Overview

overview

10

Static

static

3

2681e868e3...01.exe

windows10-2004-x64

10

446a34b8c4...be.exe

windows10-2004-x64

10

472b4c438a...4d.exe

windows7-x64

10

472b4c438a...4d.exe

windows10-2004-x64

10

4bd9740942...ae.exe

windows10-2004-x64

10

522ef7ed5d...cb.exe

windows10-2004-x64

7

8682bf8baa...91.exe

windows10-2004-x64

10

88242c8054...22.exe

windows10-2004-x64

10

8f02e0ba42...1b.exe

windows10-2004-x64

10

97f490d9d1...9d.exe

windows10-2004-x64

10

982ac80dc3...af.exe

windows10-2004-x64

10

9cef0fe263...ed.exe

windows10-2004-x64

10

a35e73743d...46.exe

windows10-2004-x64

10

abb426fc0b...a0.exe

windows10-2004-x64

7

b108a8edf9...f5.exe

windows10-2004-x64

10

b654b42011...45.exe

windows10-2004-x64

10

cb020fc0d9...1b.exe

windows10-2004-x64

10

d2da12ea26...83.exe

windows10-2004-x64

10

efd69f2941...a6.exe

windows10-2004-x64

10

f093fc4510...2a.exe

windows10-2004-x64

10

fde0e8258c...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fde0e8258ce7f85dd1a300cd7964ca02580d162769083c1df9c9dcbbe96d9678.exe

  • Size

    640KB

  • MD5

    5d02cc2cafd8d15fe7d9332511fd154b

  • SHA1

    19fd38f620c5238c4f077afad97392541b20ebbe

  • SHA256

    fde0e8258ce7f85dd1a300cd7964ca02580d162769083c1df9c9dcbbe96d9678

  • SHA512

    6ff1639be7a478f7a3a335f03612d500d469b27c653b3016cff79b3ce14a224bac4deadcbc2c057f37d1c66159191dbfd08bf9a8dd273cb75dc794d95743770e

  • SSDEEP

    12288:/MrJy90iMpEEp5yKTLK3uJv/stegD79NkaUEvGAke/JLEFeBgq+ZXqw15:qyTsnXAuqDDRN41TWJgeZ+9qwv

Score
10/10
mysticredlinelutyrinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fde0e8258ce7f85dd1a300cd7964ca02580d162769083c1df9c9dcbbe96d9678.exe
    "C:\Users\Admin\AppData\Local\Temp\fde0e8258ce7f85dd1a300cd7964ca02580d162769083c1df9c9dcbbe96d9678.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iv9qI7cu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iv9qI7cu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1CO84aT9.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1CO84aT9.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4996
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 540
              5⤵
              • Program crash
              PID:4612
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 588
            4⤵
            • Program crash
            PID:1028
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BF979EV.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BF979EV.exe
          3⤵
          • Executes dropped EXE
          PID:4256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4996 -ip 4996
      1⤵
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1804 -ip 1804
        1⤵
          PID:688

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iv9qI7cu.exe
          Filesize

          444KB

          MD5

          3b07c3d04bb47eb2cc50a09de47eb373

          SHA1

          3bc0461291ba905686c3914160cfa9c0926675a7

          SHA256

          981ec1d26139faa8a91ab244112984c2580f533ae87dc789da708236a98ef033

          SHA512

          f25b3364f4cd62f2671237dd4af988f1dc8e9e4f68c3df3fa50d83be6396854780d4c868ec2149eccb651654f6e282af5a3c1c86f9b32be97d670828eec2941f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1CO84aT9.exe
          Filesize

          423KB

          MD5

          7a1315485d181f9281782717240dab7a

          SHA1

          bf64abf85ffcbd07de7bfe04449cccc41675e282

          SHA256

          aabf8d32f47143671394533fad750837abc508527951ce46b05d9e0c76b46ec8

          SHA512

          c85167b371b34750aad7a929bec58747862b2e486f8ee7b0d914fcd081ae2214828cc312d7b87458178506a1a1da8ba28346e361b06f3aedba046b0b0e8c5532

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BF979EV.exe
          Filesize

          221KB

          MD5

          4f94fcdbc4454fadaebb849f72091e45

          SHA1

          e9d7913162e07f4ac71807296e4ce6d6ee84033b

          SHA256

          6c34c606ae2e763c842f32ff617fb4a647fd1ead79caf30b19f36738b7deb8c6

          SHA512

          47cf785cd87ba1b280028e77da9ff00b3f2ad493eb6c45e1a3fd3191b4c2a1807a94dd16aeb79d840796f436aa05ac9485c1392501c15038c8fdebc048c6ec9a

          Download Submit
        • memory/4256-27-0x0000000007DF0000-0x0000000007EFA000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4256-22-0x00000000003E0000-0x000000000041E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/4256-23-0x0000000007840000-0x0000000007DE4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4256-24-0x0000000007330000-0x00000000073C2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/4256-25-0x00000000028B0000-0x00000000028BA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4256-26-0x0000000008410000-0x0000000008A28000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/4256-28-0x00000000073D0000-0x00000000073E2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/4256-29-0x0000000007430000-0x000000000746C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4256-30-0x00000000075B0000-0x00000000075FC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/4996-18-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/4996-15-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/4996-16-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/4996-14-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download