Overview

overview

10

Static

static

3

0e266a7216...9f.exe

windows10-2004-x64

10

0fed7be9f1...18.exe

windows10-2004-x64

10

16ac715816...ea.exe

windows10-2004-x64

10

26c470a8b0...9a.exe

windows10-2004-x64

10

2d47818e79...79.exe

windows10-2004-x64

10

2e6c446801...a5.exe

windows7-x64

10

2e6c446801...a5.exe

windows10-2004-x64

10

2f02d9074f...e7.exe

windows10-2004-x64

10

4d1fc94da1...dc.exe

windows10-2004-x64

10

521f6870a3...07.exe

windows10-2004-x64

10

5e01d698ad...d1.exe

windows10-2004-x64

10

7dc4ebbe25...36.exe

windows10-2004-x64

10

862a8f43d1...32.exe

windows10-2004-x64

10

ba494624ee...0c.exe

windows10-2004-x64

10

ba4c5213c0...28.exe

windows10-2004-x64

10

bbfb7f577d...dc.exe

windows10-2004-x64

10

be3d316058...ca.exe

windows10-2004-x64

10

e1d166047d...d0.exe

windows10-2004-x64

10

e56b24cbcd...10.exe

windows10-2004-x64

10

ef4487829b...03.exe

windows10-2004-x64

10

fdbb9a49cd...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307.exe

  • Size

    1.1MB

  • MD5

    5ecf660444c5950f928f231c59e01ccf

  • SHA1

    e92ba6431c28dd0280de17dce1c27baa987cf6b4

  • SHA256

    521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307

  • SHA512

    0d08a5e0668491ff40ea5d88664d1b7c8dd2d38e458c9650da98187c404d11743ddbe984cb43f417fa940ccf1574ee4d3ffc2c3ac3ab6fe045dbb51a722a9aca

  • SSDEEP

    24576:UysGSudEAJQDdDAltf4x0WBCeDsRJh5bnzE6kwA24HgoHAYOKj:j9ldbJQBDAltf4xweWhZzbAd5N

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307.exe
    "C:\Users\Admin\AppData\Local\Temp\521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PY7xi2EX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PY7xi2EX.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gq5LF2NL.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gq5LF2NL.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GL2UB3gT.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GL2UB3gT.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4220
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:628
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ09tq5.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ09tq5.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:5564
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:1116
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 220
                  7⤵
                  • Program crash
                  PID:5100
              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA840Qk.exe
                C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA840Qk.exe
                6⤵
                • Executes dropped EXE
                PID:3164
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5564 -ip 5564
      1⤵
        PID:5680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PY7xi2EX.exe
        Filesize

        1000KB

        MD5

        fa74448a1606535fa9a3b88bdb8da11a

        SHA1

        69d7a5deb58d80fb10385db3ca067e671827b0a8

        SHA256

        64fe6ea989722a37b55c0911bca6d3ad5b5ffa04a643223c82bf7a247e85fb33

        SHA512

        c8a0ff76876e30a6570138bb1c2867f5cd67c7a1614babbfff6e4f7e67c417197c7ddfe6833daa723b4898605ed9527d57db8fd93eddf048629e4ee7ee1637fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gq5LF2NL.exe
        Filesize

        811KB

        MD5

        26cc005cb9fd1a174a6918f0ae152e9d

        SHA1

        9f24dcb866b25e8352955fa8ee824d1eaeade486

        SHA256

        040350051a8ebe1bc763d8eb4d493bee7ade9499bcbdc6abd0b299cc02a01995

        SHA512

        fa1fd14dd50223c2b7c9d1e48968f0991fc25035ced629287e35ce9123d45285b0154c11bb17e079f74b92756d64467a2fb5002550294dc39ce65877d8dd63cd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GL2UB3gT.exe
        Filesize

        577KB

        MD5

        6f7a74a4a37fdd1828703d70ff2ee808

        SHA1

        de13b8d649635b04e15520a935207b69a7f8f652

        SHA256

        aa54e32bda477030edb9ff09131668c2be8b610f845720d75b3278feb0cf2ac3

        SHA512

        01937e248ba445f8447730c7057b83cace767a5dd4f1e91be8adfef735b2630f67191092f5d6e6959700f1eb52bfd92abe225c2ce09dfa9323d87c7a796ef79c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe
        Filesize

        382KB

        MD5

        049066f06e5f41ceeea64cd948f95bc4

        SHA1

        4d2d2d8bfa6134992c1f7217435445bc5af3f526

        SHA256

        5e4beedbcaec2307b46433b6f29be36c650f4214b7078b3f0b55c1fa4a81635c

        SHA512

        35dc2047d269b1eb7d91e1fdd39f11c8c520e88eadc24e2c0096effdb0b54ee66d89a626ac5f8c9da4bebab13be318bdca1883d01eaf4bd24a9c2d0a51d3be3b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ09tq5.exe
        Filesize

        295KB

        MD5

        e1fb9c32ee188e153ec4219285a696c2

        SHA1

        0f160b5ac9ffc7cd9079080f54601f70d05570de

        SHA256

        32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5

        SHA512

        4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA840Qk.exe
        Filesize

        222KB

        MD5

        c7747b2f03c656c810bb2860db64bc9b

        SHA1

        7ac109f6b54a916cc50b13f21dd25afdf96b4c6f

        SHA256

        9d64dd96fec38e41895e114650bcb3eabc27b6e4298798139bb718e5f579675a

        SHA512

        259805152ec02c071aa2da2cf3d512a19d3b58be221579dcac47dda7986e8b1ec7dbff704907309a99549e48466a6547af64ab9dfab771aa22a254621bbe1ab1

        Download Submit

      • memory/1116-36-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1116-38-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1116-35-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3164-42-0x0000000000A60000-0x0000000000A9E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3164-43-0x0000000007E40000-0x00000000083E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3164-44-0x0000000007970000-0x0000000007A02000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3164-45-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3164-46-0x0000000008A10000-0x0000000009028000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3164-47-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3164-48-0x0000000007B50000-0x0000000007B62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3164-49-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3164-50-0x0000000007BF0000-0x0000000007C3C000-memory.dmp

        Filesize

        304KB

        Download