Overview
overview
10Static
static
30d17733c30...5d.exe
windows10-2004-x64
1012afd6aace...a7.exe
windows10-2004-x64
101a9919325d...ce.exe
windows10-2004-x64
101b565f7ed3...1d.exe
windows10-2004-x64
102c58ee5805...6e.exe
windows10-2004-x64
1033598ea86e...12.exe
windows10-2004-x64
104e5d421522...cb.exe
windows10-2004-x64
104ff3477e4f...b7.exe
windows10-2004-x64
106ee2a56c58...f5.exe
windows10-2004-x64
10803bdeb4bc...3b.exe
windows10-2004-x64
1082c26e730c...f6.exe
windows10-2004-x64
1092d5779e2c...c1.exe
windows10-2004-x64
10b0845c677f...61.exe
windows10-2004-x64
10b82c1f093a...b3.exe
windows10-2004-x64
10c52f1aa452...c1.exe
windows10-2004-x64
10c7bf16d19a...5c.exe
windows10-2004-x64
10d85805160c...b3.exe
windows10-2004-x64
10e4e49b8568...6d.exe
windows10-2004-x64
10e5ef76e6dd...ba.exe
windows10-2004-x64
10fac8fce7e3...0e.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:09
Static task
static1
Behavioral task
behavioral1
Sample
0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
2c58ee580588f3af770bfbe1f4b90e3f3abc1db0635b5db9df6dc396c7e7666e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
33598ea86e5fb6e4703678ac412886ef6b59161a6c845c900d25dda182afa112.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
92d5779e2c52f5941931dde42396f724a8986970826adad853ad885da3caccc1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e4e49b8568937c43bba5621fcfe9e3762efb9c4078b3287603ef249c522d126d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e5ef76e6dd861b064544fe5f0400d8d476e07d29a56f78d564dd2a73252e39ba.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe
Resource
win10v2004-20240226-en
General
-
Target
4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe
-
Size
272KB
-
MD5
879e06303a2636b4c3b88503f6cd952d
-
SHA1
8b78f4c17f8dffb2228370cd0b529fa815938848
-
SHA256
4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7
-
SHA512
37322096ded08c4fc7caba304546f228af2046e166bd128107a12de4dad5bf2734470fec537df33b32e2d03cf656444ab383fb64b211e96dcec938d9ceadb95f
-
SSDEEP
6144:KVy+bnr+gp0yN90QEvd3Y9nO/kYADFwomNsRjq1jGjg:PMrMy90Vdo9nOqDFwomNi4jGjg
Malware Config
Extracted
redline
moner
77.91.124.82:19071
-
auth_value
a94cd9e01643e1945b296c28a2f28707
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral8/files/0x000800000002340f-4.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral8/files/0x0007000000023410-8.dat family_redline behavioral8/memory/3232-11-0x00000000007F0000-0x0000000000820000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 4956 m1193163.exe 3232 n5349986.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2924 wrote to memory of 4956 2924 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe 84 PID 2924 wrote to memory of 4956 2924 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe 84 PID 2924 wrote to memory of 4956 2924 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe 84 PID 2924 wrote to memory of 3232 2924 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe 85 PID 2924 wrote to memory of 3232 2924 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe 85 PID 2924 wrote to memory of 3232 2924 4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe"C:\Users\Admin\AppData\Local\Temp\4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1193163.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1193163.exe2⤵
- Executes dropped EXE
PID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5349986.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5349986.exe2⤵
- Executes dropped EXE
PID:3232
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142KB
MD5616731d9183297d6db5b7335d8e16dc6
SHA1855242f52398c850bc5c36fffd381f25df4199e2
SHA2566067181e030c53b76935fdf2a4743abd7bfb3372d813bb951814a8e2b8a101f2
SHA5126278b65b370507089ce13e452d880a5833b46736f6cdd858fb7f971674f9fea15c674eba6b82facc6f99d0eba014121fa9b825a87e32ab6d3caa099eea64d31d
-
Filesize
174KB
MD5881614486f8ddb4fc8c1eb2fe69f16ac
SHA11787622c9ef7aeb342d29357f03f984bf3997163
SHA2564e23c2e491c16c6718e160e9a7c2430359ca72e3254471370ae8b20400aabd7d
SHA51281742a3573f2180072ce4d6fe4263945b9186a275ef7af56759f5637047388812c1a8ee912d9440cba70544b2e2d204dccce4a0b6ec37a2e18bdf6c1fb5bf1f6