df52490a04237bd429a7a0949f030ffd

        SHA1

        d53f765cee7c2245f799b29a829abdc5a75b4a7c

        SHA256

        f17e56d3dda97d462609b3e69cbf0e40961e077862e9b820d802a2e6121de82f

        SHA512

        5fccb362059338ad0b4eeb20fe551d8e85463a6e6e136612cb37b44a983a546e0cb4febb2b0ba105795624edd2fdcaee46ba41238d2bd3fa81bfcaf3ce5ca94a

        Download Submit

      • memory/1168-7-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1168-12-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1168-9-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1168-11-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1636-17-0x00000000079B0000-0x0000000007F54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1636-16-0x0000000000640000-0x000000000067E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1636-15-0x00000000742EE000-0x00000000742EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1636-18-0x0000000007400000-0x0000000007492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1636-19-0x0000000000E30000-0x0000000000E3A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1636-20-0x00000000742E0000-0x0000000074A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1636-21-0x0000000008580000-0x0000000008B98000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1636-22-0x00000000077B0000-0x00000000078BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1636-23-0x0000000007600000-0x0000000007612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1636-24-0x00000000076A0000-0x00000000076DC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1636-25-0x0000000007620000-0x000000000766C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1636-26-0x00000000742EE000-0x00000000742EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1636-27-0x00000000742E0000-0x0000000074A90000-memory.dmp

        Filesize

        7.7MB

        Download