Overview

overview

10

Static

static

3

0a827f3afc...35.exe

windows10-2004-x64

10

18184ff5db...7a.exe

windows10-2004-x64

10

36b2548e8c...4f.exe

windows10-2004-x64

10

4105a1b5cd...10.exe

windows10-2004-x64

10

5c5167b5fa...58.exe

windows10-2004-x64

10

63e6b5c830...f8.exe

windows10-2004-x64

10

6c30cb0079...67.exe

windows7-x64

10

6c30cb0079...67.exe

windows10-2004-x64

10

6e83c409a5...45.exe

windows10-2004-x64

10

77f90e3384...ff.exe

windows10-2004-x64

10

78bd5cf504...7c.exe

windows10-2004-x64

10

7ce62a9574...e1.exe

windows10-2004-x64

10

7d2d45b593...66.exe

windows10-2004-x64

10

7d9b9686db...9b.exe

windows10-2004-x64

10

864fdfc64c...f0.exe

windows10-2004-x64

10

9607b0ce5d...c6.exe

windows10-2004-x64

10

aa524ac0a8...07.exe

windows10-2004-x64

10

b6f332f02a...85.exe

windows10-2004-x64

10

cfebef463c...dc.exe

windows10-2004-x64

10

d0feb2ba6d...72.exe

windows10-2004-x64

10

df0b96135e...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1.exe

  • Size

    444KB

  • MD5

    62cb5abe1a7a14a455b7bcbde88afee6

  • SHA1

    5761fe51f10b934d99810fdd8d051f1a0b129aa8

  • SHA256

    7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1

  • SHA512

    59f36fd993e5ef000ac8c7bb8c87583a4d99385e8eec8438345c9b26c70ffcb050734c1770f4e6449370ab0a5ce5d77ac2cf42a52cfbf6751db261642c051ece

  • SSDEEP

    12288:FMrLy90YUdatcF1R4XJp2QzCPL9ZZID6MSkLyTnLh:+yx8atcF1Ry2OcxZOXjen1

Score
10/10
mysticredlinelutyrinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1.exe
    "C:\Users\Admin\AppData\Local\Temp\7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1qZ73jS6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1qZ73jS6.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4036
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 540
            4⤵
            • Program crash
            PID:2220
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 572
          3⤵
          • Program crash
          PID:3984
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Rs339xU.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Rs339xU.exe
        2⤵
        • Executes dropped EXE
        PID:2164
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4036 -ip 4036
      1⤵
        PID:1080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2008 -ip 2008
        1⤵
          PID:4836

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1qZ73jS6.exe
          Filesize

          423KB

          MD5

          52a15b134a85304b9b9c9649f422f5c8

          SHA1

          50de51dff4e84c9c139462c8841c93fa873bebd7

          SHA256

          97b259b771e15d73f8634f726cd5e2aea0a1c38d640742c00051f22319625ae1

          SHA512

          4ea2707da73c53869f0d4c302d0d59b74a7234bd9165804a1255e9aec217df4c7423e818dd780b93e28f8f6680ec766096782894ff7de436509b09ff61113b30

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Rs339xU.exe
          Filesize

          221KB

          MD5

          bdb5a55d75d1c68bf43fed27715e009c

          SHA1

          d206886dd0b6642c2264f999ceb07f6bd41fb62f

          SHA256

          72c660dad0f8e21c39c8b3401904e33c04d858ca262e807fde0bbe855814d813

          SHA512

          f6f6932daeb7784dea5beb50b9f7f9d0caa6b0a239d04bcefb574dd68f08c52b81a4639899b3a799c798a2335e5711963dfc2592bfa5adb6b430e38fc7300754

          Download Submit

        • memory/2164-21-0x0000000008500000-0x0000000008B18000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2164-19-0x00000000049D0000-0x00000000049DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2164-27-0x00000000740B0000-0x0000000074860000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2164-26-0x00000000740BE000-0x00000000740BF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2164-15-0x00000000740BE000-0x00000000740BF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2164-16-0x0000000000650000-0x000000000068E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2164-17-0x0000000007930000-0x0000000007ED4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2164-18-0x0000000007460000-0x00000000074F2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2164-20-0x00000000740B0000-0x0000000074860000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2164-25-0x00000000075B0000-0x00000000075FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2164-24-0x0000000007560000-0x000000000759C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2164-23-0x0000000007500000-0x0000000007512000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2164-22-0x0000000007EE0000-0x0000000007FEA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4036-7-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4036-9-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4036-11-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4036-8-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download