Overview

overview

10

Static

static

3

0e266a7216...9f.exe

windows10-2004-x64

10

0fed7be9f1...18.exe

windows10-2004-x64

10

16ac715816...ea.exe

windows10-2004-x64

10

26c470a8b0...9a.exe

windows10-2004-x64

10

2d47818e79...79.exe

windows10-2004-x64

10

2e6c446801...a5.exe

windows7-x64

10

2e6c446801...a5.exe

windows10-2004-x64

10

2f02d9074f...e7.exe

windows10-2004-x64

10

4d1fc94da1...dc.exe

windows10-2004-x64

10

521f6870a3...07.exe

windows10-2004-x64

10

5e01d698ad...d1.exe

windows10-2004-x64

10

7dc4ebbe25...36.exe

windows10-2004-x64

10

862a8f43d1...32.exe

windows10-2004-x64

10

ba494624ee...0c.exe

windows10-2004-x64

10

ba4c5213c0...28.exe

windows10-2004-x64

10

bbfb7f577d...dc.exe

windows10-2004-x64

10

be3d316058...ca.exe

windows10-2004-x64

10

e1d166047d...d0.exe

windows10-2004-x64

10

e56b24cbcd...10.exe

windows10-2004-x64

10

ef4487829b...03.exe

windows10-2004-x64

10

fdbb9a49cd...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26c470a8b0d923529cb630dee55e87b901f38e0ee675c3213b68e8b1db239e9a.exe

  • Size

    383KB

  • MD5

    93833fe8aab95b2c03057b727f4cf1e4

  • SHA1

    035778f8574072c91b0f24e884b81fb04307d267

  • SHA256

    26c470a8b0d923529cb630dee55e87b901f38e0ee675c3213b68e8b1db239e9a

  • SHA512

    df64baedc559146652d0463b8164f0c546c8c6ada13b66b1e5adc47a5391d6b1894d46ad3563e839072144296786c90b1658686058207646f779a563afddfb52

  • SSDEEP

    6144:Kuy+bnr+Tp0yN90QEkRT1NJ2MDrinQh/Jm4w6eN9jf1MjqFrDuAmjH3UK+c7:yMr/y90cTTJDriuk449jSjqlaLUKD

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26c470a8b0d923529cb630dee55e87b901f38e0ee675c3213b68e8b1db239e9a.exe
    "C:\Users\Admin\AppData\Local\Temp\26c470a8b0d923529cb630dee55e87b901f38e0ee675c3213b68e8b1db239e9a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1UZ83nq3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1UZ83nq3.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 564
            4⤵
            • Program crash
            PID:4472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 148
          3⤵
          • Program crash
          PID:4160
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2SI637GC.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2SI637GC.exe
        2⤵
        • Executes dropped EXE
        PID:3692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1520 -ip 1520
      1⤵
        PID:1540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 856 -ip 856
        1⤵
          PID:1784

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1UZ83nq3.exe
          Filesize

          298KB

          MD5

          4537b33120339c8cd45fdfaca6e2ba28

          SHA1

          d8e3aa200f29478769eb9ba985e62755c2c2ddf2

          SHA256

          f204bf582b6fcf0e28397ba3e40ba16eb2af1756d20ae2caf1e64b3c1870ece8

          SHA512

          337dd140c442ca3bf34d071a7ff454cee5340ad5ea85cdff1e27678a89b98c0a0ff4a4bfe7296a2766decf4de0bb4ca1cce76503c05a1b0e1a31d7a8b8f2eb1c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2SI637GC.exe
          Filesize

          222KB

          MD5

          6fa7339f30118f8861b9c0e60bc7680e

          SHA1

          379f2426b2f25c401783a13fcf245cefdd8f7b6d

          SHA256

          dd4dd74c6f607744352dbafccf31ee23126ad9dbf8eebbc91c7847cb5368910b

          SHA512

          a907dd11a640e9a8a1c671b7c963c09f138b14c8c0d13374ca3a09a3a9960356a4183a33ae5f18cc56037556637873bfdf8c2e5080adfe0edc126e40c86c192a

          Download Submit

        • memory/856-7-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/856-11-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/856-8-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/856-9-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3692-17-0x0000000007740000-0x0000000007CE4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3692-16-0x00000000004F0000-0x000000000052E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3692-15-0x0000000073C9E000-0x0000000073C9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3692-18-0x0000000007270000-0x0000000007302000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3692-19-0x0000000002700000-0x000000000270A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3692-20-0x0000000073C90000-0x0000000074440000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3692-21-0x0000000008310000-0x0000000008928000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3692-22-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3692-23-0x00000000074E0000-0x00000000074F2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3692-24-0x0000000007650000-0x000000000768C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3692-25-0x0000000007690000-0x00000000076DC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3692-26-0x0000000073C9E000-0x0000000073C9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3692-27-0x0000000073C90000-0x0000000074440000-memory.dmp

          Filesize

          7.7MB

          Download