Overview

overview

10

Static

static

3

06d3b7d2ba...d0.exe

windows10-2004-x64

10

08bd377a60...53.exe

windows10-2004-x64

10

2847bdc35d...e1.exe

windows10-2004-x64

10

2bed4ea70d...7f.exe

windows10-2004-x64

10

3ab0d6f60e...46.exe

windows10-2004-x64

10

3c1c5a94c5...69.exe

windows10-2004-x64

10

76530ae1ec...23.exe

windows10-2004-x64

10

7b80c0170b...d1.exe

windows10-2004-x64

10

80633f3a01...36.exe

windows10-2004-x64

10

888619cf7b...9e.exe

windows10-2004-x64

10

8db1b8c1b5...85.exe

windows10-2004-x64

10

9ea70f7e17...5f.exe

windows10-2004-x64

10

9f8dd013ec...7e.exe

windows10-2004-x64

10

aa0c9ad482...cc.exe

windows10-2004-x64

10

aaf88983ad...f6.exe

windows10-2004-x64

10

b12a5fda99...06.exe

windows10-2004-x64

10

b754f77f3f...44.exe

windows10-2004-x64

10

c6c6e2b36c...88.exe

windows10-2004-x64

10

dce2842856...6c.exe

windows10-2004-x64

10

e2d9100264...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa0c9ad482b23242e3009ff55447fc1f9559ff1412e903acbc14e3ed4c4774cc.exe

  • Size

    326KB

  • MD5

    2d1c846ca0a72429e0f56b792ca019f6

  • SHA1

    5e8f7aa4cb5ae0dffcf4596c5b4e897b10403c23

  • SHA256

    aa0c9ad482b23242e3009ff55447fc1f9559ff1412e903acbc14e3ed4c4774cc

  • SHA512

    61be26f0af6cfbe5d927816737316b5da751bd1786829da07067cf8635f955ca1d8c5502c2c915752743668b7ba07ae1db0155d1d93bac5bb938e6fdf06f20fe

  • SSDEEP

    6144:KNy+bnr+vp0yN90QElAX6VOwPBIAy+hy8vlvZgRkajW1fDa/6:nMrTy90vA+OnA4q2i1ba6

Score
10/10
mysticredlinelutyrinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa0c9ad482b23242e3009ff55447fc1f9559ff1412e903acbc14e3ed4c4774cc.exe
    "C:\Users\Admin\AppData\Local\Temp\aa0c9ad482b23242e3009ff55447fc1f9559ff1412e903acbc14e3ed4c4774cc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1RU01FE4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1RU01FE4.exe
      2⤵
      • Executes dropped EXE
      PID:2276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qV494LQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qV494LQ.exe
      2⤵
      • Executes dropped EXE
      PID:64

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1RU01FE4.exe
    Filesize

    190KB

    MD5

    a6656e3d6d06c8ce9cbb4b6952553c20

    SHA1

    af45103616dc896da5ee4268fd5f9483b5b97c1c

    SHA256

    fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

    SHA512

    f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qV494LQ.exe
    Filesize

    221KB

    MD5

    7e1f98bf90bd2548561c34d1be01eef6

    SHA1

    4c326caec57a75a0a51b4fb0f7a0bc38358898cd

    SHA256

    14c7e744bd2c841fe328dd7e001856a4bbb1e38e33d4471eb8ca048cbffd85cd

    SHA512

    82fda03eab188b0c4c15f0838dc3bafa9c48f5ef81179670921e6bf9e328185f24328a2cad3fbc974cdbc5d51ed1b649e82df2ba170cd1fe352782e2661f9f7a

    Download Submit
  • memory/64-10-0x0000000073E8E000-0x0000000073E8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/64-11-0x0000000000FB0000-0x0000000000FEE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/64-12-0x0000000008300000-0x00000000088A4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/64-13-0x0000000007DF0000-0x0000000007E82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/64-14-0x0000000073E80000-0x0000000074630000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/64-15-0x00000000031D0000-0x00000000031DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/64-16-0x0000000008ED0000-0x00000000094E8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/64-17-0x0000000008150000-0x000000000825A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/64-18-0x0000000007DD0000-0x0000000007DE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/64-19-0x0000000007FC0000-0x0000000007FFC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/64-20-0x0000000008040000-0x000000000808C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/64-21-0x0000000073E8E000-0x0000000073E8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/64-22-0x0000000073E80000-0x0000000074630000-memory.dmp
    Filesize

    7.7MB

    Download