Overview

overview

10

Static

static

3

16b785fdba...08.exe

windows10-2004-x64

10

17bfe16ecf...a7.exe

windows10-2004-x64

10

30deda44ad...a8.exe

windows10-2004-x64

10

3e348a855b...4e.exe

windows10-2004-x64

10

458df588f5...8e.exe

windows10-2004-x64

10

481a0f4fa4...b6.exe

windows10-2004-x64

10

54ca1e2099...d4.exe

windows10-2004-x64

10

5645ed9dff...fa.exe

windows10-2004-x64

10

5d8e30863d...60.exe

windows10-2004-x64

7

74646b4cce...46.exe

windows10-2004-x64

10

86e6dff72e...d8.exe

windows10-2004-x64

10

8fe46c7fa8...3b.exe

windows10-2004-x64

10

a261c92b0b...5a.exe

windows10-2004-x64

10

a67b0f00c8...14.exe

windows10-2004-x64

10

acb13f0321...3c.exe

windows10-2004-x64

10

b59f946473...f9.exe

windows10-2004-x64

10

c15c0b27fc...af.exe

windows10-2004-x64

10

dbb1ff59d8...b8.exe

windows10-2004-x64

10

e45cad29f3...cf.exe

windows10-2004-x64

10

fd708e30f7...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8.exe

  • Size

    590KB

  • MD5

    e7d79324c286301169d5968e9ef79625

  • SHA1

    84831fde7b54a23b71c60bf6ce158fe1d95e85ec

  • SHA256

    dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8

  • SHA512

    6e2ce2657227127e5476f735de465156c087d087847f4417f3af1aaa14a0b8d7ade1b61f5f8559c42bedc0fdb4beee4a839e712ff86d1726d7b0bd6b3a16cb85

  • SSDEEP

    12288:PMrty90JdraPKejQkiikLIWIDmG2s3TamlIn:iyYraP/YIWuN2Yauq

Score
10/10
mysticredlinegigantinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8.exe
    "C:\Users\Admin\AppData\Local\Temp\dbb1ff59d840e7c26ff269e10bbf5db72a563c700290b01fb63fd7d24ef302b8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TS4XU9KH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TS4XU9KH.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ix03tL5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ix03tL5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3048
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 204
              5⤵
              • Program crash
              PID:4956
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 596
            4⤵
            • Program crash
            PID:4940
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ey145iQ.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ey145iQ.exe
          3⤵
          • Executes dropped EXE
          PID:4044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3048 -ip 3048
      1⤵
        PID:1668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2828 -ip 2828
        1⤵
          PID:1820

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TS4XU9KH.exe
          Filesize

          417KB

          MD5

          4dbefc9cbca45c11fe487bba676c75bc

          SHA1

          9ab79f8914821368626498a6377efeabd6a30974

          SHA256

          a686058fef91331af7be47ca59bb170825b171171d74ecc6c3841364c8ed31e7

          SHA512

          b727ddc72c1215dc23441ed41584d13c83b97c742b59a10be2c4b681ef25b1ceb3ca048f2ff6863e951bcc2ddf2ae15329999cf687e9ca4d9f06423e86cce23b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ix03tL5.exe
          Filesize

          378KB

          MD5

          2ea7a6e0c2bc8807456f5361465aa218

          SHA1

          c55ba35cb779b3de159f1a16a9e65e8cd876bb94

          SHA256

          7a310a010ac8fef0116acf3209f4c52d22f2a6aae994e9cd2e709b42df27e0f5

          SHA512

          bbf62dde0a3f2d135dc40601bbcd6b2d0b51741ae7b9ddeaa665ba74f66250fedb106c3cf56c3920a80d0288c8c3713e5dd684da18d016478586d6caedb166b7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ey145iQ.exe
          Filesize

          231KB

          MD5

          3fcb8402344765c03c2499c3af22f61f

          SHA1

          59109bce61d57d84188be59352bed0d26f76d9e5

          SHA256

          c980d2068f5aa2376b392f0a1ecdf4531f3656946e4eacaf8a13e5ee98dfdeff

          SHA512

          154240187aa0f2edd256ba9a8e30830a7b80c89ccd6e76231e93510c106c35921f2b69511647f10f3a079cd9e717faee3e9ae6972c99f83f6e9e516d790e9c73

          Download Submit

        • memory/3048-14-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3048-16-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3048-18-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3048-15-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4044-23-0x0000000008320000-0x00000000088C4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4044-22-0x0000000000EC0000-0x0000000000EFE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4044-24-0x0000000007E10000-0x0000000007EA2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4044-25-0x00000000031F0000-0x00000000031FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4044-27-0x0000000008140000-0x000000000824A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4044-26-0x0000000008EF0000-0x0000000009508000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4044-28-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4044-29-0x0000000008010000-0x000000000804C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4044-30-0x0000000008050000-0x000000000809C000-memory.dmp

          Filesize

          304KB

          Download