Overview

overview

10

Static

static

3

04079e5802...9d.exe

windows10-2004-x64

10

1c1f4eb981...3b.exe

windows10-2004-x64

10

2598a43559...cf.exe

windows10-2004-x64

10

3aa30d5528...5d.exe

windows10-2004-x64

10

46e0ffa2e7...59.exe

windows10-2004-x64

10

4cc86e1dc4...05.exe

windows10-2004-x64

10

61799398ea...0c.exe

windows10-2004-x64

10

6bfb353493...b4.exe

windows10-2004-x64

10

70f5b2bcd0...c3.exe

windows7-x64

10

70f5b2bcd0...c3.exe

windows10-2004-x64

10

7363065308...5d.exe

windows10-2004-x64

10

864fc02972...03.exe

windows10-2004-x64

10

979a085483...e6.exe

windows10-2004-x64

10

9bbc6ca861...5b.exe

windows10-2004-x64

10

a22013e24e...09.exe

windows10-2004-x64

10

c31e600a38...cd.exe

windows10-2004-x64

10

e2e852038c...e5.exe

windows10-2004-x64

10

ec4e6a678a...72.exe

windows10-2004-x64

10

f46c47981f...85.exe

windows10-2004-x64

10

f603ceb39f...6e.exe

windows10-2004-x64

10

fbe6d8ed22...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5.exe

  • Size

    398KB

  • MD5

    1efa9b18a2563ebebae8a6eabad4db7b

  • SHA1

    b95bc070b14bbb19b209b2d4413db63f79272fbc

  • SHA256

    e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5

  • SHA512

    07bf09d5fa8798b9f0d40650c180275c78e201abd9d5ebfb37d2d37dcb55e0802d6c4e35467695aeec3c930add915d200847bd13ee41bc58762f067b553de5bb

  • SSDEEP

    6144:Kqy+bnr+Dp0yN90QEI5Ngt4Ybnu7poqS394ZhT0E9P9psh7I81firb:qMrny90S8jD5NIlxVpCUv

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5.exe
    "C:\Users\Admin\AppData\Local\Temp\e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh48il7.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh48il7.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:3756
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 540
            4⤵
            • Program crash
            PID:320
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2oG933Dg.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2oG933Dg.exe
        2⤵
        • Executes dropped EXE
        PID:2576
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
      1⤵
        PID:2276
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3756 -ip 3756
        1⤵
          PID:3740

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh48il7.exe
          Filesize

          320KB

          MD5

          5d46d756761c7b1440076303beeca0ef

          SHA1

          8e50680d58c89566cf78b067aefed754d9fc4935

          SHA256

          8ef43142ccd7fbffcd0c4fa2ed3a196f7a964f71753dfc37a895d956e02e0c83

          SHA512

          19457218e35c87deade73de832140d6def871159eeec74a0df5c72dc0d56757a36c36a17327a73af6f03c6d8ca86d2f031f5d0364222dfcefc49df0d88758683

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2oG933Dg.exe
          Filesize

          222KB

          MD5

          3a2fb4ae3cb49d3452da38d13bb9a4c9

          SHA1

          b1aadf5266265ab50b01330037fec3405cf4501a

          SHA256

          f97449c137f4f454706cd578b7345a4b56fb2dd066558af125773e0ed8b2326a

          SHA512

          8d1913bf768b1e39e1eaf8ed67b9b47f2e00fb3897a767bbb665c0715bb10f551293aabdc6d6429c26455c364a686cca225596471147813cec679e522c84dcce

          Download Submit

        • memory/2576-21-0x0000000008130000-0x0000000008748000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2576-20-0x0000000074760000-0x0000000074F10000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2576-27-0x0000000074760000-0x0000000074F10000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2576-26-0x000000007476E000-0x000000007476F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2576-15-0x000000007476E000-0x000000007476F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2576-16-0x00000000002E0000-0x000000000031E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2576-17-0x0000000007560000-0x0000000007B04000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2576-18-0x00000000070A0000-0x0000000007132000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2576-19-0x00000000046C0000-0x00000000046CA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2576-25-0x0000000007360000-0x00000000073AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2576-24-0x0000000007320000-0x000000000735C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2576-22-0x00000000073F0000-0x00000000074FA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2576-23-0x00000000071A0000-0x00000000071B2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3756-7-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3756-14-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3756-11-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3756-12-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download