Overview
overview
10Static
static
31b7cbee30e...8d.exe
windows10-2004-x64
101cb2277eea...2a.exe
windows10-2004-x64
1026dae86d00...a2.exe
windows10-2004-x64
1035cd974b16...ec.exe
windows10-2004-x64
1045e7028a78...91.exe
windows10-2004-x64
104cd2f124df...48.exe
windows10-2004-x64
105fdef2b38d...0a.exe
windows10-2004-x64
107284e9e031...c7.exe
windows10-2004-x64
10781c022afd...54.exe
windows10-2004-x64
1084163f9b0d...a5.exe
windows10-2004-x64
1090251e43cd...e4.exe
windows10-2004-x64
109a3023ff33...37.exe
windows10-2004-x64
10b4b999d8f3...50.exe
windows7-x64
10b4b999d8f3...50.exe
windows10-2004-x64
10bdd93956fe...8b.exe
windows10-2004-x64
10cf840721c0...70.exe
windows10-2004-x64
10e52fb58b8a...f1.exe
windows10-2004-x64
10ecfbac56ff...9e.exe
windows10-2004-x64
10f0f492b9b0...9a.exe
windows10-2004-x64
10f921df4c23...0d.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:55
Static task
static1
Behavioral task
behavioral1
Sample
1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
26dae86d0011ac84e93abfd2169b28a6dee3498b8be9c3b84f657506d4e2a9a2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7284e9e031d95f98bb1c673f3691adb26e5acc31e6d2c745b85bc97fc82edec7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
9a3023ff334b34f4bea043eedeced95c41485b4799d3c2d56c0cb04b60143937.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe
Resource
win10v2004-20240508-en
General
-
Target
5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
-
Size
547KB
-
MD5
ff3fc3b57f2e1ef457d7ce7e7c273716
-
SHA1
54b6241c92f97be696ae599391a2ce0dfe9e7e44
-
SHA256
5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a
-
SHA512
e198c3d34f25cc5f2c24286b4e5a5de944322f3fdd4746c364ddcde0835129e7cdbda89d8166f2ce2590744aa35e5deaef0528107031387ba6d2edda2b0a5c63
-
SSDEEP
12288:JMrgy905aKrXt7d3Hl/HtIlrQItcqbfA:xyNKzddXl/6rVCwA
Malware Config
Extracted
redline
luate
77.91.124.55:19071
-
auth_value
e45cd419aba6c9d372088ffe5629308b
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral7/memory/64-14-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/64-18-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/64-16-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/64-15-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral7/files/0x0007000000023424-20.dat family_redline behavioral7/memory/1688-22-0x0000000000390000-0x00000000003C0000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 2436 x5392284.exe 4908 g4953753.exe 1688 h2394542.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5392284.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4908 set thread context of 64 4908 g4953753.exe 87 -
Program crash 2 IoCs
pid pid_target Process procid_target 2032 64 WerFault.exe 87 1068 4908 WerFault.exe 83 -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4016 wrote to memory of 2436 4016 5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe 82 PID 4016 wrote to memory of 2436 4016 5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe 82 PID 4016 wrote to memory of 2436 4016 5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe 82 PID 2436 wrote to memory of 4908 2436 x5392284.exe 83 PID 2436 wrote to memory of 4908 2436 x5392284.exe 83 PID 2436 wrote to memory of 4908 2436 x5392284.exe 83 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 4908 wrote to memory of 64 4908 g4953753.exe 87 PID 2436 wrote to memory of 1688 2436 x5392284.exe 94 PID 2436 wrote to memory of 1688 2436 x5392284.exe 94 PID 2436 wrote to memory of 1688 2436 x5392284.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe"C:\Users\Admin\AppData\Local\Temp\5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5392284.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5392284.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4953753.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4953753.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:64
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 5405⤵
- Program crash
PID:2032
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1404⤵
- Program crash
PID:1068
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2394542.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2394542.exe3⤵
- Executes dropped EXE
PID:1688
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 64 -ip 641⤵PID:4684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4908 -ip 49081⤵PID:4168
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5d9a69262f6e89052240d96531cce6e40
SHA1676bfa0847f1df213d77730526b0b2da0bfe52c6
SHA25626bd29130b9fe73fae25b9c746fe0e340c54806f98362f004aab36cf2dde5cfb
SHA512ec302a26541857fd32be602be4b461e673fd51ed3e27806c995ad57f9b1266ae11edb40d5f3570803ee2c1bad94364b3a2d4fc4220b480dbc7a199e0672a91d9
-
Filesize
346KB
MD5bb7e58fc7793b5aaa83dd824e2310bae
SHA151da0f82095eed6e4a57bb01f410cfaed927ea87
SHA25614046248663fec768b4be6b4cc31e292413c61ce562a15790a9bc07d52572468
SHA5127cfcf8a455a4e5801dae484c73625351c4e6fbf3a9e5ee46bbc8d42548c01305b3977cdd10f1647edc418ceda39a160329edc89e9a8193314b7826f93c7f8c20
-
Filesize
174KB
MD5b5651381dd0d132d2d75b4b126622d1c
SHA1b6eac550e778a7a5d325a48278784acbdab6cd0c
SHA2566f59b8113505dd48834c657a57667217e69f89baffca98e92444488bbdfdc822
SHA5120564b525d4b39110f6803a2ecfe22d580205cca067df2fb13bf04cf70666d5d13af9efe660710d1bfd1a7053d34a01c6cc18938b894a8a973f65f33e5fa13dbf