Overview
overview
10Static
static
304a87b8f05...aa.exe
windows10-2004-x64
10114af5c13b...fd.exe
windows10-2004-x64
101e8dd381c7...01.exe
windows10-2004-x64
1022e22c4ac4...b8.exe
windows10-2004-x64
102539ef3c9e...7a.exe
windows10-2004-x64
1028e3223b75...cb.exe
windows10-2004-x64
102a370f0b1b...d2.exe
windows10-2004-x64
10312eee3369...2a.exe
windows10-2004-x64
1049fe85c527...13.exe
windows10-2004-x64
105b3b69df98...46.exe
windows10-2004-x64
1073935ea9dd...cf.exe
windows10-2004-x64
107afbfc55db...35.exe
windows10-2004-x64
107b920ad0a6...fd.exe
windows10-2004-x64
10867a7ac357...10.exe
windows10-2004-x64
10a69474bf18...5d.exe
windows10-2004-x64
10c1509297f2...7d.exe
windows10-2004-x64
10c1821fe13b...86.exe
windows10-2004-x64
10d431e54eb0...f6.exe
windows10-2004-x64
10e0e0fe767a...79.exe
windows10-2004-x64
10f1372b1a09...cc.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:43
Static task
static1
Behavioral task
behavioral1
Sample
04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2539ef3c9ef568b60de04a70266f168cf5565fa88027d7d88812aed2417d527a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
49fe85c527d85f575f10ffaacbea94923608dbe00ee181347f30f31686a10513.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
5b3b69df98aea93f199289802070d29f0815829817936cfd60b3b627e0d20146.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
a69474bf18a7cca7eda490dd3a0e3f56de60989fbd935adbc91521cc640dd35d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe
Resource
win10v2004-20240426-en
General
-
Target
c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe
-
Size
326KB
-
MD5
82258baf5fd7b18e47c8dd949b380183
-
SHA1
71a30fae26f446b7e5bab3f44e39aa7aac1b8c90
-
SHA256
c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286
-
SHA512
d22f01b9ffb26a2dcf434e2e94b0d00228535f9493d83ac117b9d06f328ebd4ff53a3c7964eac5256d95651985a9973f763bb63c292d7021e7bcbf829e8ac713
-
SSDEEP
6144:Kqy+bnr+Jp0yN90QEJgX6VOwPBIAy+hy8vlvZgRkajW1HV6/1:SMrxy903g+OnA4q2i1161
Malware Config
Extracted
redline
lutyr
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral17/files/0x00090000000233c9-5.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral17/files/0x00070000000233e2-8.dat family_redline behavioral17/memory/3372-11-0x0000000000020000-0x000000000005E000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 2872 1uv05oe6.exe 3372 2Qx346vD.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4480 wrote to memory of 2872 4480 c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe 81 PID 4480 wrote to memory of 2872 4480 c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe 81 PID 4480 wrote to memory of 2872 4480 c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe 81 PID 4480 wrote to memory of 3372 4480 c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe 82 PID 4480 wrote to memory of 3372 4480 c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe 82 PID 4480 wrote to memory of 3372 4480 c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe"C:\Users\Admin\AppData\Local\Temp\c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uv05oe6.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uv05oe6.exe2⤵
- Executes dropped EXE
PID:2872
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Qx346vD.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Qx346vD.exe2⤵
- Executes dropped EXE
PID:3372
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
190KB
MD5a6656e3d6d06c8ce9cbb4b6952553c20
SHA1af45103616dc896da5ee4268fd5f9483b5b97c1c
SHA256fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b
SHA512f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84
-
Filesize
221KB
MD55d0ac3dd6e980c49c7d7801f955e5d47
SHA112c30489bb3cade179bb0ae727c48f59092b3d10
SHA256d5073e7629c7adfb27b082da4dceb037b28023a193373945a23935731ebd2642
SHA512720d8a87e088e9a5f40c7b354fc31b303ccc54937f72b34aee369931d6fcb8ecdc6526d55b561ca0555b8996f12304f9589f088906e32d17f6bffddc36c566e0