Overview

overview

10

Static

static

3

131b47af99...32.exe

windows10-2004-x64

10

227ab56ef5...eb.exe

windows10-2004-x64

10

4537f51b0d...4c.exe

windows10-2004-x64

10

4852dcede8...5b.exe

windows7-x64

10

4852dcede8...5b.exe

windows10-2004-x64

10

4d68d381e4...34.exe

windows10-2004-x64

10

62d27d23e1...d0.exe

windows10-2004-x64

10

6f4e5c3b3a...2b.exe

windows10-2004-x64

10

775b7a0479...3d.exe

windows10-2004-x64

10

80a8dab579...f7.exe

windows10-2004-x64

10

a28852a355...af.exe

windows10-2004-x64

7

d02a87f385...3a.exe

windows10-2004-x64

10

d0c1074be1...1f.exe

windows10-2004-x64

10

d427832084...e1.exe

windows10-2004-x64

10

d53f5a64de...d1.exe

windows10-2004-x64

10

d62198c81d...0d.exe

windows10-2004-x64

10

dd0f820c33...a3.exe

windows10-2004-x64

10

e3c377dc6b...f7.exe

windows10-2004-x64

10

e9172c1691...86.exe

windows10-2004-x64

10

f6c86e8cbc...da.exe

windows10-2004-x64

10

fbd8d72f7e...0c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d53f5a64de740270c801f8951781be9743b4ec40b8b353271cb0cbf0a4c8b8d1.exe

  • Size

    383KB

  • MD5

    1b5eb87432b4697dac2f152e9d5be6b4

  • SHA1

    f0750a31de57e8343d78a74db781a6c68cb9af96

  • SHA256

    d53f5a64de740270c801f8951781be9743b4ec40b8b353271cb0cbf0a4c8b8d1

  • SHA512

    3a1d09762eb036305cf7ba74062c4071f7c055980443ea240ddd8fefe84a1d5f6d9c7808dc1b36f698a792ced50e5f27c133e0c5ef0aae85283b91f65b0129ef

  • SSDEEP

    6144:Kgy+bnr+Dp0yN90QE/j6LJ7Yxxs4CiSlttmxxk70t7iFuK5V67ufgSx:8Mrry90t69CTx8i7iNU7xy

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d53f5a64de740270c801f8951781be9743b4ec40b8b353271cb0cbf0a4c8b8d1.exe
    "C:\Users\Admin\AppData\Local\Temp\d53f5a64de740270c801f8951781be9743b4ec40b8b353271cb0cbf0a4c8b8d1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CU10lV4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CU10lV4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2928
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 540
            4⤵
            • Program crash
            PID:4968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 580
          3⤵
          • Program crash
          PID:3220
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qn084TN.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qn084TN.exe
        2⤵
        • Executes dropped EXE
        PID:3144
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2928 -ip 2928
      1⤵
        PID:2592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5012 -ip 5012
        1⤵
          PID:4316

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CU10lV4.exe
          Filesize

          298KB

          MD5

          3363d32f83f0ca5aba710af4eb769c99

          SHA1

          941ae1b9c0879457793019c01c0a9ba0497a22c1

          SHA256

          9f2629cde2a7991043a74771918d4417bd026ceb4ca389953e3c11c15b59cecb

          SHA512

          54cee54dfd076c6cc45ecf2a84bce6c214bf2851e7d88071bde82f76244fcb0113f3679993ba2685b15dcfcfdb2bf108b70bd775c1446be44ba481ff70470dff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qn084TN.exe
          Filesize

          222KB

          MD5

          38a788cea63261bc9bfd6e5baf524ef5

          SHA1

          a05b9afaf5ff9c769705fbfa4f94da4d734d38e3

          SHA256

          b5a932097aab404046b1d469e89c7f1d4b504050750973bd5ac16f26420728aa

          SHA512

          2b08515ec3154833ef3e62f4c4d1717850042586f33a61be9f07eb78b3dd6b0e26d5a5ebc7be1b19fdf5091bbb1d546818b7bd391c99780128a5587e894ce21a

          Download Submit

        • memory/2928-8-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2928-9-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2928-11-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2928-7-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3144-17-0x0000000007420000-0x00000000079C4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3144-16-0x0000000000190000-0x00000000001CE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3144-15-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3144-18-0x0000000006F10000-0x0000000006FA2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3144-19-0x0000000004510000-0x000000000451A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3144-20-0x0000000073FB0000-0x0000000074760000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3144-21-0x0000000007FF0000-0x0000000008608000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3144-22-0x00000000072C0000-0x00000000073CA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3144-23-0x0000000007140000-0x0000000007152000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3144-24-0x00000000071A0000-0x00000000071DC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3144-25-0x00000000071E0000-0x000000000722C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3144-26-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3144-27-0x0000000073FB0000-0x0000000074760000-memory.dmp

          Filesize

          7.7MB

          Download