mystic | b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381

Analysis

max time kernel
136s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe
Size

1.1MB
MD5

cdb281a8f0cdeeb0c36b07f9eb3f5d38
SHA1

e3206b7483186fed5c7d8ab4dcf507f8431b392d
SHA256

b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381
SHA512

d347e95152c1ddfca12f01790b525bbece977e9997f7e6489396f40d6dedf11ae46bd0255d2d6a1f361764bd4410f32955c48b38225ffd34204563c8210edb02
SSDEEP

24576:NySjnNklu2oGQA0QORLjvLz0N9LhdBZL8VLvD3TCqy:oGNkc5JfjK3/l8VLvbTB

Score

10^/10

mystic redline genda infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

genda

77.91.124.55:19071

Signatures

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5044-38-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4484	Yu7fD7cw.exe
4640	QA6EU8bI.exe
2320	AD2Sp5AI.exe
1868	RT1Of9FP.exe
1588	am3Vw68.exe
2264	ft086Bl.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Yu7fD7cw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	QA6EU8bI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AD2Sp5AI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	RT1Of9FP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 5044	2264	ft086Bl.exe	78

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3592	2264	WerFault.exe	76

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4484	4432	b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe	71
PID 4432 wrote to memory of 4484	4432	b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe	71
PID 4432 wrote to memory of 4484	4432	b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe	71
PID 4484 wrote to memory of 4640	4484	Yu7fD7cw.exe	72
PID 4484 wrote to memory of 4640	4484	Yu7fD7cw.exe	72
PID 4484 wrote to memory of 4640	4484	Yu7fD7cw.exe	72
PID 4640 wrote to memory of 2320	4640	QA6EU8bI.exe	73
PID 4640 wrote to memory of 2320	4640	QA6EU8bI.exe	73
PID 4640 wrote to memory of 2320	4640	QA6EU8bI.exe	73
PID 2320 wrote to memory of 1868	2320	AD2Sp5AI.exe	74
PID 2320 wrote to memory of 1868	2320	AD2Sp5AI.exe	74
PID 2320 wrote to memory of 1868	2320	AD2Sp5AI.exe	74
PID 1868 wrote to memory of 1588	1868	RT1Of9FP.exe	75
PID 1868 wrote to memory of 1588	1868	RT1Of9FP.exe	75
PID 1868 wrote to memory of 1588	1868	RT1Of9FP.exe	75
PID 1868 wrote to memory of 2264	1868	RT1Of9FP.exe	76
PID 1868 wrote to memory of 2264	1868	RT1Of9FP.exe	76
PID 1868 wrote to memory of 2264	1868	RT1Of9FP.exe	76
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78
PID 2264 wrote to memory of 5044	2264	ft086Bl.exe	78

C:\Users\Admin\AppData\Local\Temp\b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe
"C:\Users\Admin\AppData\Local\Temp\b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yu7fD7cw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yu7fD7cw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA6EU8bI.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA6EU8bI.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AD2Sp5AI.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AD2Sp5AI.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RT1Of9FP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RT1Of9FP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\am3Vw68.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\am3Vw68.exe
        6⤵
        Executes dropped EXE
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ft086Bl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ft086Bl.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 204
        7⤵
        Program crash
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yu7fD7cw.exe

Filesize
932KB

MD5
c54ae63df6899397f9fbabdb752b198b

SHA1
7d3b89afa84e2cce37411a57791332737f88ef74

SHA256
b6c614e7c38a450282cba780b140c386962a41f9d1a3298ceb5545ef4f370731

SHA512
f3e888c66fc9fda0ac22f66cd4788d6ec9ed3e577456334f3f7a9ab2521fdf10e15ee4ebc5e6b741a57d35e9e234df3a2a81f1c40b93e9bfceb63f2b2bf6354e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yu7fD7cw.exe

Filesize
932KB

MD5
c54ae63df6899397f9fbabdb752b198b

SHA1
7d3b89afa84e2cce37411a57791332737f88ef74

SHA256
b6c614e7c38a450282cba780b140c386962a41f9d1a3298ceb5545ef4f370731

SHA512
f3e888c66fc9fda0ac22f66cd4788d6ec9ed3e577456334f3f7a9ab2521fdf10e15ee4ebc5e6b741a57d35e9e234df3a2a81f1c40b93e9bfceb63f2b2bf6354e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA6EU8bI.exe

Filesize
792KB

MD5
1beb58b5d33562a9c1f5fb5c17c50cf8

SHA1
39457c8319a8fee6ce5fa0c050e210ae7ff2e096

SHA256
113ce3a082cc0cebe247d52437c4534c05d644d6c0dcae966e23454d99b4e88d

SHA512
9d608445f2409d166be8966da97435a4141cc99577ff23c75094d2089b456a1bba807998078c07a187ee1fee675f53aeae1d8c0f3e9c00b952195abc24420117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA6EU8bI.exe

Filesize
792KB

MD5
1beb58b5d33562a9c1f5fb5c17c50cf8

SHA1
39457c8319a8fee6ce5fa0c050e210ae7ff2e096

SHA256
113ce3a082cc0cebe247d52437c4534c05d644d6c0dcae966e23454d99b4e88d

SHA512
9d608445f2409d166be8966da97435a4141cc99577ff23c75094d2089b456a1bba807998078c07a187ee1fee675f53aeae1d8c0f3e9c00b952195abc24420117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AD2Sp5AI.exe

Filesize
534KB

MD5
6e11366a475c6df40ce03e296c07c0d7

SHA1
c105bc160758eeb886cf8c87b3f8b8c5d59525fd

SHA256
92f0aa1db064aebe85780c28d38101e7a1c3ac88151b0aafd5bb8c7cb192ceeb

SHA512
041d64dce09e0652b57803beb11b2cbda002751988ccb4819da39965a733167b3052f473fe9517d51e42eb971e4a0f07629a380d0be4623d2dfbddc00addcf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AD2Sp5AI.exe

Filesize
534KB

MD5
6e11366a475c6df40ce03e296c07c0d7

SHA1
c105bc160758eeb886cf8c87b3f8b8c5d59525fd

SHA256
92f0aa1db064aebe85780c28d38101e7a1c3ac88151b0aafd5bb8c7cb192ceeb

SHA512
041d64dce09e0652b57803beb11b2cbda002751988ccb4819da39965a733167b3052f473fe9517d51e42eb971e4a0f07629a380d0be4623d2dfbddc00addcf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RT1Of9FP.exe

Filesize
352KB

MD5
170a8f1ecdcc7a62a478e38a39456ad7

SHA1
766d1aa79a81f0766d58313951cf8c8a475a7101

SHA256
146494c15d62af3b10293eef52ac59713a83862ed1100186bae4f323da40413d

SHA512
e1a3666fa1c0e246c816c166dc90927f5b936c3cf5969d88e5065c3335137534d23ec3889a599f3d85c1483f9ccd57b1d38541fc260f5948ed20e7774ba52b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RT1Of9FP.exe

Filesize
352KB

MD5
170a8f1ecdcc7a62a478e38a39456ad7

SHA1
766d1aa79a81f0766d58313951cf8c8a475a7101

SHA256
146494c15d62af3b10293eef52ac59713a83862ed1100186bae4f323da40413d

SHA512
e1a3666fa1c0e246c816c166dc90927f5b936c3cf5969d88e5065c3335137534d23ec3889a599f3d85c1483f9ccd57b1d38541fc260f5948ed20e7774ba52b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\am3Vw68.exe

Filesize
140KB

MD5
10ad2bafcf425f003256c6462a88fd7f

SHA1
f5f362f93b4637ff39119e70bbd3556fb4fa81df

SHA256
b6276c6759352e70ed880d2a57ce5aa8346298e026f2cb894f8186e7ca0d9c75

SHA512
429a7f56209b44cab4369f45c4added47ce59b3a08170d4ffdb6525d025242e29d1eb4c648d29282f6dc71b35ec5dc2ec6a796ee02e656e9a1ea2fba752d8829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\am3Vw68.exe

Filesize
140KB

MD5
10ad2bafcf425f003256c6462a88fd7f

SHA1
f5f362f93b4637ff39119e70bbd3556fb4fa81df

SHA256
b6276c6759352e70ed880d2a57ce5aa8346298e026f2cb894f8186e7ca0d9c75

SHA512
429a7f56209b44cab4369f45c4added47ce59b3a08170d4ffdb6525d025242e29d1eb4c648d29282f6dc71b35ec5dc2ec6a796ee02e656e9a1ea2fba752d8829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ft086Bl.exe

Filesize
386KB

MD5
e416810d89cd0a81c11924947a1ac6f6

SHA1
83e465530390ce243554116d899747f2683acc11

SHA256
d67a1988de433dcaeea49e4b40d732d6a6f18da33246e77329d72b70d6ca7f38

SHA512
6e160654ea51777170ed0932b57254eeddf6d418b99d4df3d914797883c78e49d5eb90147fe6c141773678facd62b324e395cb0f6a1af062236f3ac3eaff1e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ft086Bl.exe

Filesize
386KB

MD5
e416810d89cd0a81c11924947a1ac6f6

SHA1
83e465530390ce243554116d899747f2683acc11

SHA256
d67a1988de433dcaeea49e4b40d732d6a6f18da33246e77329d72b70d6ca7f38

SHA512
6e160654ea51777170ed0932b57254eeddf6d418b99d4df3d914797883c78e49d5eb90147fe6c141773678facd62b324e395cb0f6a1af062236f3ac3eaff1e9c

Download Submit
memory/5044-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-42-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download
memory/5044-43-0x000000000B8E0000-0x000000000BDDE000-memory.dmp

Filesize
5.0MB

Download
memory/5044-44-0x000000000B4D0000-0x000000000B562000-memory.dmp

Filesize
584KB

Download
memory/5044-45-0x000000000B650000-0x000000000B65A000-memory.dmp

Filesize
40KB

Download
memory/5044-46-0x000000000C3F0000-0x000000000C9F6000-memory.dmp

Filesize
6.0MB

Download
memory/5044-47-0x000000000BDE0000-0x000000000BEEA000-memory.dmp

Filesize
1.0MB

Download
memory/5044-48-0x000000000B750000-0x000000000B762000-memory.dmp

Filesize
72KB

Download
memory/5044-49-0x000000000B7B0000-0x000000000B7EE000-memory.dmp

Filesize
248KB

Download
memory/5044-50-0x000000000B7F0000-0x000000000B83B000-memory.dmp

Filesize
300KB

Download
memory/5044-55-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads