redtiger | myst[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

myst.exe
Size

2.4MB
MD5

b82a76863cdc66f920fcddac994e7c02
SHA1

d50f34a775d032027a3c3829f6bac4ba6488dc57
SHA256

cefa12803b7cc26ef06e2d2a51257a3e3fd3766b3597c3b7189bc1427edb4bfb
SHA512

42cf2285e667de746f9283a08f0b20af320c0cb660d5af6b64451971118d183d78281e2a10073505ac0df25afb33d6bb669ccc4746e05da01376748f63c8e61f
SSDEEP

49152:qe1xa04Cc0LwNo0KbHLNEKJKStbmJD3pWlGQXkwnXtd0M7xWV:q28cmo/8StbmJD3pWlGQXkW0

Score

10^/10

stealer redtiger

Malware Config

Signatures

Detects RedTiger Stealer 7 IoCs

stealer

resource	yara_rule
sample	redtigerv122
sample	redtigerv22
sample	redtiger_stealer_detection
sample	redtiger_stealer_detection_v2
sample	staticSred
sample	staticred
sample	redtiger_stealer_detection_v1

Redtiger family
redtiger

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
myst.exe

Files

myst.exe
.exe windows:6 windows x64 arch:x64

039f0ec9367ac42b0f34ffe412342ff7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_47

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

ws2_32

WSAEnumNetworkEvents
WSAEventSelect
send
WSACreateEvent
WSAResetEvent
WSAWaitForMultipleEvents
WSAGetLastError
inet_pton
ntohs
WSASetLastError
inet_ntop
WSAStartup
WSACleanup
bind
connect
getpeername
getsockname
closesocket
WSACloseEvent
htons
gethostname
ioctlsocket
sendto
recvfrom
recv
freeaddrinfo
getaddrinfo
listen
htonl
accept
getsockopt
select
__WSAFDIsSet
WSAIoctl
socket
setsockopt

advapi32

OpenProcessToken
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
SystemFunction036
CryptDestroyKey
CryptImportKey
RegCreateKeyExA
CryptEncrypt

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CryptStringToBinaryW
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringW
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertFindCertificateInStore

kernel32

GetFileAttributesExW
FindFirstFileW
FindClose
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
IsDebuggerPresent
SleepConditionVariableSRW
WakeAllConditionVariable
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleFileNameA
LoadLibraryExA
GetLastError
GetProcAddress
FreeLibrary
FormatMessageA
DeviceIoControl
SetThreadPriority
RtlVirtualUnwind
Sleep
Process32First
Thread32Next
Thread32First
CreateToolhelp32Snapshot
Process32Next
CloseHandle
GetThreadContext
OpenThread
GetConsoleWindow
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
GetModuleHandleA
GetLocaleInfoA
LoadLibraryA
QueryPerformanceFrequency
QueryPerformanceCounter
GetCurrentProcessId
CreateThread
ExitProcess
SetConsoleScreenBufferSize
GetStdHandle
SetConsoleWindowInfo
CreateFileW
lstrcmpiA
GlobalFindAtomA
AddVectoredExceptionHandler
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentProcess
VirtualProtect
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameW
GetModuleHandleW
QueryFullProcessImageNameW
SetLastError
FormatMessageW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
LocalFree
GetSystemDirectoryW
LoadLibraryW
SleepEx
GetSystemInfo
GetTickCount
MoveFileExW
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
VerifyVersionInfoW
GetFileSizeEx
RtlLookupFunctionEntry
AreFileApisANSI
GetFileInformationByHandleEx
OutputDebugStringW
VerSetConditionMask
RtlCaptureContext
GetCurrentThread

user32

GetAsyncKeyState
SetWindowPos
DispatchMessageA
GetWindowRect
GetSystemMetrics
SetWindowLongA
GetWindowLongA
SetWindowDisplayAffinity
GetMonitorInfoA
MoveWindow
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes
TranslateMessage
PeekMessageA
UnregisterClassA
PostQuitMessage
FindWindowA
RegisterClassExA
GetKeyState
GetMessageExtraInfo
LoadCursorA
MonitorFromWindow
GetCapture
ClientToScreen
TrackMouseEvent
GetKeyboardLayout
SetCapture
SetCursor
GetClientRect
IsWindowUnicode
ReleaseCapture
GetCursorPos
ScreenToClient
GetForegroundWindow
ShowWindow
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SendInput
GetDesktopWindow
SetClipboardData
MessageBoxA
SetCursorPos

shell32

ShellExecuteA

ole32

CoCreateInstance
CoInitialize
CoUninitialize

msvcp140

?always_noconv@codecvt_base@std@@QEBA_NXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?_Random_device@std@@YAIXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??7ios_base@std@@QEBA_NXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Thrd_detach
_Mtx_lock
_Mtx_unlock
?uncaught_exceptions@std@@YAHXZ
?_Xout_of_range@std@@YAXPEBD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
?good@ios_base@std@@QEBA_NXZ
_Strxfrm
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
_Strcoll
_Xtime_get_ticks
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?tolower@?$ctype@D@std@@QEBADD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??Bid@locale@std@@QEAA_KXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A

winmm

PlaySoundA
waveOutSetVolume

imm32

ImmReleaseContext
ImmSetCandidateWindow
ImmGetContext
ImmSetCompositionWindow

shlwapi

PathFindFileNameW

psapi

GetModuleInformation

userenv

UnloadUserProfile

bcrypt

BCryptGenRandom

vcruntime140

__intrinsic_setjmp
__current_exception
wcschr
memset
__current_exception_context
memcmp
memmove
memcpy
strstr
strchr
longjmp
strrchr
__std_exception_destroy
memchr
__std_exception_copy
__std_terminate
__C_specific_handler
_purecall
_CxxThrowException

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-stdio-l1-1-0

fsetpos
_get_stream_buffer_pointers
fgetpos
fgetc
__p__commode
fclose
_read
_write
getc
fputc
_fileno
_close
freopen
__stdio_common_vfprintf
__stdio_common_vsscanf
feof
_set_fmode
fread
_wfopen
ferror
fputs
fopen
fseek
__acrt_iob_func
ftell
fwrite
fgets
__stdio_common_vsprintf_s
_lseeki64
clearerr
_wopen
_pclose
tmpfile
setvbuf
_popen
ungetc
_ftelli64
_fseeki64
fflush
__stdio_common_vsprintf
tmpnam

api-ms-win-crt-heap-l1-1-0

_callnewh
_set_new_mode
malloc
realloc
free
calloc

api-ms-win-crt-string-l1-1-0

_strdup
strcmp
strncmp
strcspn
wcsncpy
wcspbrk
strncpy
strpbrk
toupper
isupper
tolower
isspace
isalpha
iscntrl
ispunct
islower
isxdigit
strcoll
wcsncmp
_wcsdup
_stricmp
isdigit
strspn
isblank
isalnum
isgraph

api-ms-win-crt-runtime-l1-1-0

_resetstkoflw
_errno
strerror
abort
exit
system
_beginthreadex
__sys_nerr
__sys_errlist
terminate
_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
_register_thread_local_exe_atexit_callback
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_c_exit
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
__p___argv
__p___argc

api-ms-win-crt-math-l1-1-0

sin
sinf
llround
sqrt
sqrtf
ldexp
acos
acosf
powf
pow
asin
atan2
frexp
_fdopen
_dsign
atan2f
ceil
ceilf
cos
cosf
floor
floorf
roundf
__setusermatherr
fmod
_dclass
log10
log
tan
exp
fmodf

api-ms-win-crt-locale-l1-1-0

localeconv
setlocale
___lc_codepage_func
_configthreadlocale

api-ms-win-crt-time-l1-1-0

_difftime64
_localtime64
clock
_mktime64
strftime
_localtime64_s
_gmtime64
_time64

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-convert-l1-1-0

strtoll
wcstombs
atoi
strtol
strtod
strtoull
strtoul
atof

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_unlink
_unlock_file
rename
_lock_file
_wstat64
remove

api-ms-win-crt-utility-l1-1-0

qsort
rand

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 521KB - Virtual size: 520KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 217KB - Virtual size: 228KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

039f0ec9367ac42b0f34ffe412342ff7

Headers

DLL Characteristics

File Characteristics

Imports

d3d11

d3dcompiler_47

dwmapi

ws2_32

advapi32

crypt32

kernel32

user32

shell32

ole32

msvcp140

winmm

imm32

shlwapi

psapi

userenv

bcrypt

vcruntime140

vcruntime140_1

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 521KB - Virtual size: 520KB

.data Size: 217KB - Virtual size: 228KB

.pdata Size: 69KB - Virtual size: 69KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 521KB - Virtual size: 520KB

.data
Size: 217KB - Virtual size: 228KB

.pdata
Size: 69KB - Virtual size: 69KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 6KB - Virtual size: 6KB