Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 16:40
Tasks
- static1: static task
- behavioral1: 0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe on win10v2004-20240508-en
- behavioral2: 17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776.exe on win10v2004-20240426-en
- behavioral3: 3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe on win10v2004-20240226-en
- behavioral4: 3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe on win10v2004-20240426-en
- behavioral5: 37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5.exe on win10v2004-20240426-en
- behavioral6: 3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe on win10v2004-20240508-en
- behavioral7: 3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe on win10v2004-20240426-en
- behavioral8: 3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8.exe on win10v2004-20240508-en
- behavioral9: 5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe on win7-20240221-en
- behavioral10: 5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe on win10v2004-20240508-en
- behavioral11: 5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4.exe on win10v2004-20240508-en
- behavioral12: 61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5.exe on win10v2004-20240508-en
- behavioral13: 64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36.exe on win10v2004-20240426-en
- behavioral14: 7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49.exe on win10v2004-20240426-en
- behavioral15: 7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e.exe on win10v2004-20240508-en
- behavioral16: 825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe on win10v2004-20240426-en
- behavioral17: 9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe on win10v2004-20240226-en
- behavioral18: a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe on win10v2004-20240508-en
- behavioral19: e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe on win10v2004-20240426-en
- behavioral20: eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b.exe on win10v2004-20240508-en
- behavioral21: f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe on win10v2004-20240508-en

The sections below are the results for behavioral16.
General
- Target: 825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
- Size: 1.2MB
- MD5: af9935a5730feb37c4978612c4edf672
- SHA1: 372775e1dd875989d6a340045c4751b3a8240daa
- SHA256: 825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce
- SHA512: 37a5cd9dd4ad956c4de847584d414c7025fba4bcefcf55745df352674a911d58f7dcdf24caee628a71efd9878dc5c387d1c45f34246032fe939cfa809e47261f
- SSDEEP: 24576:iy8cCiOZdnMRXmt+VyAxtnrPo+DzCfo336ABzS0fe+T6TqciV:JEMIt0zrQWv6A1P6mci
Malware Config
Extracted
- Family: redline
- Botnet: gigant
- C2: 77.91.124.55:19071
Signatures
- Detect Mystic stealer payload (3 IoCs)
  YARA rule mystic_family matched three memory dumps of PID 4540 (AppLaunch.exe), all of the region 0x00400000-0x00428000:
  behavioral16/memory/4540-35-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral16/memory/4540-36-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral16/memory/4540-38-0x0000000000400000-0x0000000000428000-memory.dmp
  The Mystic payload was seen only in AppLaunch.exe's memory, not as a dropped file; see the SetThreadContext entry below.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  YARA rule family_redline matched:
  behavioral16/files/0x000700000002345a-41.dat (dropped file)
  behavioral16/memory/3108-42-0x00000000006A0000-0x00000000006DE000-memory.dmp (PID 3108, 2ZI453MP.exe)
- Executes dropped EXE (6 IoCs)
  PID 3756  En3mi5kd.exe
  PID 2408  sV8So6oi.exe
  PID 3936  rA2ke2Lm.exe
  PID 992   YV0uq1IQ.exe
  PID 1172  1Yg24GF1.exe
  PID 3108  2ZI453MP.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  String values set under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
  wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (set by 825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe)
  wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (set by En3mi5kd.exe)
  wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (set by sV8So6oi.exe)
  wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (set by rA2ke2Lm.exe)
  wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (set by YV0uq1IQ.exe)
  Caveat: these are the standard self-cleanup entries written by wextract, the stub of Windows self-extracting (IExpress) packages. Each one deletes a single IXPnnn.TMP extraction directory at next logon and launches no payload, so they indicate five nested SFX layers rather than persistence for either stealer.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1172 (1Yg24GF1.exe) set the thread context of PID 4540 (AppLaunch.exe; procid_target 90).
  Together with the ten WriteProcessMemory calls from 1172 into 4540 and the Mystic matches at 0x00400000 in 4540's memory, this is consistent with process hollowing: the legitimate .NET host is started, its image is overwritten from the parent, and the thread is redirected into the injected code.
- Program crash (1 IoC)
  WerFault.exe (PID 2376) handled a crash of PID 1172 (1Yg24GF1.exe; procid_target 86).
- Suspicious use of WriteProcessMemory (28 IoCs)
  Writer -> target (entries, procid_target):
  PID 4368 825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe -> 3756 (3, 82)
  PID 3756 En3mi5kd.exe -> 2408 (3, 83)
  PID 2408 sV8So6oi.exe -> 3936 (3, 84)
  PID 3936 rA2ke2Lm.exe -> 992 (3, 85)
  PID 992 YV0uq1IQ.exe -> 1172 (3, 86)
  PID 1172 1Yg24GF1.exe -> 4540 (10, 90)
  PID 992 YV0uq1IQ.exe -> 3108 (3, 95)
  Every plain parent-to-child launch in this run produced three entries; the 1172 -> 4540 pair, the one that also set a thread context, produced ten.
Processes
- C:\Users\Admin\AppData\Local\Temp\825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe (PID 4368)
  command line: "C:\Users\Admin\AppData\Local\Temp\825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe"
  Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En3mi5kd.exe (PID 3756)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En3mi5kd.exe
    Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sV8So6oi.exe (PID 2408)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sV8So6oi.exe
      Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rA2ke2Lm.exe (PID 3936)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rA2ke2Lm.exe
        Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YV0uq1IQ.exe (PID 992)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YV0uq1IQ.exe
          Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yg24GF1.exe (PID 1172)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yg24GF1.exe
            Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4540)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\SysWOW64\WerFault.exe (PID 2376)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 156
              Program crash
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZI453MP.exe (PID 3108)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZI453MP.exe
            Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 1152)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1172 -ip 1172
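The WriteProcessMemory/SetThreadContext signatures and the wextract_cleanup RunOnce values above can be triaged mechanically instead of by eye. The following Python is an added example written for this page; it is not part of the sandbox, its report format, or the sample. It embeds the report's own signature entries as constructed input; the function names, the "more writes than a plain child launch plus a SetThreadContext on the same target" heuristic, and the RunOnce parsing are assumptions made for illustration.

```python
"""Added example (not the sandbox's code): rebuild the injection chain and the
SFX unpacking depth from the report's signature tables.

Input data is copied from the "Suspicious use of WriteProcessMemory",
"Suspicious use of SetThreadContext", "Executes dropped EXE" and "Adds Run key
to start application" entries.  Function names, the write-count heuristic and
the RunOnce parsing are assumptions made for illustration.
"""
import re
from collections import Counter

SAMPLE = "825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe"

# PID -> image, from "Executes dropped EXE" plus the two non-dropped processes
# in the process tree (the sample itself and the .NET host AppLaunch.exe).
IMAGES = {
    4368: SAMPLE,
    3756: "En3mi5kd.exe", 2408: "sV8So6oi.exe", 3936: "rA2ke2Lm.exe",
    992: "YV0uq1IQ.exe", 1172: "1Yg24GF1.exe", 3108: "2ZI453MP.exe",
    4540: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}

# One (writer PID, target PID) pair per "wrote to memory of" entry; the
# multipliers reproduce the report's 28 entries in order.
WRITES = ([(4368, 3756)] * 3 + [(3756, 2408)] * 3 + [(2408, 3936)] * 3
          + [(3936, 992)] * 3 + [(992, 1172)] * 3 + [(1172, 4540)] * 10
          + [(992, 3108)] * 3)

SET_THREAD_CONTEXT = "PID 1172 set thread context of 4540 1172 1Yg24GF1.exe 90"

# The five RunOnce values, one per line, as the report prints them.
RUNONCE = r"""
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" En3mi5kd.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" sV8So6oi.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" rA2ke2Lm.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" YV0uq1IQ.exe
"""


def find_hollowing(writes, stc_line, images, max_spawn_writes=3):
    """Flag writer->target pairs that combine more WriteProcessMemory calls than
    a plain child launch produces with a SetThreadContext on the same target.
    In this report every ordinary parent->child launch shows exactly three
    writes; the one pair that also sets the child's thread context shows ten.
    Overwrite the image, then redirect the thread: the hollowing sequence."""
    m = re.search(r"PID (\d+) set thread context of (\d+)", stc_line)
    stc_pairs = {(int(m.group(1)), int(m.group(2)))} if m else set()
    hits = {}
    for (writer, target), n in Counter(writes).items():
        if (writer, target) in stc_pairs and n > max_spawn_writes:
            host = images[target]
            hits[(writer, target)] = {
                "injector": images[writer],
                "host": host,
                "writes": n,
                # A hollowed Microsoft binary is the usual cover for stealer payloads.
                "host_is_windows_binary": host.lower().startswith("c:\\windows\\"),
            }
    return hits


_RUNONCE = re.compile(r'wextract_cleanup(\d+) = "(.*)" (\S+)$', re.M)


def sfx_stages(runonce_text):
    """Map each wextract_cleanup RunOnce value to the IXPnnn.TMP directory it
    deletes and to the process that set it.  advpack.dll,DelNodeRunDLL32 is the
    self-cleanup hook of wextract (IExpress packages): it removes the extraction
    directory at next logon and starts nothing, so these entries count nested
    SFX layers rather than persistence."""
    stages = []
    for idx, value, proc in _RUNONCE.findall(runonce_text):
        d = re.search(r"IXP\d+\.TMP", value)
        stages.append({
            "index": int(idx),
            "dir": d.group(0) if d else None,
            "set_by": proc,
            "cleanup_only": "advpack.dll,DelNodeRunDLL32" in value,
        })
    return sorted(stages, key=lambda s: s["index"])


if __name__ == "__main__":
    for (w, t), h in find_hollowing(WRITES, SET_THREAD_CONTEXT, IMAGES).items():
        print(f"hollowing: {h['injector']} (PID {w}) -> {h['host']} (PID {t}), "
              f"{h['writes']} writes, windows binary={h['host_is_windows_binary']}")
    stages = sfx_stages(RUNONCE)
    print(f"{len(stages)} nested wextract layers:")
    for s in stages:
        print(f"  {s['dir']} unpacked by {s['set_by']} (cleanup only: {s['cleanup_only']})")
```

On this report the script reports one hollowing pair, 1Yg24GF1.exe (PID 1172) into AppLaunch.exe (PID 4540) with ten writes, and five wextract layers, IXP000.TMP through IXP004.TMP, none of which starts a payload. The write-count threshold is specific to how this sandbox logs child launches; on another tracer the baseline per spawn should be measured before reusing it.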
Downloads
- Filesize: 1.0MB
  MD5: 93be75e8a3816193f546cbde869c2e0d
  SHA1: d31f57488d1c6b1c75469f0ca488a2ea4d2f59f7
  SHA256: 2c97a0aec7bd7f754afa0f3f5ddc293e08541e1366a8aaee24b2ea95275932ac
  SHA512: 10374d6e29304825ac9fdfefd7d3e7f4bacb9effa18ffdfe50218169092e0d02bb5e8ffed24fc15be5c379bd814232a29d05d3c4b69eb8a37196fc2e761cd357
- Filesize: 884KB
  MD5: 57bbe47a3df8488ade37b772e4d03233
  SHA1: a8ab7edc5bf51733a57a5f1ddf626dd154c0cde4
  SHA256: 8c9c5a5acd23cc2ad72a340ae890e4192429cc52c4240250c3ecca9cb3677b90
  SHA512: 85814dcbc5259927c56da1719273725c7ea62a6d29fc7334080bb0b5757c7dd21751b565926c9bf5f5589cc74f65f4e5326e05924a6442feb0ba6f9b2b85aefc
- Filesize: 590KB
  MD5: 775f3cf2413fa3e3276da74df020fa51
  SHA1: 735e5e3e13edfcb389dfc749c30f8043d28a76c6
  SHA256: 051278c62a75606978acf746f55d1a6662e14305f3a9c793f7fa3f61d6276183
  SHA512: bca5a61488e57471224062ee413e6b58419718fdf9d13f4c0e887214a7310158c685bfa245231ae26cddaae9eafb1256c30ecb106f3deb4f0a7fecb1ec8155da
- Filesize: 417KB
  MD5: 1359765780e39000eefce6916f75e3b2
  SHA1: c7fad61183241c5f99f906a419b77d9d5385ac10
  SHA256: b5e6fbe56dd2f1805c90861f6f34be2a58202685bd4f775bfa213e158f12c6ac
  SHA512: ac2890301b601bc7c162d582f02ad21958a50bc79e58e2d909238e209b4f1a019926013a63104861cf12a997717491f829ebefa7ef655211df9a819b9eaa1fcd
- Filesize: 378KB
  MD5: f0831f173733de08511f3a0739f278a6
  SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
  SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
  SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3
- Filesize: 231KB
  MD5: 5cbbf70b11d1f6776addc964c4ceddd7
  SHA1: 9301e9a63d43dbbc0ca1dd5f84912b80e67ce99a
  SHA256: c83de57c35f4636aa2182a3675132155cd3b757bfb14f57bda270ef0a4249b2a
  SHA512: d17da9467b5460f6fccd89b2196fa29dbd0004edfc50f66ccc2ac83fc2386e818215ea248a55f40e49ebaec3c6399cc780b4b753ee8f5cc66049b866f3ea10ae