Analysis

  • max time kernel
    133s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2024, 19:04 UTC

General

  • Target

    64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe

  • Size

    563KB

  • MD5

    b1cad70cea703c95c6bf90d74c4bfd89

  • SHA1

    1a08e9ad7c417a5011915ccda1a1ec130cd7d3ac

  • SHA256

    64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1

  • SHA512

    4f7c7367da4b3009f5f1691832f88de0a7df9103ba16ff43c92fb3d0eec813005a6f6f31e0b3853b2ce07e2d5c9d0be331f1e60bed9bf8f3b3ebcbcab9a4b2de

  • SSDEEP

    12288:KMrxy90uoiqvTegFhHXzNOI+74h82WRiHJ1CVVVV:nyKEgXHDNn+487Ry4VV

Malware Config

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
    "C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1456
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 540
              5⤵
              • Program crash
              PID:752
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 568
            4⤵
            • Program crash
            PID:3688
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
          3⤵
          • Executes dropped EXE
          PID:3140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4504 -ip 4504
      1⤵
        PID:3860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1456 -ip 1456
        1⤵
          PID:828
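
The tree above reads as an IExpress self-extracting stager (IXP000.TMP and IXP001.TMP are the directories IExpress packages unpack into) whose second stage, g1240082.exe, starts the .NET host AppLaunch.exe with no arguments; together with the WriteProcessMemory and SetThreadContext signatures and the 160KB image dumped from PID 1456 at 0x400000 this is consistent with process hollowing, and both processes then crash into WerFault. The following is an added example, not part of the report and not tooling from the sandbox vendor: a Python hunt over hand-constructed Sysmon-style ProcessCreate records (the field names pid/ppid/image/cmd, the parent PIDs 4000 and 6000, and the benign control rows are assumptions) that flags execution from an IXP00n.TMP directory, nested stages, and an argument-less AppLaunch.exe whose parent runs from the user's Temp directory, corroborated by a WerFault -p for that PID.

```python
import re

# Hand-constructed Sysmon Event ID 1 (ProcessCreate)-style records that reproduce the
# process tree in this report. They are written for the example, not exported from the sandbox.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


def _ev(pid, ppid, image, args=""):
    """One process-creation record; cmd is the image followed by its arguments, if any."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": (image + " " + args).strip()}


EVENTS = [
    _ev(5096, 4000, TEMP + "\\" + SAMPLE),                 # ppid 4000 is assumed
    _ev(1440, 5096, TEMP + r"\IXP000.TMP\x5112215.exe"),   # first IExpress stage
    _ev(4504, 1440, TEMP + r"\IXP001.TMP\g1240082.exe"),   # second IExpress stage
    _ev(1456, 4504, APPLAUNCH),                            # hollowing host, no arguments
    _ev(752, 1456, WERFAULT, "-u -p 1456 -s 540"),
    _ev(3688, 4504, WERFAULT, "-u -p 4504 -s 568"),
    _ev(3140, 1440, TEMP + r"\IXP001.TMP\h7567252.exe"),   # RedLine stage
    # Constructed benign control (assumed): AppLaunch.exe started with arguments
    # by a program under Program Files rather than from a Temp directory.
    _ev(6100, 6000, r"C:\Program Files\Vendor\setup.exe", "/quiet"),
    _ev(6101, 6100, APPLAUNCH, "/argument"),
]

IEXPRESS_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
APPLAUNCH_RE = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\AppLaunch\.exe$", re.IGNORECASE)
WERFAULT_TARGET = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def _no_args(ev):
    """True when the command line is nothing but the image path (optionally quoted)."""
    return ev["cmd"].strip().strip('"').lower() == ev["image"].lower()


def hunt(events):
    """Return findings as dicts {rule, pid, detail} for the IExpress stager / hollowing chain."""
    by_pid = {e["pid"]: e for e in events}
    # PIDs that WerFault was asked to report on (-p <pid>): crashed processes.
    crashed = set()
    for e in events:
        m = WERFAULT_TARGET.search(e["cmd"])
        if m:
            crashed.add(int(m.group(1)))

    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Any executable running out of an IExpress extraction directory; a parent that is
        # itself in such a directory means a nested package (IXP000 -> IXP001).
        if IEXPRESS_DIR.search(e["image"]):
            nested = parent is not None and IEXPRESS_DIR.search(parent["image"]) is not None
            findings.append({"rule": "nested_iexpress_stage" if nested else "iexpress_stage_exec",
                             "pid": e["pid"], "detail": e["image"]})
        # AppLaunch.exe with no arguments, spawned by something in the user's Temp directory:
        # a legitimate launch carries arguments, an injection host usually does not.
        if (APPLAUNCH_RE.search(e["image"]) and _no_args(e)
                and parent is not None and USER_TEMP.search(parent["image"])):
            findings.append({"rule": "applaunch_hollow_host", "pid": e["pid"], "detail": parent["image"]})
            if e["pid"] in crashed:
                findings.append({"rule": "hollow_host_crashed", "pid": e["pid"],
                                 "detail": "WerFault invoked with -p for this PID"})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['rule']:<24} pid={f['pid']:<5} {f['detail']}")
```

Run against the constructed records the hunt reports PIDs 1440, 4504 and 3140 for the IExpress stages and PID 1456 twice (hollow host, then crash); the control launch of AppLaunch.exe with arguments from Program Files is not flagged.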

Network

DNS (reverse PTR lookups, all sent to 8.8.8.8:53)

  Query                          Answer                 Sent   Received   Pkts (out/in)
  8.8.8.8.in-addr.arpa           dns.google             66 B   90 B       1/1
  97.17.167.52.in-addr.arpa      (no PTR in response)   71 B   145 B      1/1
  240.221.184.93.in-addr.arpa    (no PTR in response)   73 B   144 B      1/1
  4.159.190.20.in-addr.arpa      (no PTR in response)   71 B   157 B      1/1
  95.221.229.192.in-addr.arpa    (no PTR in response)   73 B   144 B      1/1
  149.220.183.52.in-addr.arpa    (no PTR in response)   73 B   147 B      1/1
  50.23.12.20.in-addr.arpa       (no PTR in response)   70 B   156 B      1/1
  171.39.242.20.in-addr.arpa     (no PTR in response)   72 B   158 B      1/1
  14.227.111.52.in-addr.arpa     (no PTR in response)   72 B   158 B      1/1

Connections

  Destination           Process         Bytes   Packets
  77.91.124.82:19071    h7567252.exe    260 B   5
  77.91.124.82:19071    h7567252.exe    260 B   5
  77.91.124.82:19071    h7567252.exe    260 B   5
  77.91.124.82:19071    h7567252.exe    260 B   5
  77.91.124.82:19071    h7567252.exe    260 B   5
  77.91.124.82:19071    h7567252.exe    260 B   5

  Six separate, identical connections from the RedLine stage to the C2 listed in the extracted config.
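
The six identical 260 B connections from h7567252.exe to 77.91.124.82:19071 match the C2 in the extracted RedLine config. As an added example (not part of the report and not the sandbox vendor's code), the Python below runs two checks over hand-constructed flow records modelled on that table: an exact IOC match on ip:port, and an IOC-independent check for one process repeating small, same-sized connections to a single endpoint, which is what a retried handshake to a C2 that does not complete the exchange looks like in flow data. It also renders the known endpoint as a Suricata rule. The benign browser rows, the svchost.exe attribution of the DNS flow, the flow field names and the sid value are assumptions.

```python
from collections import defaultdict

# C2 endpoint from the extracted RedLine config above (botnet "kendo").
KNOWN_C2 = {("77.91.124.82", 19071)}

# Constructed flow records modelled on the Network section: one record per connection with
# process, destination, port, bytes and packets. Hand-written for this example, not from the pcap.
FLOWS = [{"process": "h7567252.exe", "dst": "77.91.124.82", "port": 19071, "bytes": 260, "packets": 5}
         for _ in range(6)]
FLOWS += [
    {"process": "svchost.exe", "dst": "8.8.8.8", "port": 53, "bytes": 66, "packets": 1},  # attribution assumed
    # Constructed benign traffic: a browser sending varying payload sizes to one endpoint.
    {"process": "browser.exe", "dst": "203.0.113.10", "port": 443, "bytes": 1843, "packets": 12},
    {"process": "browser.exe", "dst": "203.0.113.10", "port": 443, "bytes": 5120, "packets": 30},
    {"process": "browser.exe", "dst": "203.0.113.10", "port": 443, "bytes": 902, "packets": 7},
]


def match_known_c2(flows, iocs=KNOWN_C2):
    """Exact indicator match on destination ip:port."""
    return [f for f in flows if (f["dst"], f["port"]) in iocs]


def repeated_fixed_size(flows, min_count=3, max_bytes=1024):
    """Behavioural check that needs no indicator: the same process opening at least
    min_count connections to one ip:port, each carrying the identical small byte count.
    Real sessions vary in size; a client re-sending the same handshake does not."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["process"], f["dst"], f["port"])].append(f["bytes"])
    hits = []
    for (proc, dst, port), sizes in groups.items():
        if len(sizes) >= min_count and len(set(sizes)) == 1 and sizes[0] <= max_bytes:
            hits.append({"process": proc, "dst": dst, "port": port,
                         "count": len(sizes), "bytes": sizes[0]})
    return hits


def suricata_rule(ip, port, sid, family="RedLine", botnet="kendo"):
    """Render a Suricata alert for outbound traffic to a known C2 ip:port (sid is assumed)."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 {botnet} {ip}:{port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print(f"known C2 matches: {len(match_known_c2(FLOWS))}")
    for h in repeated_fixed_size(FLOWS):
        print(f"repeated fixed-size: {h['process']} -> {h['dst']}:{h['port']} "
              f"x{h['count']} @ {h['bytes']} B")
    print(suricata_rule("77.91.124.82", 19071, 1000001))
```

The behavioural check is the one worth keeping once the IP is rotated: it keys on the process, the endpoint and the constant payload size rather than on 77.91.124.82, so tune min_count and max_bytes against your own flow baseline before deploying it.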

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe

          Filesize

          397KB

          MD5

          b2df6c5958efbdbc123148c627bb41d3

          SHA1

          fee833e9d20ba95a4fcad101b661315c65c0a4da

          SHA256

          101390dd16f1eac4157fdecbec16f38454803a89cf0599bfeef301bc6f0ca7a9

          SHA512

          a584aeae7d51d998e6a3f4803863b1aa7c867b5a6db90a64318ab8ceb5db54233b165394e324f52e0a0296ef35cb216a72a82be632f41c9963d698d3b3a0fec9

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe

          Filesize

          379KB

          MD5

          d5cf94dd77a8375c5145e566609bb0c9

          SHA1

          ae8dba7cb8ebf33368aab97ec5f150831fd40823

          SHA256

          b36053dda1b1c85bde6a04a395a6e5b08d76298beaa32183eaed4b9d26787ba1

          SHA512

          1dffe0772e113fb38515755d4f3fb5938e24698bc26efccc38547e8f08c4673b7e7dd2c26f4af628c7c1745d41f59d26a0f269062638b9ec1ec60a5daf2dec00

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe

          Filesize

          174KB

          MD5

          8e1c9385ea1a727897547ab26f729562

          SHA1

          52e8c50fded14c4b40a303af8b2e730d8ea40879

          SHA256

          2abb2c0b109b138ffbdd22abdb8921dca6790eabf870405bd491c4194d34ec07

          SHA512

          b5f60aab2c3f7ed632adebf5f71a77b3606df9da283219b965151d99e9173d4e2d02eb8d0ea514f13ff7c9f5e44ecb6325d8f7b24ee7b0c67dc707dd19a8778f

        • memory/1456-15-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1456-18-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1456-16-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1456-14-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/3140-22-0x0000000000720000-0x0000000000750000-memory.dmp

          Filesize

          192KB

        • memory/3140-23-0x0000000002A90000-0x0000000002A96000-memory.dmp

          Filesize

          24KB

        • memory/3140-24-0x000000000AC30000-0x000000000B248000-memory.dmp

          Filesize

          6.1MB

        • memory/3140-25-0x000000000A720000-0x000000000A82A000-memory.dmp

          Filesize

          1.0MB

        • memory/3140-26-0x000000000A610000-0x000000000A622000-memory.dmp

          Filesize

          72KB

        • memory/3140-27-0x000000000A670000-0x000000000A6AC000-memory.dmp

          Filesize

          240KB

        • memory/3140-28-0x0000000004BE0000-0x0000000004C2C000-memory.dmp

          Filesize

          304KB
