Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 17:46

General

  • Target

    e2d91002642b377c066dc30f757a804dc6d7ed695d4abae87af60cda84c0098e.exe

  • Size

    1.0MB

  • MD5

    8ad707306b83faab38fb449d43c45a31

  • SHA1

    725d4a61f55a820cf9349d7933ce8ecc6c24a0f0

  • SHA256

    e2d91002642b377c066dc30f757a804dc6d7ed695d4abae87af60cda84c0098e

  • SHA512

    5b6234453c239da3236cbe9fad5b2be1d56bbbed23bcb3b28c295c173dbea5af3bb7e5f7954baa7eade7ff9c7f32669c67c81ab421102cb7ce3db4c08fd2ab79

  • SSDEEP

    24576:myOPsoeMABVFFHw3Yx+1EfLLs2TqoNNIXf:1OP+MuVFFQxAAw/NNI

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2d91002642b377c066dc30f757a804dc6d7ed695d4abae87af60cda84c0098e.exe
    "C:\Users\Admin\AppData\Local\Temp\e2d91002642b377c066dc30f757a804dc6d7ed695d4abae87af60cda84c0098e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ui4PD2Jb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ui4PD2Jb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kv6hK6fu.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kv6hK6fu.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hu34BK7.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hu34BK7.exe
          4⤵
          • Executes dropped EXE
          PID:2984
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ro269ha.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ro269ha.exe
          4⤵
          • Executes dropped EXE
          PID:876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ui4PD2Jb.exe

    Filesize

    522KB

    MD5

    5e3c718f75ba98436e4b34ed19876ad3

    SHA1

    3b60a0490dbedaaaa84d567da2880240c00be81b

    SHA256

    439ab3b2d23ed021199643053a45b4a9d17e2bacd33e52275d4e22051f1164cf

    SHA512

    8e4d8969ce1acf1866df630e10a445b14d7b77dd3ba3cfc86c04b92ff7093a0175ba361f0f173985bbeac379bd9ea1755dfb04d99703a85342759251c4896cfa

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kv6hK6fu.exe

    Filesize

    326KB

    MD5

    8235284400fce37c07b00df9b786cc41

    SHA1

    9110612637a9a7b32e7db5140526b501ead40a33

    SHA256

    3efdbb0c36bf76a574b523daba5b916acf1427e2a4066efd7ee29e648de8479c

    SHA512

    6931fd0e0c269914b789c3157533a6c9e083c823596bd2a0d7b33374546aefc7f61eff89407569edfb6bde0b7e2532184674af8e1c94b8468d55a36d597aeba1

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hu34BK7.exe

    Filesize

    190KB

    MD5

    a6656e3d6d06c8ce9cbb4b6952553c20

    SHA1

    af45103616dc896da5ee4268fd5f9483b5b97c1c

    SHA256

    fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

    SHA512

    f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ro269ha.exe

    Filesize

    221KB

    MD5

    dc4b25b7e0afb2399f935b0df995ea5b

    SHA1

    5ace7fba55806d1d8912ac0eb647fb1eed78a758

    SHA256

    65d3e5031ae5372ee1c2dc20e265a7a5590bc970b45b53249bbd2fcf4996974c

    SHA512

    2fe24924313b4d6b23c394e59be528e0f0fbef75707008ac99c17acd5f6d2a6938e72561c6e36720dbfc184a0c1173d1080bc4ab1b5aea8e74dfc9ab03844ced

  • memory/876-24-0x0000000000700000-0x000000000073E000-memory.dmp

    Filesize

    248KB

  • memory/876-25-0x0000000007BD0000-0x0000000008174000-memory.dmp

    Filesize

    5.6MB

  • memory/876-26-0x0000000007620000-0x00000000076B2000-memory.dmp

    Filesize

    584KB

  • memory/876-27-0x0000000004BF0000-0x0000000004BFA000-memory.dmp

    Filesize

    40KB

  • memory/876-28-0x00000000087A0000-0x0000000008DB8000-memory.dmp

    Filesize

    6.1MB

  • memory/876-29-0x0000000007960000-0x0000000007A6A000-memory.dmp

    Filesize

    1.0MB

  • memory/876-30-0x00000000077E0000-0x00000000077F2000-memory.dmp

    Filesize

    72KB

  • memory/876-31-0x0000000007890000-0x00000000078CC000-memory.dmp

    Filesize

    240KB

  • memory/876-32-0x00000000078D0000-0x000000000791C000-memory.dmp

    Filesize

    304KB