Overview

overview

10

Static

static

3

16b785fdba...08.exe

windows10-2004-x64

10

17bfe16ecf...a7.exe

windows10-2004-x64

10

30deda44ad...a8.exe

windows10-2004-x64

10

3e348a855b...4e.exe

windows10-2004-x64

10

458df588f5...8e.exe

windows10-2004-x64

10

481a0f4fa4...b6.exe

windows10-2004-x64

10

54ca1e2099...d4.exe

windows10-2004-x64

10

5645ed9dff...fa.exe

windows10-2004-x64

10

5d8e30863d...60.exe

windows10-2004-x64

10

74646b4cce...46.exe

windows10-2004-x64

10

86e6dff72e...d8.exe

windows10-2004-x64

10

8fe46c7fa8...3b.exe

windows10-2004-x64

10

a261c92b0b...5a.exe

windows10-2004-x64

10

a67b0f00c8...14.exe

windows10-2004-x64

10

acb13f0321...3c.exe

windows10-2004-x64

10

b59f946473...f9.exe

windows10-2004-x64

10

c15c0b27fc...af.exe

windows10-2004-x64

10

dbb1ff59d8...b8.exe

windows10-2004-x64

10

e45cad29f3...cf.exe

windows10-2004-x64

10

fd708e30f7...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8.exe

  • Size

    590KB

  • MD5

    e7d79324c286301169d5968e9ef79625

  • SHA1

    84831fde7b54a23b71c60bf6ce158fe1d95e85ec

  • SHA256

    dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8

  • SHA512

    6e2ce2657227127e5476f735de465156c087d087847f4417f3af1aaa14a0b8d7ade1b61f5f8559c42bedc0fdb4beee4a839e712ff86d1726d7b0bd6b3a16cb85

  • SSDEEP

    12288:PMrty90JdraPKejQkiikLIWIDmG2s3TamlIn:iyYraP/YIWuN2Yauq

Score
10/10
mysticredlinegigantinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8.exe
    "C:\Users\Admin\AppData\Local\Temp\dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TS4XU9KH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TS4XU9KH.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ix03tL5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ix03tL5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1732
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:4600
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 184
                5⤵
                • Program crash
                PID:4940
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 156
              4⤵
              • Program crash
              PID:2100
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ey145iQ.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ey145iQ.exe
            3⤵
            • Executes dropped EXE
            PID:3584
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4600 -ip 4600
        1⤵
          PID:1176
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3352 -ip 3352
          1⤵
            PID:4056

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TS4XU9KH.exe
            Filesize

            417KB

            MD5

            4dbefc9cbca45c11fe487bba676c75bc

            SHA1

            9ab79f8914821368626498a6377efeabd6a30974

            SHA256

            a686058fef91331af7be47ca59bb170825b171171d74ecc6c3841364c8ed31e7

            SHA512

            b727ddc72c1215dc23441ed41584d13c83b97c742b59a10be2c4b681ef25b1ceb3ca048f2ff6863e951bcc2ddf2ae15329999cf687e9ca4d9f06423e86cce23b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ix03tL5.exe
            Filesize

            378KB

            MD5

            2ea7a6e0c2bc8807456f5361465aa218

            SHA1

            c55ba35cb779b3de159f1a16a9e65e8cd876bb94

            SHA256

            7a310a010ac8fef0116acf3209f4c52d22f2a6aae994e9cd2e709b42df27e0f5

            SHA512

            bbf62dde0a3f2d135dc40601bbcd6b2d0b51741ae7b9ddeaa665ba74f66250fedb106c3cf56c3920a80d0288c8c3713e5dd684da18d016478586d6caedb166b7

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ey145iQ.exe
            Filesize

            231KB

            MD5

            3fcb8402344765c03c2499c3af22f61f

            SHA1

            59109bce61d57d84188be59352bed0d26f76d9e5

            SHA256

            c980d2068f5aa2376b392f0a1ecdf4531f3656946e4eacaf8a13e5ee98dfdeff

            SHA512

            154240187aa0f2edd256ba9a8e30830a7b80c89ccd6e76231e93510c106c35921f2b69511647f10f3a079cd9e717faee3e9ae6972c99f83f6e9e516d790e9c73

            Download Submit
          • memory/3584-27-0x0000000008030000-0x000000000813A000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/3584-22-0x0000000000E10000-0x0000000000E4E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/3584-23-0x0000000008180000-0x0000000008724000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3584-24-0x0000000007CD0000-0x0000000007D62000-memory.dmp
            Filesize

            584KB

            Download
          • memory/3584-25-0x0000000003270000-0x000000000327A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3584-26-0x0000000008D50000-0x0000000009368000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/3584-28-0x0000000007F20000-0x0000000007F32000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3584-29-0x0000000007F80000-0x0000000007FBC000-memory.dmp
            Filesize

            240KB

            Download
          • memory/3584-30-0x0000000007FC0000-0x000000000800C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/4600-15-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4600-17-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4600-18-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4600-14-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download