Overview

overview

10

Static

static

3

3f631a363d...63.exe

windows10-2004-x64

10

498a26c182...6f.exe

windows10-2004-x64

10

4b34c552db...dd.exe

windows10-2004-x64

10

532834d8ce...8e.exe

windows10-2004-x64

10

5896992807...ed.exe

windows10-2004-x64

10

59c0083cd8...df.exe

windows10-2004-x64

10

6fc46cbdbb...5c.exe

windows7-x64

10

6fc46cbdbb...5c.exe

windows10-2004-x64

10

8433f5b093...73.exe

windows7-x64

10

8433f5b093...73.exe

windows10-2004-x64

10

86d4877bad...f4.exe

windows10-2004-x64

10

9b49de72ab...8f.exe

windows10-2004-x64

10

b05d662dcb...df.exe

windows10-2004-x64

10

b84e93b222...f7.exe

windows10-2004-x64

10

bee0ec9430...1b.exe

windows10-2004-x64

10

c95a5553b1...1a.exe

windows10-2004-x64

10

ca54f6dfd1...d5.exe

windows10-2004-x64

10

cca7f7e048...56.exe

windows10-2004-x64

10

cf9a62d5a1...b4.exe

windows10-2004-x64

10

d211b73bae...c6.exe

windows10-2004-x64

10

eb23946a76...29.exe

windows10-2004-x64

7

f2301f9ee1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe

  • Size

    819KB

  • MD5

    616b55a6e65ff99109b6d5a590cd3f9c

  • SHA1

    037a52fb3c6563eaca5280e5adf4eecaf2e0373c

  • SHA256

    f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018

  • SHA512

    fc8a0a7aeac420d373523345c83be3567cb7a3e70d288501a831163eaf2dd00891be5eab8233ce51aafbd1af4d257c7f5e6d8400df7effec339afcc9d59025c9

  • SSDEEP

    24576:6yFZERTjpzjmGYPTNZ0Pd88HIEWaFJ4zd6:BFZExjp1YPTNZs8udhf4

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe
    "C:\Users\Admin\AppData\Local\Temp\f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WB6lr8iJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WB6lr8iJ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJ9EK6sz.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJ9EK6sz.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1WJ58se0.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1WJ58se0.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:3676
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 580
              5⤵
              • Program crash
              PID:2280
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wJ503qG.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wJ503qG.exe
            4⤵
            • Executes dropped EXE
            PID:4304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1652 -ip 1652
      1⤵
        PID:1148

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WB6lr8iJ.exe
        Filesize

        584KB

        MD5

        2392fa05271d89a1c78da39a4179478b

        SHA1

        3689eed03f25cb158c0e607161408eb97e8ba6d0

        SHA256

        5325fbad341b42fb02a3ed43d1b46d701b311fa73f4d3f2ae406cc5720dd1af4

        SHA512

        ce09a247fd33715c46f04214ca378bcab567869521a6a13f00fff4c38e5c944a7d620c1a003948eaea726b6bd0fa349366dddf8e5ac62007f3dd09116f668b30

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJ9EK6sz.exe
        Filesize

        383KB

        MD5

        cd83dda3db03a0e3fbb28c0999ad05de

        SHA1

        c7b08cc0e0e9d15b28a5b4c7a261d2633ef4bfbd

        SHA256

        1e49f87dd9f0469399f29ebfbccf0e98cba576199d033b3c84a34f22621f2503

        SHA512

        e3baf5879fdcfaeaa492cb01663ccffe6130f7891c9dd9c8f9d30a04cea2d9f8396fbeaa4a4eba03c690f44c857390353eccc851e8a08ee81b56f0af9850dc64

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1WJ58se0.exe
        Filesize

        298KB

        MD5

        0a738cb7129fa4b5e83610318b5d1116

        SHA1

        3ec2d4b39dedfd02968d305b353baf64c84c7544

        SHA256

        8a6fa87a65cbfa07fd620a07c2ccdbe6ba38528119629175be953784fa3b9458

        SHA512

        913078da128ce674c74dad95b1780a89d9c8744e86d2a2b36681a6b91c6d6ec3747de9a131b0cdd87f5c0459c0546abb54d06b49765a2bdb2e610bc389d797e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wJ503qG.exe
        Filesize

        222KB

        MD5

        45d65fdcffe6192eb66a82e96dd40261

        SHA1

        78c54e48b44b5c8f58e4041d63bf031fcaeaf4e6

        SHA256

        7a5300ec1f733f7d1cef277bb6be66c07e05d36e06eb84680ceb8854ab17ae35

        SHA512

        4088d600458cca93c72ce9bec14183445f1d833b52959f311bc6acf5b2f2ab6afbfd693df5fa2a09aba83735556ca54cb4d866d3870fac306772fda0bef5e2ea

        Download Submit

      • memory/3676-21-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3676-23-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3676-25-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3676-22-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4304-29-0x0000000000C30000-0x0000000000C6E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4304-30-0x0000000007F60000-0x0000000008504000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4304-31-0x0000000007A50000-0x0000000007AE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4304-32-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4304-33-0x0000000008B30000-0x0000000009148000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4304-34-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4304-35-0x0000000007AF0000-0x0000000007B02000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4304-36-0x0000000007B50000-0x0000000007B8C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4304-37-0x0000000007CB0000-0x0000000007CFC000-memory.dmp

        Filesize

        304KB

        Download