Overview

overview

10

Static

static

3

f8ef4d4677...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8ef4d4677aa86895d48bc1fc4e3955db7e59c93107e5588ed39edac25435826N.exe

  • Size

    821KB

  • MD5

    d041772bcb0d99fcb2920e2fc68a8b80

  • SHA1

    25c01049e5b270365058834d5cb0d4946bcccc11

  • SHA256

    f8ef4d4677aa86895d48bc1fc4e3955db7e59c93107e5588ed39edac25435826

  • SHA512

    f2356b7edac1969fa292d4cad18a5355acc67dcc7347745ff83eae19595cad883b5d41e84e977768a5627657b0d4ce48170e7afb2f22dce44a0c18b595122601

  • SSDEEP

    12288:JMrsy905ZMxOCAA2uXf6omB8sMyyNnrr2sfxpaNdtyDmzj99Z4b1/+ARQN:FymZ7CAEdeImwaADujq/HU

Score
10/10
mysticredlinegigantdiscoveryinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Mystic family
    mystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8ef4d4677aa86895d48bc1fc4e3955db7e59c93107e5588ed39edac25435826N.exe
    "C:\Users\Admin\AppData\Local\Temp\f8ef4d4677aa86895d48bc1fc4e3955db7e59c93107e5588ed39edac25435826N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iz6Kx7MP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iz6Kx7MP.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ft39Fy6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ft39Fy6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1140
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 540
            5⤵
            • Program crash
            PID:4476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 580
          4⤵
          • Program crash
          PID:4896
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oe365ml.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oe365ml.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 876 -ip 876
    1⤵
      PID:4736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140
      1⤵
        PID:3512

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iz6Kx7MP.exe
        Filesize

        649KB

        MD5

        64f56891866a12c4bcd501923df63fa1

        SHA1

        fe9f13754c498cc8b2f8ee6d6ce4e3d7bd640116

        SHA256

        63a0f263294087701b5f1703a91ae6e96a929bb4bb33e0f5384d6e4e88194f94

        SHA512

        3f3fbaffb798512638fe3c74d8180af204ace37000167d362a08e4e8a61b44ba3bf224cbe9fda25e16053ebaaa114f588ad964e6f5c821281c2a7ac89451bca4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ft39Fy6.exe
        Filesize

        1.7MB

        MD5

        144dc3c0a5275a93ff86f00b5c61b9ec

        SHA1

        784168ab3c4711737656ca13dc4cb59ca267fa45

        SHA256

        179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

        SHA512

        9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oe365ml.exe
        Filesize

        231KB

        MD5

        bff287305ff9109fdbdd423dd114e70a

        SHA1

        79530fa7a89daa1f1f3b709b1d55a9debfa47855

        SHA256

        aa97dc294e8415b6123770299c2080409660b804c17d437c7ef345dacace1b9f

        SHA512

        c1a8d8ae480d974a737d1db3d51f1f409484808cf2074fc7e46372f33beb42da9160756cf15283c5d0acfed81dddbf19130639d62607d746b27bc63610811ab2

        Download Submit

      • memory/1140-14-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1140-16-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1140-15-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1140-18-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2348-23-0x0000000007890000-0x0000000007E34000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2348-22-0x00000000005B0000-0x00000000005EE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2348-24-0x0000000007380000-0x0000000007412000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2348-25-0x0000000004930000-0x000000000493A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2348-26-0x0000000008460000-0x0000000008A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2348-27-0x0000000007640000-0x000000000774A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2348-28-0x0000000007570000-0x0000000007582000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-29-0x00000000075D0000-0x000000000760C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2348-30-0x0000000007750000-0x000000000779C000-memory.dmp

        Filesize

        304KB

        Download