Overview
overview
10Static
static
30fd60696a3...b2.exe
windows7-x64
100fd60696a3...b2.exe
windows10-2004-x64
102996639955...59.exe
windows10-2004-x64
102acc7bf3a0...77.exe
windows10-2004-x64
10526be697bf...a7.exe
windows10-2004-x64
10537d35bac5...43.exe
windows10-2004-x64
1063e7ea0ef8...61.exe
windows10-2004-x64
106ba7aab10c...ba.exe
windows10-2004-x64
106be7b83314...78.exe
windows10-2004-x64
108155bd24d1...a2.exe
windows10-2004-x64
1098093b29a1...be.exe
windows10-2004-x64
10a03054b15e...e0.exe
windows10-2004-x64
10a6ac7e6221...44.exe
windows10-2004-x64
10b4bd81eed4...04.exe
windows10-2004-x64
10bc3d05e882...1f.exe
windows10-2004-x64
10c423201e38...8d.exe
windows10-2004-x64
10c5e42a3a50...3e.exe
windows10-2004-x64
10cfb43a8521...b2.exe
windows10-2004-x64
10e50cb48894...49.exe
windows10-2004-x64
10e8168dd5ed...47.exe
windows10-2004-x64
10f674a21edd...53.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 18:30
Static task
static1
Behavioral task
behavioral1
Sample
0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
299663995567ce7e8d92c1a76f6910056efcce778fe83d664f85a3ca9b2e2059.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2acc7bf3a0c9793fa35ddb267e569c575a7a142b0722a61a3c49c2e87e994477.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
6ba7aab10ca9c6b1705b9de79a2e324a956c2ef5b8210ba6a6fff04274d5a4ba.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
6be7b83314dc014eebc2d7cc17ce0021ea7d66e03bf91c49ddd8050fdb95b478.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
a03054b15e4fddd11bf2396780295da4431da23bddbec73b70a011da6d19a8e0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bc3d05e882eb83b7ad915dd2d33d3be8e73bb42e53f26b9662f99e79511e361f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c423201e3826daee29004ed5dcf47d914f79b9e35aabb7cda630e407b4d2888d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
e8168dd5edaf1e8b049e5f5e7c1241a1e9e3c746375080bfc3d7dabb994bc847.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f674a21edded6b58ee18fe72f4241798a2dc4a04eebb177a73f1ddde8cde4f53.exe
Resource
win10v2004-20240508-en
General
-
Target
98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe
-
Size
1.1MB
-
MD5
689af04893939e7333c5ab54564327ac
-
SHA1
b5a3cb2db8caf56327c79b1378e69a8ee8ddc764
-
SHA256
98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be
-
SHA512
5220957905fbe451ab40d31194e1515fc814fec6fe4284d77085dc1ba14285124d3bb37554f104db87d076341a07d84d2fd68938a5c042adf18c87f0e570e04f
-
SSDEEP
24576:Dy9FhmM9/epbOxTHMVL6Ehz/XKGts/RYUPVTtSMoxICJ626P0mW9P:W9fmM92pbYsVLnDK/qUV8Moc0
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral11/files/0x0008000000023443-25.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral11/files/0x0007000000023444-29.dat family_redline behavioral11/memory/4508-31-0x0000000000020000-0x000000000005E000-memory.dmp family_redline -
Executes dropped EXE 5 IoCs
pid Process 2668 YB1FF8Wt.exe 2344 Tk1Rz2Ys.exe 1868 aj2bZ3Op.exe 4948 1Al63to5.exe 4508 2By534Ok.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" YB1FF8Wt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Tk1Rz2Ys.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" aj2bZ3Op.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4308 wrote to memory of 2668 4308 98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe 82 PID 4308 wrote to memory of 2668 4308 98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe 82 PID 4308 wrote to memory of 2668 4308 98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe 82 PID 2668 wrote to memory of 2344 2668 YB1FF8Wt.exe 83 PID 2668 wrote to memory of 2344 2668 YB1FF8Wt.exe 83 PID 2668 wrote to memory of 2344 2668 YB1FF8Wt.exe 83 PID 2344 wrote to memory of 1868 2344 Tk1Rz2Ys.exe 84 PID 2344 wrote to memory of 1868 2344 Tk1Rz2Ys.exe 84 PID 2344 wrote to memory of 1868 2344 Tk1Rz2Ys.exe 84 PID 1868 wrote to memory of 4948 1868 aj2bZ3Op.exe 85 PID 1868 wrote to memory of 4948 1868 aj2bZ3Op.exe 85 PID 1868 wrote to memory of 4948 1868 aj2bZ3Op.exe 85 PID 1868 wrote to memory of 4508 1868 aj2bZ3Op.exe 86 PID 1868 wrote to memory of 4508 1868 aj2bZ3Op.exe 86 PID 1868 wrote to memory of 4508 1868 aj2bZ3Op.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe"C:\Users\Admin\AppData\Local\Temp\98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YB1FF8Wt.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YB1FF8Wt.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tk1Rz2Ys.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tk1Rz2Ys.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aj2bZ3Op.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aj2bZ3Op.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Al63to5.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Al63to5.exe5⤵
- Executes dropped EXE
PID:4948
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2By534Ok.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2By534Ok.exe5⤵
- Executes dropped EXE
PID:4508
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
942KB
MD58165c03c6616550d5ebf0c39078245f2
SHA19000769858b4ba3d7b8df471d1512de379b1b784
SHA256f0b6714b88c1a70c4d0b74cc6b8902923bf5960e14ee97e868a2502617b3d335
SHA512076d5b62824f63cb76f45b02a07903cb657d5b9ea5667ec9101886bc5d54775255c5e4ff981a420dc25cee6ce18b417c3ff4545545fa07d69a6bc74beccc27a0
-
Filesize
515KB
MD50eedf9996b8c26f52d71896009d0cc50
SHA1f31ba9e5031f8c262eaf311a08371ba34c4aa2bc
SHA256558b03ab429c0a7fc8f69ced013873e821e5e834b37deb130e80e09ade932896
SHA512440a5038f3ed17181822526ad0d3b73545c54e4b8fe04ba945102e0cbf3bcfd591f766753603a7aeb6bb75e2903e12ca20e39ac09420e4dcbd00f600548c93ba
-
Filesize
319KB
MD5f12604f3cc88a105f73d023dffa8d94c
SHA1143deb9c9f92f1e29b28f9ac6751fba2a9866f70
SHA256e41316564962a634fdeccd6bb286bc0c00067058978b3bc9dceca9e3ed9d1ac4
SHA51237a2dc2312c1a0f1f82fe1394a767a96326e3034fc4ba60224eefc5024d4d1e50186b32e183d23c6ba43ed2850513886ff3860029b6029d931159736b889e678
-
Filesize
180KB
MD53f305144feb3040cf41b216841537ec2
SHA1ae9066cc3b40be6250e7e6a90bcc2de160067b84
SHA25689fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1
SHA512ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e
-
Filesize
222KB
MD5b6ebd2573815be66b0f7fcbfdbdc0695
SHA1696a0d9d89c74ec57b228943af8c544ce6b4ba54
SHA256d79f5b1589fcf17335af0ddf757d65edf1b7df2d9d7808c04363acc997190ba2
SHA51278a0ab12e3a4c2c950efe0d2f51092ed78e5b23ceef7dd718181454fe8f0ec0ebc5662896d44d43164c6cc8e68bfef5ec0b4496273fa4f476a6e323a3bfa3f7f