Overview

overview

10

Static

static

3

06f1b755da...d3.exe

windows10-2004-x64

10

14b33a31c1...19.exe

windows10-2004-x64

10

16f3c19a7f...1a.exe

windows10-2004-x64

10

192ce44be6...d3.exe

windows10-2004-x64

10

208bd49be4...cf.exe

windows10-2004-x64

10

2ae8e0e720...19.exe

windows10-2004-x64

10

2b74e820a6...32.exe

windows10-2004-x64

10

396631ba37...a0.exe

windows10-2004-x64

10

777259b2de...25.exe

windows10-2004-x64

10

7f06170b1d...e6.exe

windows10-2004-x64

10

80f9db3963...66.exe

windows10-2004-x64

10

8d2837f05f...42.exe

windows10-2004-x64

10

9a7ee6b801...e4.exe

windows10-2004-x64

10

9c8e4ed081...a3.exe

windows10-2004-x64

10

a68c5e94f5...52.exe

windows10-2004-x64

10

aaed2c62a2...28.exe

windows10-2004-x64

10

e097574588...fe.exe

windows10-2004-x64

10

e256d9f4b9...eb.exe

windows10-2004-x64

10

f02caa1867...71.exe

windows10-2004-x64

10

f7447a8c0b...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe

  • Size

    1.3MB

  • MD5

    95d542493374dbe6e7e9169abb4d8b9d

  • SHA1

    81e518810940fc2b2992369fd314a1ef254e7e7d

  • SHA256

    80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66

  • SHA512

    6f4699024fbd3d76686e06f62f1d43153eec1b6be02bec68f111405e21842c81306ad3811cc574eeeb3424d052d856548590ce574b8f92669a788556d5c8aa43

  • SSDEEP

    24576:VyINMxLEUjKKpiwMUvPtGcrSwppr/hzYqHmBv/Qz7GZ:wWMt1OU9JSwzr/hVcv/QzK

Score
10/10
mysticredlinekinzainfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe
    "C:\Users\Admin\AppData\Local\Temp\80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yK7oK2ff.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yK7oK2ff.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bO9TG9et.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bO9TG9et.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4716
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW1RC2Fh.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW1RC2Fh.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RH44HL9.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RH44HL9.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
                PID:4648
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cp310tl.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cp310tl.exe
              5⤵
              • Executes dropped EXE
              PID:5012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yK7oK2ff.exe
      Filesize

      1.2MB

      MD5

      21789b19a460866f536cd202e1c77bc2

      SHA1

      fe3e5bf0345b18a1e3b1fd37702a510a369aa0bd

      SHA256

      96f784e85fdd679cb2c0c0cc4ddd691bed1bfd704312f19a8bdcf9e5c8315ece

      SHA512

      a7cf3f474255183e94189c7a628bf95f02cd18f05c715980cf23abbee54d114e98b94cd0aa83d5dc15930d21a173b7fbaeef0ce2d47cfddebad0f48a9e7e2475

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bO9TG9et.exe
      Filesize

      761KB

      MD5

      64d90f8eaf6520a606f2c197b8de4cab

      SHA1

      5e1f96b503749bb737155019a9af47d71f8128b4

      SHA256

      4a2bd0797f73642fac28ccb9f24ad4b0970c9f6ee7815a0bb12e9053c1aa9b40

      SHA512

      fbc153c37bacd55c501ed2b4c20cba48ae23ee31ded05725744a0d3cba747a4a445c0b78915366b9204686bd43f1892c1d0b259f8c5aa6f8e3089332ab38e196

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW1RC2Fh.exe
      Filesize

      565KB

      MD5

      268554b71790ad3b72cca954f6ecca22

      SHA1

      3f617cb3f35ab73aa8f8ee9d6a74e630f116fce3

      SHA256

      86b91bcd603189e5967a97ed9324afed8375806d6d40228384aefc0d48f9871f

      SHA512

      22750f43bf85e65a13b73b2df62e59d9bfe8f1816d70729103c8a56899aa0066365d091d71052f548d06e8df516aedfe3c260e81468537b503197ab59696f77e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RH44HL9.exe
      Filesize

      1.1MB

      MD5

      4b12348af059cb76c2d813aff0dd19b0

      SHA1

      e302a4a3227ec7e0ac4d96e526a89d89f4c5b588

      SHA256

      55434062bf1f7b01088e7e3ae284e74240a5a08c856ac246983b0c973541ce0e

      SHA512

      036aad4af4d74de4ffcdeb061bfe893dda6a0f3c3a2e5d9916cfb5bba4da14f3d7d6aed68efef7d12fcf4d68a4d341572c509c1ea78ac121faf986862c4338e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cp310tl.exe
      Filesize

      221KB

      MD5

      0bee44f316c91d61109facb01662b98b

      SHA1

      ca1abf1e3c3ce09f8cb7b36a8197fd03977ad797

      SHA256

      c87ee7696ebd5d875e8b25b0ecee0f9850f0b873a5f2199fff76fd1e02c5ee88

      SHA512

      8b01b744824ab307b9ddb11fbfddf4046b501b5ff77cf12f3b290333b8c208004e5ea6f15cd9a4b3344ebf097df78d00c3239fa4df32e3ffa45ecef7995e58cd

      Download Submit

    • memory/4648-28-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4648-31-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4648-29-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5012-35-0x0000000000690000-0x00000000006CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5012-36-0x0000000007960000-0x0000000007F04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5012-37-0x0000000007490000-0x0000000007522000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5012-38-0x00000000028F0000-0x00000000028FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5012-39-0x0000000008530000-0x0000000008B48000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5012-40-0x0000000007820000-0x000000000792A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5012-41-0x0000000007640000-0x0000000007652000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5012-42-0x00000000076A0000-0x00000000076DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5012-43-0x0000000007710000-0x000000000775C000-memory.dmp

      Filesize

      304KB

      Download