Overview

overview

10

Static

static

3

16b785fdba...08.exe

windows10-2004-x64

10

17bfe16ecf...a7.exe

windows10-2004-x64

10

30deda44ad...a8.exe

windows10-2004-x64

10

3e348a855b...4e.exe

windows10-2004-x64

10

458df588f5...8e.exe

windows10-2004-x64

10

481a0f4fa4...b6.exe

windows10-2004-x64

10

54ca1e2099...d4.exe

windows10-2004-x64

10

5645ed9dff...fa.exe

windows10-2004-x64

10

5d8e30863d...60.exe

windows10-2004-x64

10

74646b4cce...46.exe

windows10-2004-x64

10

86e6dff72e...d8.exe

windows10-2004-x64

10

8fe46c7fa8...3b.exe

windows10-2004-x64

10

a261c92b0b...5a.exe

windows10-2004-x64

10

a67b0f00c8...14.exe

windows10-2004-x64

10

acb13f0321...3c.exe

windows10-2004-x64

10

b59f946473...f9.exe

windows10-2004-x64

10

c15c0b27fc...af.exe

windows10-2004-x64

10

dbb1ff59d8...b8.exe

windows10-2004-x64

10

e45cad29f3...cf.exe

windows10-2004-x64

10

fd708e30f7...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe

  • Size

    884KB

  • MD5

    8747aac71d50b90e3d130826a4ac1325

  • SHA1

    37843108fccb569bc9e09e02f74e8f2c239f7a97

  • SHA256

    5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60

  • SHA512

    a2ac56f6c745bdd65f1a4331828d3b6299f5d1c579d196a485825efdbf9a59601b8f2f73afb881db17f1897d5d95ae677839e67ea52fbe061897ffb286102db0

  • SSDEEP

    24576:Nykf9GM0FvYyBo/d++og75riw6DrtBxr:okVGRFvVBoV8gNGV3tB

Score
10/10
mysticredlinegigantinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe
    "C:\Users\Admin\AppData\Local\Temp\5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2nX9Bh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2nX9Bh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gs8EO4gz.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gs8EO4gz.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1at72DO6.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1at72DO6.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3228
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:1532
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 164
              5⤵
              • Program crash
              PID:3452
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe
            4⤵
            • Executes dropped EXE
            PID:64
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3228 -ip 3228
      1⤵
        PID:3608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2nX9Bh.exe
        Filesize

        590KB

        MD5

        2a63b01135d3f4a8f857df234c71da29

        SHA1

        e3cd234b6f9453e0aaf7e520590dc919f99b57ca

        SHA256

        cbdc47df4acb7bec90dbadb330f10cc090b96518f8034306810d83a9fce4057f

        SHA512

        b7baa657beb2a24c6591e7f9409d1ee475bf13ee89c2eab29881be03af83266e1148bf4f7ae744bf4b7bcd96162a43850610517a8421cb0fd052db28c501222e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gs8EO4gz.exe
        Filesize

        417KB

        MD5

        a653cd0026823bb444bc27def3cf27b4

        SHA1

        8600c671ffdc6e02703fff5456d8a76af424a77f

        SHA256

        c2d2fca40f7e8c84e3f238bdc82cba1e2220a5dcbba1b94f9c925a8aa3aa3e62

        SHA512

        7f11d66c69cbda9483970c247f4b24f100aab730a5b93fda8e16c15a118d2429ccc5053b555d311232197b36e1ec6b577291fcd8b36a1715ee5ba2abba49e3af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1at72DO6.exe
        Filesize

        378KB

        MD5

        f0831f173733de08511f3a0739f278a6

        SHA1

        06dc809d653c5d2c97386084ae13b50a73eb5b60

        SHA256

        8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

        SHA512

        19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe
        Filesize

        231KB

        MD5

        0bd71299dd4975b52678e94953e877db

        SHA1

        48e91fa816bf2d444ad80bec51c3aec4585cc5bd

        SHA256

        d2199270533f567bfe7e44512b6ddc8f02fe74d26a990974f59fb6c6ab29aa31

        SHA512

        6cf98b6ceb32a6b844a2e77cdf5f67210b56c708ca73ea16dc4ff4be51fe094edc8aefad03e43e83de869c1a36cf64c057e41ca53483b2f452100aabe60cadd7

        Download Submit

      • memory/64-33-0x0000000007BC0000-0x0000000007CCA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/64-28-0x00000000009F0000-0x0000000000A2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/64-29-0x0000000007E10000-0x00000000083B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/64-30-0x0000000007900000-0x0000000007992000-memory.dmp

        Filesize

        584KB

        Download

      • memory/64-31-0x0000000002E70000-0x0000000002E7A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/64-32-0x00000000089E0000-0x0000000008FF8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/64-34-0x0000000007AF0000-0x0000000007B02000-memory.dmp

        Filesize

        72KB

        Download

      • memory/64-35-0x0000000007B50000-0x0000000007B8C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/64-36-0x0000000007CD0000-0x0000000007D1C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1532-24-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1532-22-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1532-21-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download