Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff.exe

  • Size

    409KB

  • MD5

    528c55db5f8cbf3442a3729e685d9f0d

  • SHA1

    ba7ed8fcf8e39667743f812d9c5fa1d82d025f26

  • SHA256

    f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff

  • SHA512

    12c8b016e7b6ca2d357d2fc770ea72fdb195dce19357ec9acdc44fcfd5cd808474a88eef2c7ef39c93a468ddbddf371993d02c43175ea4546086ca4863751221

  • SSDEEP

    6144:Kry+bnr+Vp0yN90QEXnD5+uPpwDYJAQEf2vFn8wRVVl/DFLblDH/:9Mrhy90j+Mof2J8wP3FVDf

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff.exe
    "C:\Users\Admin\AppData\Local\Temp\f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1lC31zb8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1lC31zb8.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:3520
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 540
            4⤵
            • Program crash
            PID:4676
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2YI909rR.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2YI909rR.exe
        2⤵
        • Executes dropped EXE
        PID:2920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3520 -ip 3520
      1⤵
        PID:4108

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1lC31zb8.exe
        Filesize

        340KB

        MD5

        ec3819defcb1def0479459a07cf02070

        SHA1

        0d46c5bab631e6a66bf617d8f92cfb4fe36ea2ed

        SHA256

        c91e019691a909fc6499991d551db9fbdbb7880e596a2d078a0b9e1bc6e58092

        SHA512

        60f4cb6ec74df86d3ffde51e09968297d5a9277f58d4829b53e07e4d49b5500a7a08ba2ef35326388daad158b2608bdd3591ad98e793934a3c8be6a8dea839d3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2YI909rR.exe
        Filesize

        222KB

        MD5

        71bbd8e9a4a2bd30862e98336d976a81

        SHA1

        eb3e0c9368f8ac4611e6ea409217a5cdb6363bf1

        SHA256

        1fb936858df4cadd7fba4393ffc5b9e8872eeb8b3dc63139bda3665d0066f040

        SHA512

        c9c901affe493166c1a1a16409a2e8f09d2f9c649722ad6ad115540fade1b4bcff19286c35cc76a2ca62316d940277939a3e4ec45f0ef43faba5e56cf90b4dd3

        Download Submit

      • memory/2920-21-0x0000000008BB0000-0x00000000091C8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2920-20-0x00000000741F0000-0x00000000749A0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2920-27-0x00000000741F0000-0x00000000749A0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2920-26-0x00000000741FE000-0x00000000741FF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2920-15-0x00000000741FE000-0x00000000741FF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2920-16-0x0000000000D60000-0x0000000000D9E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2920-17-0x0000000007FE0000-0x0000000008584000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2920-18-0x0000000007B20000-0x0000000007BB2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2920-19-0x0000000002F90000-0x0000000002F9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2920-25-0x0000000007DB0000-0x0000000007DFC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2920-24-0x0000000007D70000-0x0000000007DAC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2920-23-0x0000000007C10000-0x0000000007C22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2920-22-0x0000000008590000-0x000000000869A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3520-7-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3520-8-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3520-10-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3520-11-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download