Overview
overview
10Static
static
304a87b8f05...aa.exe
windows10-2004-x64
10114af5c13b...fd.exe
windows10-2004-x64
101e8dd381c7...01.exe
windows10-2004-x64
1022e22c4ac4...b8.exe
windows10-2004-x64
102539ef3c9e...7a.exe
windows10-2004-x64
1028e3223b75...cb.exe
windows10-2004-x64
102a370f0b1b...d2.exe
windows10-2004-x64
10312eee3369...2a.exe
windows10-2004-x64
1049fe85c527...13.exe
windows10-2004-x64
105b3b69df98...46.exe
windows10-2004-x64
1073935ea9dd...cf.exe
windows10-2004-x64
107afbfc55db...35.exe
windows10-2004-x64
107b920ad0a6...fd.exe
windows10-2004-x64
10867a7ac357...10.exe
windows10-2004-x64
10a69474bf18...5d.exe
windows10-2004-x64
10c1509297f2...7d.exe
windows10-2004-x64
10c1821fe13b...86.exe
windows10-2004-x64
10d431e54eb0...f6.exe
windows10-2004-x64
10e0e0fe767a...79.exe
windows10-2004-x64
10f1372b1a09...cc.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:43
Static task
static1
Behavioral task
behavioral1
Sample
04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2539ef3c9ef568b60de04a70266f168cf5565fa88027d7d88812aed2417d527a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
49fe85c527d85f575f10ffaacbea94923608dbe00ee181347f30f31686a10513.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
5b3b69df98aea93f199289802070d29f0815829817936cfd60b3b627e0d20146.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
a69474bf18a7cca7eda490dd3a0e3f56de60989fbd935adbc91521cc640dd35d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe
Resource
win10v2004-20240426-en
General
-
Target
1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe
-
Size
1.3MB
-
MD5
c49e3017e606c005354d432f3f881d03
-
SHA1
0389dd7d07aec776f09223ae287d5d033198fb9a
-
SHA256
1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01
-
SHA512
bdddec1ea1bec3e6b005d654ed550a22eada8a0dc8e78525e670dde8724dfe5732c96a94cdbc7be48e49bd2f4311c456cf565b4a1776d541ff485dcb3a0e45af
-
SSDEEP
24576:1y9U9byiriRkjDd3xZWxghIP9tph2ar9EFKFQJTDPglgJk:QMLriRkjD/glVFj9EFKFQJi0
Malware Config
Extracted
redline
lutyr
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral3/files/0x00080000000233df-33.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral3/files/0x00070000000233e0-36.dat family_redline behavioral3/memory/3624-38-0x00000000008B0000-0x00000000008EE000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 2404 oZ8sP2ZW.exe 4348 CT5Fu1Qk.exe 3948 zu9Us3rr.exe 1012 Lb4uO0ax.exe 2156 1Zz06fw3.exe 3624 2qO921Ls.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" oZ8sP2ZW.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" CT5Fu1Qk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" zu9Us3rr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" Lb4uO0ax.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3484 wrote to memory of 2404 3484 1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe 82 PID 3484 wrote to memory of 2404 3484 1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe 82 PID 3484 wrote to memory of 2404 3484 1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe 82 PID 2404 wrote to memory of 4348 2404 oZ8sP2ZW.exe 83 PID 2404 wrote to memory of 4348 2404 oZ8sP2ZW.exe 83 PID 2404 wrote to memory of 4348 2404 oZ8sP2ZW.exe 83 PID 4348 wrote to memory of 3948 4348 CT5Fu1Qk.exe 84 PID 4348 wrote to memory of 3948 4348 CT5Fu1Qk.exe 84 PID 4348 wrote to memory of 3948 4348 CT5Fu1Qk.exe 84 PID 3948 wrote to memory of 1012 3948 zu9Us3rr.exe 85 PID 3948 wrote to memory of 1012 3948 zu9Us3rr.exe 85 PID 3948 wrote to memory of 1012 3948 zu9Us3rr.exe 85 PID 1012 wrote to memory of 2156 1012 Lb4uO0ax.exe 86 PID 1012 wrote to memory of 2156 1012 Lb4uO0ax.exe 86 PID 1012 wrote to memory of 2156 1012 Lb4uO0ax.exe 86 PID 1012 wrote to memory of 3624 1012 Lb4uO0ax.exe 87 PID 1012 wrote to memory of 3624 1012 Lb4uO0ax.exe 87 PID 1012 wrote to memory of 3624 1012 Lb4uO0ax.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe"C:\Users\Admin\AppData\Local\Temp\1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oZ8sP2ZW.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oZ8sP2ZW.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CT5Fu1Qk.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CT5Fu1Qk.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zu9Us3rr.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zu9Us3rr.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lb4uO0ax.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lb4uO0ax.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zz06fw3.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zz06fw3.exe6⤵
- Executes dropped EXE
PID:2156
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qO921Ls.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qO921Ls.exe6⤵
- Executes dropped EXE
PID:3624
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD56c15f866c71e1a25e71b0db145d5c3a9
SHA14593180ed2cc136c9410ec49ca4b854e8d41a7e7
SHA256fe0764d80f110c2bc34d06ffd74f0007a8e6c0a8b1c50c5d2662724d6a532d21
SHA5127e5719aa112486b41f151ab47db99bc099b20796d8fd491d91eeb9a35639be79b3516d2f06b75722193884dd3e82cb6ea40a064347339af7e403e05990272abc
-
Filesize
1.0MB
MD57e75fe60fe433663e60a7a0ed28091ee
SHA175a94eaf40aa639ba30709919dd998fcc5655d59
SHA2561d042fdd528be849963f2933cb92cde0b72fbd0977293aaa3aaa62983bc6c514
SHA512fa25bfce07608b42ec45d6d421048bd42f655ec0e8c8578edf361316bc59f1c22131c3a181d499e02594d5ac52c46241b7c6afd7b43809e3b9529743204bd14b
-
Filesize
522KB
MD51d5dd556f0cf50ecd2740d05794fcb89
SHA1c457687cca2e72815ce77c0ee233fc5f7999a321
SHA256edec722eef6449c82062159f04d673f13cf1b56729e1f7baa78476b4b034c4f6
SHA5124161e8c055bf4f7ed09448c53a3a7979d12ddd268f8e3d5b0d28a3fccd716a24a3ecfe774664a9cdc758b2b5e48f2ae43570b7f42db6a965994d1fa15ebae397
-
Filesize
326KB
MD537710e85f51e7568e64e7bbf003000a6
SHA15b8794a8273d33c128094980501b3aed7d4abc2c
SHA2566049d9a0fe850a9afdd1921259f567936ceb90dc4c38d30237197474acdfc96c
SHA5126961370d6f36c57a513e95ab22f17873fabc5606261333befcb0f1f24e39417e3ec64130d7bada1c67c74fe0bcd7b8b38cb6419376f2430262f3d5e98c32372c
-
Filesize
190KB
MD5a6656e3d6d06c8ce9cbb4b6952553c20
SHA1af45103616dc896da5ee4268fd5f9483b5b97c1c
SHA256fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b
SHA512f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84
-
Filesize
221KB
MD5e5ce076cd23ed22376d3a258336a2d9f
SHA1156e7e3db6195e9891963a2c261f691e6ece83d3
SHA2561c0e49dc21a9cf848feb328c3da48d81f0ac969b3985f7fc40c1eb1582c19290
SHA51247262d0bf6a8b06b32a6e09c71dd379700de02efa4f96bda2fe96f731956ed910eb565fbf8bfa67bcc4f4175040fb34f7ad154222b24bf0bfbaff9f98e351438