Overview

overview

10

Static

static

3

3f631a363d...63.exe

windows10-2004-x64

10

498a26c182...6f.exe

windows10-2004-x64

10

4b34c552db...dd.exe

windows10-2004-x64

10

532834d8ce...8e.exe

windows10-2004-x64

10

5896992807...ed.exe

windows10-2004-x64

10

59c0083cd8...df.exe

windows10-2004-x64

10

6fc46cbdbb...5c.exe

windows7-x64

10

6fc46cbdbb...5c.exe

windows10-2004-x64

10

8433f5b093...73.exe

windows7-x64

10

8433f5b093...73.exe

windows10-2004-x64

10

86d4877bad...f4.exe

windows10-2004-x64

10

9b49de72ab...8f.exe

windows10-2004-x64

10

b05d662dcb...df.exe

windows10-2004-x64

10

b84e93b222...f7.exe

windows10-2004-x64

10

bee0ec9430...1b.exe

windows10-2004-x64

10

c95a5553b1...1a.exe

windows10-2004-x64

10

ca54f6dfd1...d5.exe

windows10-2004-x64

10

cca7f7e048...56.exe

windows10-2004-x64

10

cf9a62d5a1...b4.exe

windows10-2004-x64

10

d211b73bae...c6.exe

windows10-2004-x64

10

eb23946a76...29.exe

windows10-2004-x64

7

f2301f9ee1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe

  • Size

    826KB

  • MD5

    30b6a63464e5c3c721abfd7eb4412bb8

  • SHA1

    45a11c3a7f3aa12282027ed8a147e0f96735c480

  • SHA256

    86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4

  • SHA512

    2dafd947ceb398df19d7149cbc86688d72156693a3a02355b7aa34617de335a2dc2dd1f11b41bad5f66b0bbc99ac64503b3a250e494aa28f61fa4343d5c7dcdc

  • SSDEEP

    12288:FMrny90tZN3wv3qLsF3RUBaR4Ocar3t9wZO6L3VGhr8dbVpR/G478h+mtfrAj/w/:+ysZN3w/TFBmOfku8dZG44dtcws5i

Score
10/10
mysticredlinetuxiuinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

tuxiu

C2

77.91.124.82:19071

Attributes
  • auth_value

    29610cdad07e7187eec70685a04b89fe

Signatures

  • Detect Mystic stealer payload 5 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe
    "C:\Users\Admin\AppData\Local\Temp\86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1871808.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1871808.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4825320.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4825320.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4568712.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4568712.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:1752
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:2160
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 588
                5⤵
                • Program crash
                PID:4900
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7368957.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7368957.exe
              4⤵
              • Executes dropped EXE
              PID:872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2604 -ip 2604
        1⤵
          PID:2152
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:2376

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1871808.exe
            Filesize

            566KB

            MD5

            2655eb8bb6336e1a109d925bf49f99bf

            SHA1

            e351f899a979849170a346ebf2245a5f1ad1f817

            SHA256

            17117bb6a2c105d513d666994b3e4d6bccf7f5ba7f29d1f5cfb92040990e3030

            SHA512

            2a054cd42b8859f074938db99c317e5e0529aafb0530eed0862426fc42936c85117e4dfbfc2d494e68442be954654cd2b763348ea67c7d21f4bc577e4f853c11

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4825320.exe
            Filesize

            390KB

            MD5

            1b8927b5bcb9ece169dfff99e02ca11e

            SHA1

            2eaa33329ab949ac94b4689ef99b07b270d673bd

            SHA256

            aa3f1499f10ea19b3a98ee86e30d5928c3503f1a545f69d5d7009e57cd58ae96

            SHA512

            20606206beaf9b345aefebc7b72d5a6725e1b112ac753a478f1a53cdfb9628d4ce3c8ae2e6122a98dfc1466d2956d09dadd6a4f055b92482a1aa180b7ff82988

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4568712.exe
            Filesize

            364KB

            MD5

            3fa43f5059ef361430a721571a192cc2

            SHA1

            c7b9e7abec5dea32cbfc650def0a8c2dd2b7ad1c

            SHA256

            de9b8fd598e75ec8a5a65c0af51bfcb15b36932e96fec11f13f72543e9f10b42

            SHA512

            e1ae0cb13d0bdb9132ef046d036d1870251cefdd3943b80d596fa855048bd16c6e99e84a3dca81ddf9d0ebc0ebfd95122d13e482ad631824f9d4027bcc317abb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7368957.exe
            Filesize

            174KB

            MD5

            e336ad30f188105141cf43ed19e4259a

            SHA1

            5909d35d36dc24f9034e81e9558ae6a9a5fd18f8

            SHA256

            6664ef957e18438dbe7b1c23c4c4bbb921181590ea5c729e8d1a2a59325095f0

            SHA512

            e2c8320145735f36c3c723fb2e22f69d5f4ddd5b2ce336a6eac8dc872fb4cfd8a6daf1d3a673e1bbf43813508a45adaf4b01658b7dca4171ecf723299e8269d9

            Download Submit

          • memory/872-33-0x000000000A760000-0x000000000A86A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/872-30-0x00000000007B0000-0x00000000007E0000-memory.dmp

            Filesize

            192KB

            Download

          • memory/872-31-0x00000000050D0000-0x00000000050D6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/872-32-0x000000000AC30000-0x000000000B248000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/872-34-0x000000000A6A0000-0x000000000A6B2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/872-35-0x000000000A700000-0x000000000A73C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/872-36-0x000000000A870000-0x000000000A8BC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2160-23-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2160-25-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2160-26-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2160-22-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2160-21-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download