Overview

overview

10

Static

static

3

0314c3cf58...62.exe

windows10-2004-x64

10

142ed11f80...59.exe

windows10-2004-x64

10

1f54336cee...4f.exe

windows10-2004-x64

10

2470f02746...37.exe

windows10-2004-x64

10

357dca1dd0...e2.exe

windows7-x64

10

357dca1dd0...e2.exe

windows10-2004-x64

10

367729c840...03.exe

windows10-2004-x64

10

3ae8cc733e...e3.exe

windows10-2004-x64

10

3ff87c5bd0...30.exe

windows10-2004-x64

10

4157cda315...a6.exe

windows10-2004-x64

10

5f318080c6...ea.exe

windows10-2004-x64

10

620f9ee1b4...8f.exe

windows10-2004-x64

10

6817354347...3a.exe

windows10-2004-x64

10

753cdc12b9...91.exe

windows10-2004-x64

10

a4215d26b6...74.exe

windows10-2004-x64

10

a4375e040f...82.exe

windows10-2004-x64

10

a619ae77d5...2e.exe

windows10-2004-x64

10

aaab139650...12.exe

windows10-2004-x64

10

aefec08eba...49.exe

windows10-2004-x64

10

d12f5fa25c...70.exe

windows10-2004-x64

7

e5b42981fd...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049.exe

  • Size

    401KB

  • MD5

    c70da63f44a116fe349e06b38cafb3fa

  • SHA1

    cb0d169c46a5e96d933da8ff43d1e057ea2d5ced

  • SHA256

    aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049

  • SHA512

    d558fa35f52738065c6d4602f968f22dae8dc33f900d71afb69fb52705e105befee8e786926c174cca498af2e55a109fae972acb3ab5ccc4dd26ff41e5066993

  • SSDEEP

    6144:KUy+bnr+sp0yN90QEHbTG8sXOfBZjC+qn5gwV4y5P08f7DjWLMRPPq2knPEVowLc:kMrAy90tbXsOjFKFrOMti21awLc

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049.exe
    "C:\Users\Admin\AppData\Local\Temp\aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1GG94Iy1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1GG94Iy1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:496
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1380
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 540
            4⤵
            • Program crash
            PID:4456
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2XV410DF.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2XV410DF.exe
        2⤵
        • Executes dropped EXE
        PID:2228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1380 -ip 1380
      1⤵
        PID:2188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1GG94Iy1.exe
        Filesize

        328KB

        MD5

        01b6c7325417fc02ba2a94a9a63d19d3

        SHA1

        40289b7eddb508217e9e4e6e1217fab3d440fbc0

        SHA256

        84e51fa3d61208ef78ebfcf98278a447806df307fd4331c6b4e79768ccf64dd0

        SHA512

        f73d1846da99136461245e6f02566fc5fcdff318d3333ddb13d4e3c590697b1a30ca95e60047d54a25c2e4a5d1dec7bd379115ca16cdd88c3497855374866bfa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2XV410DF.exe
        Filesize

        222KB

        MD5

        6d80262e654cda95522cecd7a9e18bd6

        SHA1

        15a8b69a3ff3c28edc83e2bff7c1a3ecc6982014

        SHA256

        67e3d9d3299079a929edd1554ce3fd11558b816fcf63e1436a8b2b0123f80d08

        SHA512

        91f3558c779e26659ba977decf7b23e3ae698a2a96b543646dab12d24795745e82a38b005edb9fe839361f7d8ac527c125481a448eb0d2e824f785bfa6db6e04

        Download Submit

      • memory/1380-7-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1380-9-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1380-11-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1380-8-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2228-17-0x0000000007530000-0x0000000007AD4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2228-16-0x0000000000270000-0x00000000002AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2228-15-0x00000000741EE000-0x00000000741EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2228-18-0x0000000007020000-0x00000000070B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2228-20-0x00000000741E0000-0x0000000074990000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2228-19-0x00000000025C0000-0x00000000025CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2228-21-0x0000000008100000-0x0000000008718000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2228-22-0x0000000007300000-0x000000000740A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2228-23-0x0000000007230000-0x0000000007242000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2228-24-0x0000000007290000-0x00000000072CC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2228-25-0x0000000007410000-0x000000000745C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2228-26-0x00000000741EE000-0x00000000741EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2228-27-0x00000000741E0000-0x0000000074990000-memory.dmp

        Filesize

        7.7MB

        Download