Overview

overview

10

Static

static

3

0848e1e7e1...63.exe

windows10-2004-x64

10

1106a57fdf...a5.exe

windows10-2004-x64

10

185a521367...e2.exe

windows10-2004-x64

10

1a2ed241f7...81.exe

windows10-2004-x64

10

3933af1a19...66.exe

windows10-2004-x64

10

4046412564...e5.exe

windows10-2004-x64

10

48b2c44ad3...cf.exe

windows10-2004-x64

10

6fdb50a007...59.exe

windows10-2004-x64

10

708b7d578b...65.exe

windows10-2004-x64

10

73dc042440...3f.exe

windows10-2004-x64

10

9a45e9c206...55.exe

windows10-2004-x64

10

9a8f8e9a46...09.exe

windows10-2004-x64

10

9ab135934b...fe.exe

windows10-2004-x64

10

ab010a807d...38.exe

windows10-2004-x64

10

b85fd724a0...c4.exe

windows10-2004-x64

10

d940f9b9c6...49.exe

windows10-2004-x64

10

dc87cba915...e1.exe

windows10-2004-x64

10

e7bd826b7a...05.exe

windows10-2004-x64

10

ffbf9f9530...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe

  • Size

    763KB

  • MD5

    c87f8ff64e9000e767665d356dbcb9ef

  • SHA1

    6da2c45e0fc331217c7c4e0c0cbe2aef2021b8bb

  • SHA256

    185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2

  • SHA512

    17fa5456f8eb8f27b3df49b292110ee5d39cf7f35ec35ee6c2e7ac2cfe37aea42239e369bb4d80ed54abdc4f4f7ab0f46ffc4e65392d1b8013697490b1978c4f

  • SSDEEP

    12288:bMrqy90RuT/1uY7zF2LN18cH8iysFAlFJMiu68twFZ1Pfir:hynT/1D2LN1UsFKMikcfir

Score
10/10
mysticredlinekinzainfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe
    "C:\Users\Admin\AppData\Local\Temp\185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oa9qu3wg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oa9qu3wg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gc11fK7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gc11fK7.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2424
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 540
              5⤵
              • Program crash
              PID:4664
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 568
            4⤵
            • Program crash
            PID:544
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Nk608iY.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Nk608iY.exe
          3⤵
          • Executes dropped EXE
          PID:4948
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2424 -ip 2424
      1⤵
        PID:3236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1168 -ip 1168
        1⤵
          PID:364

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oa9qu3wg.exe
          Filesize

          566KB

          MD5

          c0e15fd2b70a0d31a61baae21ca98da3

          SHA1

          bdc0eda01d18a2b1f4fe1a3eec8e977ad8631071

          SHA256

          3bb0dd5361f8412ee0071c580efe8a1ddf4d8b833b3a53e728619739e7314308

          SHA512

          69aa787c8c80e84fac0162add14127deb13b01525e78b8e322759da367ab8d9cbf3b45782dadf6cdca1c1e16f23dd579bfdcf1d970dd784c69f420240d62b38a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gc11fK7.exe
          Filesize

          1.1MB

          MD5

          b8f6f08b3c1df72c710b63f85bd7acfa

          SHA1

          aee1b2968230077009e79b2ec21f263753a7eeee

          SHA256

          bc42ba2462570f6c07f55ed6f3171dd17a6e42422e82c6e1b9a91e9022726c64

          SHA512

          36eb888915b98465131509f9d412da494cdd0c4ffc88b08e8424b84701a479871c0ae8558ffc7a6c10983115742405afff248c0dc83e184703333630abe39714

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Nk608iY.exe
          Filesize

          222KB

          MD5

          5d8e6f8083e1371cda6e3bbbe0124372

          SHA1

          2b2caa7c815b8def29ccd3789bf7ad97ac881773

          SHA256

          78d4e97e89563e8d2bd570097fe869b959bbe286db2d8cf4ba64ca97c7f40da3

          SHA512

          a47ab55c790e3a5ec69de45d796e08a13fbd8d73f5b4502b9db3f08d2ea4a823046fccbab212ea819ff077c0acbc8f2935e6135da018de38dc94916d61576a42

          Download Submit

        • memory/2424-14-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2424-15-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2424-18-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2424-16-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4948-23-0x0000000007E90000-0x0000000008434000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4948-22-0x00000000009D0000-0x0000000000A0E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4948-24-0x00000000078E0000-0x0000000007972000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4948-25-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4948-26-0x0000000008A60000-0x0000000009078000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4948-27-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4948-28-0x0000000007AD0000-0x0000000007AE2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4948-29-0x0000000007B30000-0x0000000007B6C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4948-30-0x0000000007B70000-0x0000000007BBC000-memory.dmp

          Filesize

          304KB

          Download