Overview

overview

10

Static

static

3

04a87b8f05...aa.exe

windows10-2004-x64

10

114af5c13b...fd.exe

windows10-2004-x64

10

1e8dd381c7...01.exe

windows10-2004-x64

10

22e22c4ac4...b8.exe

windows10-2004-x64

10

2539ef3c9e...7a.exe

windows10-2004-x64

10

28e3223b75...cb.exe

windows10-2004-x64

10

2a370f0b1b...d2.exe

windows10-2004-x64

10

312eee3369...2a.exe

windows10-2004-x64

10

49fe85c527...13.exe

windows10-2004-x64

10

5b3b69df98...46.exe

windows10-2004-x64

10

73935ea9dd...cf.exe

windows10-2004-x64

10

7afbfc55db...35.exe

windows10-2004-x64

10

7b920ad0a6...fd.exe

windows10-2004-x64

10

867a7ac357...10.exe

windows10-2004-x64

10

a69474bf18...5d.exe

windows10-2004-x64

10

c1509297f2...7d.exe

windows10-2004-x64

10

c1821fe13b...86.exe

windows10-2004-x64

10

d431e54eb0...f6.exe

windows10-2004-x64

10

e0e0fe767a...79.exe

windows10-2004-x64

10

f1372b1a09...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe

  • Size

    879KB

  • MD5

    5c2b672966a5b08f397c249749e36103

  • SHA1

    829b694f77f4f214acc9ef3018b132fba50f1c75

  • SHA256

    d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6

  • SHA512

    35097dbd27313f2fdd16162b2d86ded90b7af56c62ae9f0e745d4824f4d006ac08d1351eec0f7a44548de164f87e362b7b0e7fc13cc8c6d0a62bdc9f138f0153

  • SSDEEP

    12288:HMrXy90w08HiILJ6XikwJVIsXyerEXiNysVUXm80ZBctoRD34FMJNW5LQDgai+p:gyf08/LJCwzFrl/VvncSkMv4QDdr

Score
10/10
mysticredlinelutyrinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe
    "C:\Users\Admin\AppData\Local\Temp\d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uc9Ja2VN.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uc9Ja2VN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq2wN7qZ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq2wN7qZ.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Py46Nj3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Py46Nj3.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:3292
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 600
              5⤵
              • Program crash
              PID:2804
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2He418an.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2He418an.exe
            4⤵
            • Executes dropped EXE
            PID:4108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4248 -ip 4248
      1⤵
        PID:2976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uc9Ja2VN.exe
        Filesize

        585KB

        MD5

        80b36d22cfcc195b87f2d11370dd5c5e

        SHA1

        1d6fa75fd66055e6b1c1f843f6972c713c3efbf1

        SHA256

        bb55f1a201fa3d3a27fc36e5a65669666d22da37d4d0e7d0a5a3356de6acbd73

        SHA512

        d6f4f109b3d83c17bb197646dc14b12deaef80bb2bb88428eaf0dc9e95994d02a1b6a6a97886fc7c1e6e71e4bfc5b13a8c5945c15752f7549ed898c94960875a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq2wN7qZ.exe
        Filesize

        412KB

        MD5

        f0fcefc767584a8f99db7459d6214d5f

        SHA1

        1333a35c35c855262c21b8162b3e965f5ef6535e

        SHA256

        77e41885e0e648842456e181648ad8729cd7ea24b4e8e353dda20d88d3c6c552

        SHA512

        796b74fb5081478e40829becab80cf52543594477ea38641d1975b6942d468fb1c89467fb5bf6cdbda4813f022fcff44ec0b0f9d6bf582f8097df17303836124

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Py46Nj3.exe
        Filesize

        378KB

        MD5

        c8c838184e3dc920cb4accacc0c1231d

        SHA1

        ff97e857ecef259833a66aac7a51488c3f32d45c

        SHA256

        0b25b91180e180073251ca6fbf96e511b8cc13fc62c67c4c3fafe2782c1eda4a

        SHA512

        12573d5c0d039d4b8bb3b613df87e137cf3fdcaeb55cc12e7a029a004264c517bbcc9d5b6f323957e8a97d3201d103755d0c2c3aa242dc0f00793df6d1b72eb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2He418an.exe
        Filesize

        221KB

        MD5

        7fcd3524a94e448cf45679cd4347c429

        SHA1

        9857d8ff154c8fb31ea9601ea2c13427d5d80e49

        SHA256

        a0c10987cc2f34a0373299e92b4c7c71baf278632eda5bfc1681a451412171d1

        SHA512

        173e28e665c3f056c1d824f40142c25fc4d6086415af206f9893e9578016dee21930a4f09014a5d0bff6634db6e64d0b7e319836f431acd080d0523ecd3c801d

        Download Submit

      • memory/3292-21-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3292-24-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3292-23-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/4108-29-0x0000000008250000-0x00000000087F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4108-28-0x0000000000F20000-0x0000000000F5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4108-30-0x0000000007D40000-0x0000000007DD2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4108-31-0x0000000003180000-0x000000000318A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4108-32-0x0000000008E20000-0x0000000009438000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4108-33-0x0000000008800000-0x000000000890A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4108-34-0x0000000007ED0000-0x0000000007EE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4108-35-0x0000000007F30000-0x0000000007F6C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4108-36-0x0000000007FB0000-0x0000000007FFC000-memory.dmp

        Filesize

        304KB

        Download