Overview
overview
10Static
static
30a7a53ccfc...4d.exe
windows10-2004-x64
1015fd14ba21...b7.exe
windows10-2004-x64
101ded3ef8a6...eb.exe
windows10-2004-x64
10211c4e6a11...13.exe
windows10-2004-x64
102143b79ffb...90.exe
windows10-2004-x64
10262bcbb295...79.exe
windows10-2004-x64
102db3eb661b...10.exe
windows10-2004-x64
1038f672e7cb...04.exe
windows10-2004-x64
103a8f22ea92...1f.exe
windows10-2004-x64
104ad2507250...50.exe
windows10-2004-x64
104d264f872f...4d.exe
windows10-2004-x64
105dcad04e9c...98.exe
windows10-2004-x64
10838e53197e...9e.exe
windows10-2004-x64
109fb3613b82...eb.exe
windows10-2004-x64
10ada5308889...6d.exe
windows10-2004-x64
10b7edb218fe...67.exe
windows10-2004-x64
10c7a8b128f1...e0.exe
windows7-x64
10c7a8b128f1...e0.exe
windows10-2004-x64
10d0c2f16d85...04.exe
windows10-2004-x64
10d686e13696...c7.exe
windows10-2004-x64
10f2cce909ec...10.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1ded3ef8a66199255bccbc48246fb511b05dd362acee6fc379d36afee68aa1eb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
211c4e6a11f15bd767da6f104c223571e677d598cba947fc6ecc736fb041af13.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2db3eb661bd1960f4f027053512a24f0c61f26c7314d49ff0114cec48de8d110.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
38f672e7cba986b4d9af3c51220a9df7a2a858c8744e2594475ff11d2cd80504.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
d686e13696bd68f852ead6d9f363bc3da451cda82485f639727be0ee38b8dac7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe
Resource
win10v2004-20240508-en
General
-
Target
5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
-
Size
662KB
-
MD5
c248e1517a6179b7acc3b20cce371cc0
-
SHA1
9d6252a7582d36357c043ea0be48d909897c851a
-
SHA256
5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498
-
SHA512
64795b3eab9cbe155153ff569f7281f3ebe55838d2c59a5491628d859f9e7fb725d3ccd377d5ec0b18499b029d9fd9d0227532b7ad3bfb2e1fe413b135132846
-
SSDEEP
12288:mMr0y90pS7BgRbtp98YeWbSfz7dw32LBsDImm6RZvLfF2syFhvx27shDTI/:2yqSCRzSXfzRwsBsDIoRZT4syFhThTI/
Malware Config
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral12/files/0x0008000000023441-20.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral12/files/0x0007000000023442-22.dat family_redline behavioral12/memory/2068-24-0x0000000000730000-0x0000000000760000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2696 y7662814.exe 1408 y0040072.exe 3960 m6359351.exe 2068 n4607363.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y7662814.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y0040072.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3524 wrote to memory of 2696 3524 5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe 83 PID 3524 wrote to memory of 2696 3524 5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe 83 PID 3524 wrote to memory of 2696 3524 5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe 83 PID 2696 wrote to memory of 1408 2696 y7662814.exe 84 PID 2696 wrote to memory of 1408 2696 y7662814.exe 84 PID 2696 wrote to memory of 1408 2696 y7662814.exe 84 PID 1408 wrote to memory of 3960 1408 y0040072.exe 85 PID 1408 wrote to memory of 3960 1408 y0040072.exe 85 PID 1408 wrote to memory of 3960 1408 y0040072.exe 85 PID 1408 wrote to memory of 2068 1408 y0040072.exe 86 PID 1408 wrote to memory of 2068 1408 y0040072.exe 86 PID 1408 wrote to memory of 2068 1408 y0040072.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe"C:\Users\Admin\AppData\Local\Temp\5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7662814.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7662814.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0040072.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0040072.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6359351.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6359351.exe4⤵
- Executes dropped EXE
PID:3960
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4607363.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4607363.exe4⤵
- Executes dropped EXE
PID:2068
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
560KB
MD58b5a884ba6bc639a9392a03df8e06dc4
SHA186c0f0fa5f1a854810cd735ac717da5445eace22
SHA256c63c5e64af0297aa006cfacb0410f990e18042f833fe6ead4c1209209e696808
SHA5124f5b83eec805d4edc6fcbfa79b286b83f3a46fc3d4e5510828b52fae1244aaac0000c08283decedb44b0a06dfea44ce922b973725707e03cd1ae6a47cdd886da
-
Filesize
271KB
MD58a35c043df876ccaf7ac3c430d30916d
SHA1f3b74468da3b223626e64dd8d118e6055cbbb9c1
SHA2567522ea0e3e470c74ced327e8610b7d2bf30f7e9d38ea336345cc5100c66b38b5
SHA512b11da9184134480594ab9136cf4d9cb4c7bd012b1165d2e8c54a6dcccba7fc555125d35d2f6ec85df031abeeba7a5683931a4d9283bd26b390cf26adc6b73ee9
-
Filesize
141KB
MD5f563a37218e268e5604c20af88919931
SHA1cefe0fc72600e979c3eb7296dd12e0939d1ddfe8
SHA2562325b6b089cfe41cb165423e9ef26ca89cc6925584042ef5e99b0d7bdcd1b855
SHA512a0763d2764216a597bd00fd680cf6babfa5a76ba4d52168657c6da6db480ca56ace02ece2f2a6c5ff29ce5abf21b4b8a94de6cd373a9ebdc1167e146b3024699
-
Filesize
175KB
MD5b7df343c23997a08ba74199b5870f23c
SHA1f3ee6567b3dda137218b3716d56a6e82dae7a01d
SHA25691fc0b3067a4e495cebf79b6026ca1a887bcab248a478f6f0e3b373d40f7ebd1
SHA51265c74545dc4f6910ab7e57c82397538bfd93f067237795d26ecb5d58e772b111b509fb4056270b907bf5e4fae98c1914fbea4296b780f05199308946952d9d40