Overview

overview

10

Static

static

3

0e266a7216...9f.exe

windows10-2004-x64

10

0fed7be9f1...18.exe

windows10-2004-x64

10

16ac715816...ea.exe

windows10-2004-x64

10

26c470a8b0...9a.exe

windows10-2004-x64

10

2d47818e79...79.exe

windows10-2004-x64

10

2e6c446801...a5.exe

windows7-x64

10

2e6c446801...a5.exe

windows10-2004-x64

10

2f02d9074f...e7.exe

windows10-2004-x64

10

4d1fc94da1...dc.exe

windows10-2004-x64

10

521f6870a3...07.exe

windows10-2004-x64

10

5e01d698ad...d1.exe

windows10-2004-x64

10

7dc4ebbe25...36.exe

windows10-2004-x64

10

862a8f43d1...32.exe

windows10-2004-x64

10

ba494624ee...0c.exe

windows10-2004-x64

10

ba4c5213c0...28.exe

windows10-2004-x64

10

bbfb7f577d...dc.exe

windows10-2004-x64

10

be3d316058...ca.exe

windows10-2004-x64

10

e1d166047d...d0.exe

windows10-2004-x64

10

e56b24cbcd...10.exe

windows10-2004-x64

10

ef4487829b...03.exe

windows10-2004-x64

10

fdbb9a49cd...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e01d698adb505dae22bf133909e0103e980c2f29ad0c1eecdf47f2487dafed1.exe

  • Size

    776KB

  • MD5

    3fb39c64bc51453caaed2cb2b02eef35

  • SHA1

    ffbabae9885bb091d068e7115fba1260c9bfc27f

  • SHA256

    5e01d698adb505dae22bf133909e0103e980c2f29ad0c1eecdf47f2487dafed1

  • SHA512

    592a798cf40420c14ed38a8bd0f9266c8296379dff6b27fbbefacfe3eb96f43327b6911d5eb4324da322f49273242cb69404336183f127a858e27b223a8a4dfa

  • SSDEEP

    12288:EMr7y900pZAtSSkb8EEcRM1It/VlAdIsINxipMkaZH/GZdC7P4KdnSd:ny/akbQ1ItTAkbl/udC7P4h

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e01d698adb505dae22bf133909e0103e980c2f29ad0c1eecdf47f2487dafed1.exe
    "C:\Users\Admin\AppData\Local\Temp\5e01d698adb505dae22bf133909e0103e980c2f29ad0c1eecdf47f2487dafed1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv3wt7CP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv3wt7CP.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1NS88EM3.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1NS88EM3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4144
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 540
              5⤵
              • Program crash
              PID:3928
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL422JP.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL422JP.exe
          3⤵
          • Executes dropped EXE
          PID:3140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4144 -ip 4144
      1⤵
        PID:2528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv3wt7CP.exe
        Filesize

        580KB

        MD5

        77f18e7e1c32817b0e7d99e21d1dcdee

        SHA1

        87d03c0e975bbff5ef333d5febd0118009dba20a

        SHA256

        148702f4c26dab77fa8f8ca3a54cfcbc3ff4074618b0b4d2bcfa5923407d87f8

        SHA512

        9084438a62a999b71b37548ba9b455c569c3af5120e735df2fa80262acf38fbf3d5ff9166ad1da0c829b4252fcb69f32bfdd0c663a31abc8eed1465ab3e50179

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1NS88EM3.exe
        Filesize

        1.1MB

        MD5

        a1c1c44e837edbc2d55d33ba9620a109

        SHA1

        0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

        SHA256

        4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

        SHA512

        75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL422JP.exe
        Filesize

        222KB

        MD5

        13a1af83d438242e89a26d8fb3213856

        SHA1

        b20ac55c9801bb0f3f8237b849855ee50c3af880

        SHA256

        97525f89e9c9549b0bd51b4cce20dd38f691ff0681b49f2c4fb761c687448f68

        SHA512

        3fbab50b5e0308fc2b6a0e87efc4a5000ee86d5efe8e86a49fed02e6f4ab2e647ffcc1042150219d03eda3da6bcac692875a45a8d8173404ff5690fede4b2fc0

        Download Submit

      • memory/3140-28-0x0000000006ED0000-0x0000000006EE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3140-22-0x0000000000010000-0x000000000004E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3140-23-0x0000000007250000-0x00000000077F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3140-24-0x0000000006D90000-0x0000000006E22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3140-25-0x0000000002350000-0x000000000235A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3140-26-0x0000000007E20000-0x0000000008438000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3140-27-0x0000000007110000-0x000000000721A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3140-29-0x0000000007040000-0x000000000707C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3140-30-0x0000000007080000-0x00000000070CC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4144-15-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4144-18-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4144-14-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4144-16-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download