Overview
overview
10Static
static
30d301494f1...b9.exe
windows10-2004-x64
1017123cde24...76.exe
windows10-2004-x64
103513e5a1be...0b.exe
windows10-2004-x64
103548eb3ee0...c3.exe
windows10-2004-x64
1037bb007e1a...b5.exe
windows10-2004-x64
103b8019115c...d8.exe
windows10-2004-x64
103ba16fdd2a...8a.exe
windows10-2004-x64
103c47d4d72a...e8.exe
windows10-2004-x64
105598d9028e...fd.exe
windows7-x64
105598d9028e...fd.exe
windows10-2004-x64
105d95f47641...f4.exe
windows10-2004-x64
1061d857a524...a5.exe
windows10-2004-x64
1064f004d4a2...36.exe
windows10-2004-x64
107787b07a17...49.exe
windows10-2004-x64
107cc3996906...7e.exe
windows10-2004-x64
10825d0619a8...ce.exe
windows10-2004-x64
109e6f3fd3f7...c2.exe
windows10-2004-x64
10a49c96afc3...92.exe
windows10-2004-x64
10e2945d600c...9e.exe
windows10-2004-x64
10eb8cedd00b...3b.exe
windows10-2004-x64
10f9bdee7f3d...5b.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
Resource
win10v2004-20240426-en
General
-
Target
3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
-
Size
632KB
-
MD5
8ea60cfcbddf1b7448d201f4556c7a20
-
SHA1
d1ecb779d9b7a916c627c143646b17f8332ae03b
-
SHA256
3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b
-
SHA512
589bbb1c61d27b82897d7b20246b7dc436b349e849157cd49b4dfc3aecf4917c04ae2a5bb5346c03532585b02e332a840f42f675002ee2fbf27df50dcbfe8cbc
-
SSDEEP
12288:NMr0y90D2sd8jFNudzpwt4gelVvENE1CL3hErv1AP9:ZyycqZimXKE1CNEL1AP9
Malware Config
Extracted
redline
jokes
77.91.124.82:19071
-
auth_value
fb7b36b70ae30fb2b72f789037350cdb
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral3/files/0x000800000002343e-19.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral3/files/0x000700000002343f-22.dat family_redline behavioral3/memory/2940-24-0x0000000000CE0000-0x0000000000D10000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1260 y3648686.exe 1304 y5762863.exe 4392 m4701334.exe 2940 n4349609.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y3648686.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y5762863.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3724 wrote to memory of 1260 3724 3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe 83 PID 3724 wrote to memory of 1260 3724 3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe 83 PID 3724 wrote to memory of 1260 3724 3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe 83 PID 1260 wrote to memory of 1304 1260 y3648686.exe 84 PID 1260 wrote to memory of 1304 1260 y3648686.exe 84 PID 1260 wrote to memory of 1304 1260 y3648686.exe 84 PID 1304 wrote to memory of 4392 1304 y5762863.exe 85 PID 1304 wrote to memory of 4392 1304 y5762863.exe 85 PID 1304 wrote to memory of 4392 1304 y5762863.exe 85 PID 1304 wrote to memory of 2940 1304 y5762863.exe 86 PID 1304 wrote to memory of 2940 1304 y5762863.exe 86 PID 1304 wrote to memory of 2940 1304 y5762863.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe"C:\Users\Admin\AppData\Local\Temp\3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe4⤵
- Executes dropped EXE
PID:4392
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe4⤵
- Executes dropped EXE
PID:2940
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
530KB
MD5ec64dae8c6ab85285cba66c2bd4f7678
SHA1879deab6ab8a625588826befc5d2d24af7900a79
SHA256b8646e9fed15d5e156655e490d81d2c43cea2d3222278cd00cfe244f606daa8d
SHA5120bcf38962fbd7d0bed6b7281ec5b18bd671b71df7b975e248762f550ede6d02dfd116af9ca1eada4c5345469c5d991ff9c990321b118a9cd2dfc9b6a97ee4af6
-
Filesize
272KB
MD56999331ecf0313d532d0a1ef67b5f909
SHA15d1127ce376182a7e061ad6e7874c40f0721fbde
SHA256aca16bd1637b2077311aa031d85f29c8061c70d0b20407af58a0c9ba62d11439
SHA512b58cd50abb54fff6ae8ca249f11cbcbb909ed1b791ee771800aa00ff6d6851b9a92aa8703f493916b470a71f1c43e6febbda5e56ce33c47fafc1e88b4cd605e2
-
Filesize
140KB
MD5e9b49847444f0aad6df34e532a1184bb
SHA1f4a5b8d8f97f1afee0f1d3e8b3a1b283a0cb0fab
SHA2568a8f7acfb1a98c296a4cbbc00ff7ff5f88664c69a8b7231975f37deb63bfbe10
SHA51293bc35576b7965b5a9e60fd263246493c218e85155ff7ef227947eb204aa58938153e5cc224642d08176a1de1b73155a9d2e95607a8c1e6225a3b9079b6257c0
-
Filesize
174KB
MD5d1272d9e16b2f4ffee6a2778db1fb5d4
SHA1e261c467fba1c3191d49736e19047a793ca35c83
SHA256489e55f13774c3192cc2ccc4069c8518af806647749b8306e16cbad8f4ca04bd
SHA51275a61ce843f70dd6d1b5e211f4ea4ae5fceaeba6ee74d658a2c0f8cde8ecc1c2b600462611ed0bd8589436673148f1f6d9d48939c17a7fc726e7f6c4c2306126