Overview

overview

10

Static

static

3

06f1b755da...d3.exe

windows10-2004-x64

10

14b33a31c1...19.exe

windows10-2004-x64

10

16f3c19a7f...1a.exe

windows10-2004-x64

10

192ce44be6...d3.exe

windows10-2004-x64

10

208bd49be4...cf.exe

windows10-2004-x64

10

2ae8e0e720...19.exe

windows10-2004-x64

10

2b74e820a6...32.exe

windows10-2004-x64

10

396631ba37...a0.exe

windows10-2004-x64

10

777259b2de...25.exe

windows10-2004-x64

10

7f06170b1d...e6.exe

windows10-2004-x64

10

80f9db3963...66.exe

windows10-2004-x64

10

8d2837f05f...42.exe

windows10-2004-x64

10

9a7ee6b801...e4.exe

windows10-2004-x64

10

9c8e4ed081...a3.exe

windows10-2004-x64

10

a68c5e94f5...52.exe

windows10-2004-x64

10

aaed2c62a2...28.exe

windows10-2004-x64

10

e097574588...fe.exe

windows10-2004-x64

10

e256d9f4b9...eb.exe

windows10-2004-x64

10

f02caa1867...71.exe

windows10-2004-x64

10

f7447a8c0b...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe

  • Size

    762KB

  • MD5

    cce0e6653ee5fa0a395399fe8afaf08c

  • SHA1

    4a4de5189ff93859b4021df87baa7b2978be0dae

  • SHA256

    e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe

  • SHA512

    ff882db3fc989c2fc6bfa3e3cb93210564a1bf4ddf2a2e670e5b33566e49f7d12239097350014b2b0f746dab55324cff2daae792c00b1c2a37c18dc72d585855

  • SSDEEP

    12288:VMrXy90LmNlxfXHTA+RpYhaaKPDXuct1VfGdrAUKhzx4ot1Qj:uyGCt0LIaiPTRGqdtM

Score
10/10
mysticredlinekinzainfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe
    "C:\Users\Admin\AppData\Local\Temp\e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ox8Af2AB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ox8Af2AB.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cL48jR4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cL48jR4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 200
              5⤵
              • Program crash
              PID:2260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 596
            4⤵
            • Program crash
            PID:2832
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe
          3⤵
          • Executes dropped EXE
          PID:4928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3544 -ip 3544
      1⤵
        PID:4428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4776 -ip 4776
        1⤵
          PID:2620

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ox8Af2AB.exe
          Filesize

          566KB

          MD5

          c6954c790a31363fb2e1b2a1ba2b5f2c

          SHA1

          8fc3e9f8838edc2020814013bf44a11d8d6ff1c6

          SHA256

          d3115c4c7eb7a7aaf705926be5abda89c761e93f71f4ed154cc6889ca65b884c

          SHA512

          2191442213f88718e76c96977b7f8f84b0210c8967094e323d55adcbf94af2da1ab075506db5ec2ed8cc9695cf2ce25189acdafcf171daa5307d455673d9f571

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cL48jR4.exe
          Filesize

          1.1MB

          MD5

          e2974232c7104516fa1fafa6edca4644

          SHA1

          9ad3c94bbfec224d9882c147fdc8d68cef481c2f

          SHA256

          81de8a5f9c66e3b1e7f877f821bb39fdc279a4d0970457fb7cac57599a8b2b2a

          SHA512

          d4115a2d2f34c613c134189e791bb60996b5214a4563e9ce917cb62efb872a10139acf9c238b41437c0045ca4a1b1e135aaf86550f151129beba8c1dd31cb9cb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe
          Filesize

          222KB

          MD5

          b137c6fdf594e3f65c15f668b98acdda

          SHA1

          1b3bf6689169b3eb1747eeccba7ba1fcbf504be1

          SHA256

          0fad045a93ca614c6c896a28ced633790e017432700ed849ea5cf199a4244e71

          SHA512

          75db7024feb5e9ca29e426396c1910b90dde27a4646e59e8273f7c51ec1d84b5c0082a5079f66c7fcc7974d9d65089d15636372a0c6ed8166db41f552981ec9d

          Download Submit

        • memory/3544-18-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3544-16-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3544-15-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3544-14-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4928-23-0x0000000008150000-0x00000000086F4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4928-22-0x0000000000D70000-0x0000000000DAE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4928-24-0x0000000007C40000-0x0000000007CD2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4928-25-0x0000000003060000-0x000000000306A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4928-26-0x0000000008D20000-0x0000000009338000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4928-27-0x0000000007FB0000-0x00000000080BA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4928-28-0x0000000007E60000-0x0000000007E72000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4928-29-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4928-30-0x0000000007F00000-0x0000000007F4C000-memory.dmp

          Filesize

          304KB

          Download