Analysis
max time kernel: 137s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 21:48
Static task: static1
Behavioral task: behavioral1
Sample: 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
Resource: win10v2004-20241007-en
General
Target: 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
Size: 548KB
MD5: df3a1a0c571e06dbf9e9f228872b9825
SHA1: b3915508ea8ef4392bb50317a6686e26a47b7f21
SHA256: 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d
SHA512: 0582b9d2c0ba09dee5357d4ddb7d15ee7d2178a1165a4168a6a874703e8c5b8f521450d66eb66b74fe2a8f5e0bf25007cfc65f9d6559c65bcf07d940db0e5df4
SSDEEP: 12288:HMr9y90qXlWAXlb9ssmU4aAJBHrKYk7czBg+Nc:+yHWcssZ4aAJBLKX7cNg+Nc
Malware Config
Extracted
redline
virad
77.91.124.82:19071
auth_value: 434dd63619ca8bbf10125913fb40ca28
Signatures
Detect Mystic stealer payload 1 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000023ce6-12.dat | mystic_family |

Mystic family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0007000000023ce7-15.dat | family_redline |
| behavioral1/memory/4596-18-0x0000000000830000-0x0000000000860000-memory.dmp | family_redline |

Redline family
Executes dropped EXE 3 IoCs

| pid | Process |
|---|---|
| 2044 | y7683518.exe |
| 1860 | m8603086.exe |
| 4596 | n7038263.exe |

Adds Run key to start application 2 TTPs 2 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""` | y7683518.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""` | 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe |

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | y7683518.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | m8603086.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | n7038263.exe |

Suspicious use of WriteProcessMemory 9 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1892 wrote to memory of 2044 | 1892 | 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe | 86 |
| PID 1892 wrote to memory of 2044 | 1892 | 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe | 86 |
| PID 1892 wrote to memory of 2044 | 1892 | 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe | 86 |
| PID 2044 wrote to memory of 1860 | 2044 | y7683518.exe | 87 |
| PID 2044 wrote to memory of 1860 | 2044 | y7683518.exe | 87 |
| PID 2044 wrote to memory of 1860 | 2044 | y7683518.exe | 87 |
| PID 2044 wrote to memory of 4596 | 2044 | y7683518.exe | 88 |
| PID 2044 wrote to memory of 4596 | 2044 | y7683518.exe | 88 |
| PID 2044 wrote to memory of 4596 | 2044 | y7683518.exe | 88 |

Processes
- PID 1892: C:\Users\Admin\AppData\Local\Temp\3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - PID 2044: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7683518.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7683518.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 1860: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8603086.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8603086.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 4596: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7038263.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7038263.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15