Malware Analysis Report

2025-03-15 01:30

Sample ID: 250221-3ef8lssngv
Target: 477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698
SHA256: 477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698
Tags: mystic, redline, kinza, discovery, infostealer, persistence, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698

Threat Level: Known bad

The file 477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698 was found to be: Known bad.

Malicious Activity Summary

mystic redline kinza discovery infostealer persistence stealer

Mystic

Detect Mystic stealer payload

Mystic family

RedLine payload

Redline family

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-21 23:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-21 23:25
Reported: 2025-02-21 23:28
Platform: win10v2004-20250217-en
Max time kernel: 133s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Mystic

stealer mystic

Mystic family

mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe N/A

Caveat: this value is not persistence for the payload. A RunOnce value named wextract_cleanup<N> whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<temp folder>" is what the Windows self-extractor stub wextract.exe (the stub used by IExpress packages) writes so that its IXP<N>.TMP extraction folder is deleted at the next logon, and RunOnce values are removed when they fire. It is therefore a tell that the outer executable is a wextract package that unpacks 1Vq88Ph3.exe and 2wf123ea.exe into IXP000.TMP and runs them, rather than an autostart entry for either of them; no Run or RunOnce value pointing at a dropped file appears anywhere in this report.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4708 set thread context of 3380 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Changing a thread context in another process is the final step of process hollowing: once the payload has been written into the suspended child, the main thread's instruction pointer is redirected to the new entry point and the thread is resumed. Here the writer is the dropped 1Vq88Ph3.exe (PID 4708) and the host is a Windows-shipped .NET Framework binary, AppLaunch.exe (PID 3380), so the payload executes under a trusted image path.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe N/A

Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how a process reads the installed system language. Plenty of legitimate software touches this key, so the read is a weak indicator on its own; it is listed because commodity stealers commonly use the system locale to decide whether to run at all on machines in regions their operators exclude. The report records only that the key was opened, not what the value was compared against.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 4708 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe
PID 4708 wrote to memory of 4252 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4708 wrote to memory of 3380 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 1956 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe

Two patterns are mixed in this table. The three writes from a creating process into each new child (2836 into 4708 and 1956, 4708 into 4252) are consistent with a parent populating a child's start-up parameters during process creation and are not injection by themselves. The ten writes from 1Vq88Ph3.exe (PID 4708) into AppLaunch.exe (PID 3380), the same pair that appears in the SetThreadContext row, are the payload being copied into the hollowed host; the other AppLaunch.exe instance (PID 4252) received only the creation writes and no context change. The memory dumps listed under Files for PID 3380 (0x400000-0x434000) are that injected image, and WerFault.exe was later started for PID 3380, which is the "Program crash" signature in the summary.
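To make the chain in the three tables above (Adds Run key, SetThreadContext, WriteProcessMemory) mechanically checkable, here is an added example that is not part of the sandbox report. It replays the rows as constructed events and applies two triage rules a practitioner would want: grouping write/context events per process pair to separate ordinary child start-up from hollowing, and recognising the wextract self-cleanup RunOnce value so it is not filed as persistence. PIDs, image paths and the registry data are copied from the report; the creation-write budget, the verdict strings and the function names are this example's own assumptions.

```python
"""Triage of the signature rows above: constructed replay, not sandbox output."""
import re
from collections import Counter

TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Image path per PID, transcribed from the report's Process/Target columns.
PROCESSES = {
    2836: TMP + r"\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe",
    4708: TMP + r"\IXP000.TMP\1Vq88Ph3.exe",
    1956: TMP + r"\IXP000.TMP\2wf123ea.exe",
    4252: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    3380: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}

# (event, source PID, target PID), one tuple per table row in the report.
EVENTS = (
    [("set_context", 4708, 3380)]
    + [("write_mem", 2836, 4708)] * 3
    + [("write_mem", 4708, 4252)] * 3
    + [("write_mem", 4708, 3380)] * 10
    + [("write_mem", 2836, 1956)] * 3
)

# Registry "Set value" rows as (key path, data, writer PID).
REG_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     2836),
]

# Assumption used by this example: a creating process writes a few times into
# its new child (start-up parameters) before the child runs; anything beyond
# that budget, or any write paired with SetThreadContext, is treated as injection.
CREATION_WRITE_BUDGET = 4


def injection_findings(events, processes):
    """Classify every (writer, target) pair seen in write/context events."""
    writes = Counter((s, t) for kind, s, t in events if kind == "write_mem")
    set_ctx = {(s, t) for kind, s, t in events if kind == "set_context"}
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in set_ctx:
            verdict = "process hollowing"      # body overwritten, then a thread redirected
        elif n > CREATION_WRITE_BUDGET:
            verdict = "memory injection"       # many writes, no context change observed
        else:
            verdict = "process creation"
        # Temp-resident writer into a Windows-shipped image: the hollowing-host pattern.
        system_host = (processes[dst].lower().startswith("c:\\windows\\")
                       and not processes[src].lower().startswith("c:\\windows\\"))
        findings.append({"source": src, "target": dst, "writes": n, "verdict": verdict,
                         "source_image": processes[src], "target_image": processes[dst],
                         "system_host": system_host})
    return findings


def classify_autorun(key_path, data):
    """Tell wextract's self-cleanup RunOnce entry apart from real autostart persistence."""
    leaf = key_path.rsplit("\\", 1)[-1]
    in_runonce = "\\runonce\\" in key_path.lower()
    if (in_runonce and re.fullmatch(r"wextract_cleanup\d+", leaf, re.I)
            and "advpack.dll,DelNodeRunDLL32" in data):
        # Written by Windows' own SFX stub (wextract.exe / IExpress) so that the
        # IXP<N>.TMP extraction folder is deleted at next logon: not persistence.
        return "sfx cleanup, not persistence"
    return "run-once autostart" if in_runonce else "autostart persistence"


def summarize(events=EVENTS, processes=PROCESSES, reg_events=REG_EVENTS):
    """Compact verdicts: which PIDs were hollowed and how each autorun value was filed."""
    hollowed = [f["target"] for f in injection_findings(events, processes)
                if f["verdict"] == "process hollowing"]
    autorun = {k.rsplit("\\", 1)[-1]: classify_autorun(k, d) for k, d, _ in reg_events}
    return {"hollowed_pids": hollowed, "autorun": autorun}


if __name__ == "__main__":
    for f in injection_findings(EVENTS, PROCESSES):
        print(f"{f['source']} -> {f['target']}: {f['verdict']} "
              f"({f['writes']} writes, system host={f['system_host']})")
    print(summarize())
```

Run as a script it prints one verdict per process pair and the summary; only the 4708 -> 3380 pair comes out as hollowing, and the single registry write is filed as SFX cleanup rather than persistence.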

Processes

C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe

"C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 540

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp (2 connections)
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
DE 77.91.124.86:19084 (no domain) tcp (6 connections)

The bing.net and bing.com lookups and TLS connections are Windows 10 background traffic that this sandbox platform generates regardless of the sample. The six raw TCP connections to 77.91.124.86:19084 (no preceding DNS lookup, non-standard port, repeated) are the only traffic attributable to the sample and should be treated as its command-and-control endpoint. The report does not record which process opened them, so from this page alone they cannot be tied to one of the two dropped executables.
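The Network table above is flat text with an optional Domain column, which makes it easy to misread by eye. Here is an added example, not part of the sandbox report, that parses the rows as printed, separates platform background noise from traffic attributable to the sample, and extracts the endpoint worth blocking. The rows are copied from the report; the background-suffix list, the port set and the verdict strings are this example's own assumptions.

```python
"""Triage of the Network table above: constructed replay, not sandbox output."""
from collections import Counter

# Rows copied from the report. The C2 rows have no Domain column, so they
# split into three tokens instead of four.
NETWORK_ROWS = """\
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
DE 77.91.124.86:19084 tcp
DE 77.91.124.86:19084 tcp
DE 77.91.124.86:19084 tcp
DE 77.91.124.86:19084 tcp
DE 77.91.124.86:19084 tcp
DE 77.91.124.86:19084 tcp
"""

# Assumption for this example: Bing tile/search fetches are Windows 10 platform
# background traffic, not sample activity. Extend for other sandbox baselines.
BACKGROUND_SUFFIXES = (".bing.net", ".bing.com")
WELL_KNOWN_PORTS = {53, 80, 443}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into flow dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue                      # header or blank line
        ip, port = dest.rsplit(":", 1)
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def triage(flows):
    """One verdict per (ip, port, proto) endpoint, with the number of flows seen."""
    counts = Counter((f["ip"], f["port"], f["proto"]) for f in flows)
    verdicts = {}
    for f in flows:
        key = (f["ip"], f["port"], f["proto"])
        if key in verdicts:
            continue
        if f["domain"] and f["domain"].endswith(BACKGROUND_SUFFIXES):
            verdict = "platform background noise"
        elif f["port"] == 53:
            verdict = "dns lookup: review queried name"
        elif f["domain"] is None and f["proto"] == "tcp" and f["port"] not in WELL_KNOWN_PORTS:
            # Bare IP, no preceding DNS, non-standard port, repeated connects:
            # the shape of a hard-coded stealer C2 endpoint.
            verdict = "candidate C2: raw TCP to bare IP on non-standard port"
        else:
            verdict = "review"
        verdicts[key] = {"verdict": verdict, "count": counts[key], "country": f["country"]}
    return verdicts


def c2_indicators(text):
    """ip:port strings worth blocking or hunting, derived from the table text."""
    return sorted(f"{ip}:{port}" for (ip, port, _), v in triage(parse_rows(text)).items()
                  if v["verdict"].startswith("candidate C2"))


if __name__ == "__main__":
    for (ip, port, proto), v in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{ip}:{port}/{proto} x{v['count']} [{v['country']}] -> {v['verdict']}")
    print("C2 indicators:", c2_indicators(NETWORK_ROWS))
```

The classification deliberately keys on the absence of a Domain column: a stealer that carries its C2 as a literal ip:port never triggers a DNS lookup, which is exactly what distinguishes the 77.91.124.86 rows from the Bing traffic that was resolved through 8.8.8.8 first.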

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe

MD5 7e88670e893f284a13a2d88af7295317
SHA1 4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a
SHA256 d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9
SHA512 01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

memory/3380-7-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3380-11-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3380-9-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3380-8-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe

MD5 6f5d21b3141b3c3baf8c824cfbba293f
SHA1 3bdecffd2f13ea667b5398a1d830216500bf9324
SHA256 761181f215413041dc70c4e908a996f4579cb90724ec1c638f778e51683ca484
SHA512 ef0482db23ee7962bddfad8f7c9c486b487a1944776591500d16af7793b3cdd96320ed9bdf113c6eae98f133f54cad0c4951b955c84ed4c05bae2b0cbef490ed

memory/1956-15-0x0000000073CAE000-0x0000000073CAF000-memory.dmp

memory/1956-16-0x00000000001A0000-0x00000000001DE000-memory.dmp

memory/1956-17-0x0000000007420000-0x00000000079C4000-memory.dmp

memory/1956-18-0x0000000006F10000-0x0000000006FA2000-memory.dmp

memory/1956-19-0x0000000073CA0000-0x0000000074450000-memory.dmp

memory/1956-20-0x00000000044E0000-0x00000000044EA000-memory.dmp

memory/1956-21-0x0000000007FF0000-0x0000000008608000-memory.dmp

memory/1956-22-0x00000000079D0000-0x0000000007ADA000-memory.dmp

memory/1956-23-0x0000000007290000-0x00000000072A2000-memory.dmp

memory/1956-24-0x00000000072F0000-0x000000000732C000-memory.dmp

memory/1956-25-0x0000000007330000-0x000000000737C000-memory.dmp

memory/1956-26-0x0000000073CAE000-0x0000000073CAF000-memory.dmp

memory/1956-27-0x0000000073CA0000-0x0000000074450000-memory.dmp