Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 11:07

General

  • Target

    3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe

  • Size

    632KB

  • MD5

    8ea60cfcbddf1b7448d201f4556c7a20

  • SHA1

    d1ecb779d9b7a916c627c143646b17f8332ae03b

  • SHA256

    3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b

  • SHA512

    589bbb1c61d27b82897d7b20246b7dc436b349e849157cd49b4dfc3aecf4917c04ae2a5bb5346c03532585b02e332a840f42f675002ee2fbf27df50dcbfe8cbc

  • SSDEEP

    12288:NMr0y90D2sd8jFNudzpwt4gelVvENE1CL3hErv1AP9:ZyycqZimXKE1CNEL1AP9

Malware Config

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
    "C:\Users\Admin\AppData\Local\Temp\3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe
          4⤵
          • Executes dropped EXE
          PID:4392
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe
          4⤵
          • Executes dropped EXE
          PID:2940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe

    Filesize

    530KB

    MD5

    ec64dae8c6ab85285cba66c2bd4f7678

    SHA1

    879deab6ab8a625588826befc5d2d24af7900a79

    SHA256

    b8646e9fed15d5e156655e490d81d2c43cea2d3222278cd00cfe244f606daa8d

    SHA512

    0bcf38962fbd7d0bed6b7281ec5b18bd671b71df7b975e248762f550ede6d02dfd116af9ca1eada4c5345469c5d991ff9c990321b118a9cd2dfc9b6a97ee4af6

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe

    Filesize

    272KB

    MD5

    6999331ecf0313d532d0a1ef67b5f909

    SHA1

    5d1127ce376182a7e061ad6e7874c40f0721fbde

    SHA256

    aca16bd1637b2077311aa031d85f29c8061c70d0b20407af58a0c9ba62d11439

    SHA512

    b58cd50abb54fff6ae8ca249f11cbcbb909ed1b791ee771800aa00ff6d6851b9a92aa8703f493916b470a71f1c43e6febbda5e56ce33c47fafc1e88b4cd605e2

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe

    Filesize

    140KB

    MD5

    e9b49847444f0aad6df34e532a1184bb

    SHA1

    f4a5b8d8f97f1afee0f1d3e8b3a1b283a0cb0fab

    SHA256

    8a8f7acfb1a98c296a4cbbc00ff7ff5f88664c69a8b7231975f37deb63bfbe10

    SHA512

    93bc35576b7965b5a9e60fd263246493c218e85155ff7ef227947eb204aa58938153e5cc224642d08176a1de1b73155a9d2e95607a8c1e6225a3b9079b6257c0

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe

    Filesize

    174KB

    MD5

    d1272d9e16b2f4ffee6a2778db1fb5d4

    SHA1

    e261c467fba1c3191d49736e19047a793ca35c83

    SHA256

    489e55f13774c3192cc2ccc4069c8518af806647749b8306e16cbad8f4ca04bd

    SHA512

    75a61ce843f70dd6d1b5e211f4ea4ae5fceaeba6ee74d658a2c0f8cde8ecc1c2b600462611ed0bd8589436673148f1f6d9d48939c17a7fc726e7f6c4c2306126

  • memory/2940-24-0x0000000000CE0000-0x0000000000D10000-memory.dmp

    Filesize

    192KB

  • memory/2940-25-0x00000000054C0000-0x00000000054C6000-memory.dmp

    Filesize

    24KB

  • memory/2940-26-0x0000000005C30000-0x0000000006248000-memory.dmp

    Filesize

    6.1MB

  • memory/2940-27-0x0000000005730000-0x000000000583A000-memory.dmp

    Filesize

    1.0MB

  • memory/2940-28-0x0000000005670000-0x0000000005682000-memory.dmp

    Filesize

    72KB

  • memory/2940-29-0x00000000056D0000-0x000000000570C000-memory.dmp

    Filesize

    240KB

  • memory/2940-30-0x0000000005840000-0x000000000588C000-memory.dmp

    Filesize

    304KB