Overview

overview

10

Static

static

3

131b47af99...32.exe

windows10-2004-x64

10

227ab56ef5...eb.exe

windows10-2004-x64

10

4537f51b0d...4c.exe

windows10-2004-x64

10

4852dcede8...5b.exe

windows7-x64

10

4852dcede8...5b.exe

windows10-2004-x64

10

4d68d381e4...34.exe

windows10-2004-x64

10

62d27d23e1...d0.exe

windows10-2004-x64

10

6f4e5c3b3a...2b.exe

windows10-2004-x64

10

775b7a0479...3d.exe

windows10-2004-x64

10

80a8dab579...f7.exe

windows10-2004-x64

10

a28852a355...af.exe

windows10-2004-x64

7

d02a87f385...3a.exe

windows10-2004-x64

10

d0c1074be1...1f.exe

windows10-2004-x64

10

d427832084...e1.exe

windows10-2004-x64

10

d53f5a64de...d1.exe

windows10-2004-x64

10

d62198c81d...0d.exe

windows10-2004-x64

10

dd0f820c33...a3.exe

windows10-2004-x64

10

e3c377dc6b...f7.exe

windows10-2004-x64

10

e9172c1691...86.exe

windows10-2004-x64

10

f6c86e8cbc...da.exe

windows10-2004-x64

10

fbd8d72f7e...0c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe

  • Size

    381KB

  • MD5

    6989654d4a8e854885b551c22957d828

  • SHA1

    ff366f5fcb1208c106f4415722c3dfdc83e5cbbf

  • SHA256

    f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda

  • SHA512

    2ac699e41092271a137ea2609d9b556a493f2ab1bd3afd5b7a4300a5a3a90e8639451a10c04a48f07d4053ac9091670a3353b223f109e7f81332cb5569cff161

  • SSDEEP

    6144:KBy+bnr+np0yN90QEBgipOiI8821AgFFBKmbrIkqlq8HCtYpJUnfCKM52U:DMrby90DgWOW8sEmbrIDlq8Hh7UnKKMr

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe
    "C:\Users\Admin\AppData\Local\Temp\f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Je03YS9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Je03YS9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4628
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 196
            4⤵
            • Program crash
            PID:1368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 592
          3⤵
          • Program crash
          PID:3848
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GU496eR.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GU496eR.exe
        2⤵
        • Executes dropped EXE
        PID:2924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1364 -ip 1364
      1⤵
        PID:3696
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4628 -ip 4628
        1⤵
          PID:1992

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Je03YS9.exe
          Filesize

          295KB

          MD5

          0529c686977164266fff181fe5624365

          SHA1

          8a93fbc6e534c48da1e7e13918bbfa33e1d7ded4

          SHA256

          01b70ff1f32a06a5257c26adb2ac368f8249fee48ce32ea55d19b5ca8cfc1523

          SHA512

          152fe9d0fd9b1b7df9f68f6089fea360cfc9246f33dcba772649d484ec31ceb4c174a17629638a978be772d3e6cc35d559d4e7d087c0c77d7900bfc6c0b841cf

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GU496eR.exe
          Filesize

          222KB

          MD5

          1304c12cc2e666e92459f841f2926155

          SHA1

          4bb156a852c19dda9b8eed9ef9f4d5637d0d5d18

          SHA256

          b033b5fbe1b0c129ad84a9e42cda574b88e0ed22d896c25c19ce6ab9fbf855c0

          SHA512

          8542eab775db888a8e28c24a25e1176f8836bc514cddd955afd8c3a659c12b3de5b5399a590a82400a60b4a5000920dfd443ae36674d2434468664b59abd6b7c

          Download Submit
        • memory/2924-21-0x0000000008B20000-0x0000000009138000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/2924-20-0x0000000005010000-0x000000000501A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2924-27-0x0000000073C20000-0x00000000743D0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2924-26-0x0000000073C2E000-0x0000000073C2F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2924-15-0x0000000073C2E000-0x0000000073C2F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2924-16-0x0000000000C50000-0x0000000000C8E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/2924-17-0x0000000007F50000-0x00000000084F4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2924-18-0x0000000007A40000-0x0000000007AD2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/2924-19-0x0000000073C20000-0x00000000743D0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2924-25-0x0000000007CC0000-0x0000000007D0C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/2924-24-0x0000000007C80000-0x0000000007CBC000-memory.dmp
          Filesize

          240KB

          Download
        • memory/2924-22-0x0000000007DD0000-0x0000000007EDA000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2924-23-0x0000000007BF0000-0x0000000007C02000-memory.dmp
          Filesize

          72KB

          Download
        • memory/4628-7-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/4628-11-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/4628-9-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/4628-8-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download