Overview
overview
10Static
static
33f631a363d...63.exe
windows10-2004-x64
10498a26c182...6f.exe
windows10-2004-x64
104b34c552db...dd.exe
windows10-2004-x64
10532834d8ce...8e.exe
windows10-2004-x64
105896992807...ed.exe
windows10-2004-x64
1059c0083cd8...df.exe
windows10-2004-x64
106fc46cbdbb...5c.exe
windows7-x64
106fc46cbdbb...5c.exe
windows10-2004-x64
108433f5b093...73.exe
windows7-x64
108433f5b093...73.exe
windows10-2004-x64
1086d4877bad...f4.exe
windows10-2004-x64
109b49de72ab...8f.exe
windows10-2004-x64
10b05d662dcb...df.exe
windows10-2004-x64
10b84e93b222...f7.exe
windows10-2004-x64
10bee0ec9430...1b.exe
windows10-2004-x64
10c95a5553b1...1a.exe
windows10-2004-x64
10ca54f6dfd1...d5.exe
windows10-2004-x64
10cca7f7e048...56.exe
windows10-2004-x64
10cf9a62d5a1...b4.exe
windows10-2004-x64
10d211b73bae...c6.exe
windows10-2004-x64
10eb23946a76...29.exe
windows10-2004-x64
7f2301f9ee1...18.exe
windows10-2004-x64
10Analysis
-
max time kernel
140s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 08:22
Static task
static1
Behavioral task
behavioral1
Sample
3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b84e93b22256809e5241bcee59acc31b9865bdae579891d641826e1e159b15f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c95a5553b1a709f22bba8f3f68e6c4c0eef94f99fcf143faebfb68ead35a0f1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
d211b73bae9760b12d1e027c009a4d8f4dbdb34ba630703d65ca56fc612e45c6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe
Resource
win10v2004-20240426-en
General
-
Target
86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe
-
Size
826KB
-
MD5
30b6a63464e5c3c721abfd7eb4412bb8
-
SHA1
45a11c3a7f3aa12282027ed8a147e0f96735c480
-
SHA256
86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4
-
SHA512
2dafd947ceb398df19d7149cbc86688d72156693a3a02355b7aa34617de335a2dc2dd1f11b41bad5f66b0bbc99ac64503b3a250e494aa28f61fa4343d5c7dcdc
-
SSDEEP
12288:FMrny90tZN3wv3qLsF3RUBaR4Ocar3t9wZO6L3VGhr8dbVpR/G478h+mtfrAj/w/:+ysZN3w/TFBmOfku8dZG44dtcws5i
Malware Config
Extracted
redline
tuxiu
77.91.124.82:19071
-
auth_value
29610cdad07e7187eec70685a04b89fe
Signatures
-
Detect Mystic stealer payload 5 IoCs
resource yara_rule behavioral11/memory/2160-21-0x0000000000400000-0x000000000042C000-memory.dmp mystic_family behavioral11/memory/2160-22-0x0000000000400000-0x000000000042C000-memory.dmp mystic_family behavioral11/memory/2160-23-0x0000000000400000-0x000000000042C000-memory.dmp mystic_family behavioral11/memory/2160-25-0x0000000000400000-0x000000000042C000-memory.dmp mystic_family behavioral11/memory/2160-26-0x0000000000400000-0x000000000042C000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral11/files/0x0007000000023281-28.dat family_redline behavioral11/memory/872-30-0x00000000007B0000-0x00000000007E0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 5004 x1871808.exe 536 x4825320.exe 2604 g4568712.exe 872 h7368957.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x4825320.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1871808.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2604 set thread context of 2160 2604 g4568712.exe 93 -
Program crash 1 IoCs
pid pid_target Process procid_target 4900 2604 WerFault.exe 91 -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4908 wrote to memory of 5004 4908 86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe 89 PID 4908 wrote to memory of 5004 4908 86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe 89 PID 4908 wrote to memory of 5004 4908 86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe 89 PID 5004 wrote to memory of 536 5004 x1871808.exe 90 PID 5004 wrote to memory of 536 5004 x1871808.exe 90 PID 5004 wrote to memory of 536 5004 x1871808.exe 90 PID 536 wrote to memory of 2604 536 x4825320.exe 91 PID 536 wrote to memory of 2604 536 x4825320.exe 91 PID 536 wrote to memory of 2604 536 x4825320.exe 91 PID 2604 wrote to memory of 1752 2604 g4568712.exe 92 PID 2604 wrote to memory of 1752 2604 g4568712.exe 92 PID 2604 wrote to memory of 1752 2604 g4568712.exe 92 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 2604 wrote to memory of 2160 2604 g4568712.exe 93 PID 536 wrote to memory of 872 536 x4825320.exe 97 PID 536 wrote to memory of 872 536 x4825320.exe 97 PID 536 wrote to memory of 872 536 x4825320.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe"C:\Users\Admin\AppData\Local\Temp\86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1871808.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1871808.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4825320.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4825320.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4568712.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4568712.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:1752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:2160
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 5885⤵
- Program crash
PID:4900
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7368957.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7368957.exe4⤵
- Executes dropped EXE
PID:872
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2604 -ip 26041⤵PID:2152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵PID:2376
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
566KB
MD52655eb8bb6336e1a109d925bf49f99bf
SHA1e351f899a979849170a346ebf2245a5f1ad1f817
SHA25617117bb6a2c105d513d666994b3e4d6bccf7f5ba7f29d1f5cfb92040990e3030
SHA5122a054cd42b8859f074938db99c317e5e0529aafb0530eed0862426fc42936c85117e4dfbfc2d494e68442be954654cd2b763348ea67c7d21f4bc577e4f853c11
-
Filesize
390KB
MD51b8927b5bcb9ece169dfff99e02ca11e
SHA12eaa33329ab949ac94b4689ef99b07b270d673bd
SHA256aa3f1499f10ea19b3a98ee86e30d5928c3503f1a545f69d5d7009e57cd58ae96
SHA51220606206beaf9b345aefebc7b72d5a6725e1b112ac753a478f1a53cdfb9628d4ce3c8ae2e6122a98dfc1466d2956d09dadd6a4f055b92482a1aa180b7ff82988
-
Filesize
364KB
MD53fa43f5059ef361430a721571a192cc2
SHA1c7b9e7abec5dea32cbfc650def0a8c2dd2b7ad1c
SHA256de9b8fd598e75ec8a5a65c0af51bfcb15b36932e96fec11f13f72543e9f10b42
SHA512e1ae0cb13d0bdb9132ef046d036d1870251cefdd3943b80d596fa855048bd16c6e99e84a3dca81ddf9d0ebc0ebfd95122d13e482ad631824f9d4027bcc317abb
-
Filesize
174KB
MD5e336ad30f188105141cf43ed19e4259a
SHA15909d35d36dc24f9034e81e9558ae6a9a5fd18f8
SHA2566664ef957e18438dbe7b1c23c4c4bbb921181590ea5c729e8d1a2a59325095f0
SHA512e2c8320145735f36c3c723fb2e22f69d5f4ddd5b2ce336a6eac8dc872fb4cfd8a6daf1d3a673e1bbf43813508a45adaf4b01658b7dca4171ecf723299e8269d9