Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 09:54
General
-
Target
80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe
-
Size
1.3MB
-
MD5
95d542493374dbe6e7e9169abb4d8b9d
-
SHA1
81e518810940fc2b2992369fd314a1ef254e7e7d
-
SHA256
80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66
-
SHA512
6f4699024fbd3d76686e06f62f1d43153eec1b6be02bec68f111405e21842c81306ad3811cc574eeeb3424d052d856548590ce574b8f92669a788556d5c8aa43
-
SSDEEP
24576:VyINMxLEUjKKpiwMUvPtGcrSwppr/hzYqHmBv/Qz7GZ:wWMt1OU9JSwzr/hVcv/QzK
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe"C:\Users\Admin\AppData\Local\Temp\80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yK7oK2ff.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yK7oK2ff.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bO9TG9et.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bO9TG9et.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW1RC2Fh.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW1RC2Fh.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RH44HL9.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RH44HL9.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cp310tl.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cp310tl.exe5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yK7oK2ff.exeFilesize
1.2MB
MD521789b19a460866f536cd202e1c77bc2
SHA1fe3e5bf0345b18a1e3b1fd37702a510a369aa0bd
SHA25696f784e85fdd679cb2c0c0cc4ddd691bed1bfd704312f19a8bdcf9e5c8315ece
SHA512a7cf3f474255183e94189c7a628bf95f02cd18f05c715980cf23abbee54d114e98b94cd0aa83d5dc15930d21a173b7fbaeef0ce2d47cfddebad0f48a9e7e2475
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bO9TG9et.exeFilesize
761KB
MD564d90f8eaf6520a606f2c197b8de4cab
SHA15e1f96b503749bb737155019a9af47d71f8128b4
SHA2564a2bd0797f73642fac28ccb9f24ad4b0970c9f6ee7815a0bb12e9053c1aa9b40
SHA512fbc153c37bacd55c501ed2b4c20cba48ae23ee31ded05725744a0d3cba747a4a445c0b78915366b9204686bd43f1892c1d0b259f8c5aa6f8e3089332ab38e196
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oW1RC2Fh.exeFilesize
565KB
MD5268554b71790ad3b72cca954f6ecca22
SHA13f617cb3f35ab73aa8f8ee9d6a74e630f116fce3
SHA25686b91bcd603189e5967a97ed9324afed8375806d6d40228384aefc0d48f9871f
SHA51222750f43bf85e65a13b73b2df62e59d9bfe8f1816d70729103c8a56899aa0066365d091d71052f548d06e8df516aedfe3c260e81468537b503197ab59696f77e
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RH44HL9.exeFilesize
1.1MB
MD54b12348af059cb76c2d813aff0dd19b0
SHA1e302a4a3227ec7e0ac4d96e526a89d89f4c5b588
SHA25655434062bf1f7b01088e7e3ae284e74240a5a08c856ac246983b0c973541ce0e
SHA512036aad4af4d74de4ffcdeb061bfe893dda6a0f3c3a2e5d9916cfb5bba4da14f3d7d6aed68efef7d12fcf4d68a4d341572c509c1ea78ac121faf986862c4338e7
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cp310tl.exeFilesize
221KB
MD50bee44f316c91d61109facb01662b98b
SHA1ca1abf1e3c3ce09f8cb7b36a8197fd03977ad797
SHA256c87ee7696ebd5d875e8b25b0ecee0f9850f0b873a5f2199fff76fd1e02c5ee88
SHA5128b01b744824ab307b9ddb11fbfddf4046b501b5ff77cf12f3b290333b8c208004e5ea6f15cd9a4b3344ebf097df78d00c3239fa4df32e3ffa45ecef7995e58cd
-
memory/4648-28-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4648-31-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4648-29-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5012-35-0x0000000000690000-0x00000000006CE000-memory.dmpFilesize
248KB
-
memory/5012-36-0x0000000007960000-0x0000000007F04000-memory.dmpFilesize
5.6MB
-
memory/5012-37-0x0000000007490000-0x0000000007522000-memory.dmpFilesize
584KB
-
memory/5012-38-0x00000000028F0000-0x00000000028FA000-memory.dmpFilesize
40KB
-
memory/5012-39-0x0000000008530000-0x0000000008B48000-memory.dmpFilesize
6.1MB
-
memory/5012-40-0x0000000007820000-0x000000000792A000-memory.dmpFilesize
1.0MB
-
memory/5012-41-0x0000000007640000-0x0000000007652000-memory.dmpFilesize
72KB
-
memory/5012-42-0x00000000076A0000-0x00000000076DC000-memory.dmpFilesize
240KB
-
memory/5012-43-0x0000000007710000-0x000000000775C000-memory.dmpFilesize
304KB