Overview

overview

10

Static

static

3

04a87b8f05...aa.exe

windows10-2004-x64

10

114af5c13b...fd.exe

windows10-2004-x64

10

1e8dd381c7...01.exe

windows10-2004-x64

10

22e22c4ac4...b8.exe

windows10-2004-x64

10

2539ef3c9e...7a.exe

windows10-2004-x64

10

28e3223b75...cb.exe

windows10-2004-x64

10

2a370f0b1b...d2.exe

windows10-2004-x64

10

312eee3369...2a.exe

windows10-2004-x64

10

49fe85c527...13.exe

windows10-2004-x64

10

5b3b69df98...46.exe

windows10-2004-x64

10

73935ea9dd...cf.exe

windows10-2004-x64

10

7afbfc55db...35.exe

windows10-2004-x64

10

7b920ad0a6...fd.exe

windows10-2004-x64

10

867a7ac357...10.exe

windows10-2004-x64

10

a69474bf18...5d.exe

windows10-2004-x64

10

c1509297f2...7d.exe

windows10-2004-x64

10

c1821fe13b...86.exe

windows10-2004-x64

10

d431e54eb0...f6.exe

windows10-2004-x64

10

e0e0fe767a...79.exe

windows10-2004-x64

10

f1372b1a09...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe

  • Size

    577KB

  • MD5

    d58665fa7391568983d6aeb8c552d7e9

  • SHA1

    eb08b9875d7b1768942186126e366e26390491a2

  • SHA256

    22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8

  • SHA512

    5e8122035acac6fae926a3a512ea677430c3f67dae62f8a093bb330963f3488be822171e0933c9664a485c5ac8e4e3fc54f74997fc0a7b3ab900fecc087b208e

  • SSDEEP

    12288:ZMrVy90ojTaOad96qpnFWC4GRRwQKo388+pDSxzj1k:YyVO6qyCVmQApDSH1k

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe
    "C:\Users\Admin\AppData\Local\Temp\22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sy1wV8ry.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sy1wV8ry.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1uO38xv5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1uO38xv5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2944
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 540
              5⤵
              • Program crash
              PID:2348
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 152
            4⤵
            • Program crash
            PID:4852
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zR101Zo.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zR101Zo.exe
          3⤵
          • Executes dropped EXE
          PID:3836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2944 -ip 2944
      1⤵
        PID:2468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1948 -ip 1948
        1⤵
          PID:2988

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sy1wV8ry.exe
          Filesize

          382KB

          MD5

          830fd3a9eaa27ef60bee8982f3e28361

          SHA1

          9dcd4d1e71ee1b2567352b22b9e1bf3e735c1dee

          SHA256

          678243ce4fdc149ced130b197900f7bfbb08526082ad230cc180ea34f6b6d428

          SHA512

          6326551a3290465f9ea3f0101a59a01dfffc062481b1733307b70c6e506c9ed1f80b9ad2970c128b50d1d8b31a834ca026628802947160c7b3ae248bfabfc0a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1uO38xv5.exe
          Filesize

          295KB

          MD5

          904dca94bac3c280a971f38273035187

          SHA1

          19fd4efc307bc247755a1941263737a55fb81f87

          SHA256

          38a2caa15633de6c98b617579191b3e5a25fa0ad77b3576cd48a4cb6909bc229

          SHA512

          ba8b04cce5d0f3c86b5b729b35149ffe52720cc183c9dcf79c80742f9a99a6426b6b47fc9d779ef6fc40538c1a1e639ad0cd8ce9978107734b08ad33012207f9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zR101Zo.exe
          Filesize

          222KB

          MD5

          64897a90a5a81b106983c45ea29af6c9

          SHA1

          c802ace06c085f3a9bb90b955b1b2b652dafa7b6

          SHA256

          6e8dc7682de2676ed9c424eae5db9e0050808b8a54603a672c2834b72bb36d8c

          SHA512

          d9f4c455ebad0c8c010732042a1c6b40108e04462a54bd7ef790c441a7ea34dd411be48eb712e302832bf818861f182d781db39ff9731d6ccfd8220d1cb4212b

          Download Submit

        • memory/2944-14-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2944-16-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2944-15-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2944-18-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3836-23-0x0000000007E20000-0x00000000083C4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3836-22-0x0000000000A30000-0x0000000000A6E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3836-24-0x0000000007950000-0x00000000079E2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3836-25-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3836-26-0x00000000089F0000-0x0000000009008000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3836-27-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3836-28-0x0000000007B20000-0x0000000007B32000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3836-29-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3836-30-0x0000000007B50000-0x0000000007B9C000-memory.dmp

          Filesize

          304KB

          Download