mystic | ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe
Size

1.1MB
MD5

192f2ee45389d75a4d328a0d61f01ab4
SHA1

16d455fe68909f3aef6bc57824eed0fa13810074
SHA256

ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35
SHA512

0f39cfa9c9dd11f35f23ad66dc40a118407e334cb6da47d378a576fb03c02831abe7f247b64bda3bcb8ba60b4b74c3a0bc87abdd205e2d0de3beed3e63f55e7d
SSDEEP

24576:VyRe8JlgeVfwugP++nFFZJqBUVb8FMymlDTQl:wRLlfVYugPJMMyeD

Score

10^/10

mystic redline larek infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

larek

77.91.124.55:19071

Signatures

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023092-36.dat	family_redline
behavioral1/files/0x0006000000023092-37.dat	family_redline
behavioral1/memory/4712-39-0x0000000000EA0000-0x0000000000EDE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3612	zL5oE5XD.exe
4776	BX9AV5yq.exe
2404	KY3gq4At.exe
3736	iz4yu4rG.exe
2312	du1xW13.exe
4712	Oi199mT.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zL5oE5XD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	BX9AV5yq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KY3gq4At.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	iz4yu4rG.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3612	2752	ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe	85
PID 2752 wrote to memory of 3612	2752	ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe	85
PID 2752 wrote to memory of 3612	2752	ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe	85
PID 3612 wrote to memory of 4776	3612	zL5oE5XD.exe	87
PID 3612 wrote to memory of 4776	3612	zL5oE5XD.exe	87
PID 3612 wrote to memory of 4776	3612	zL5oE5XD.exe	87
PID 4776 wrote to memory of 2404	4776	BX9AV5yq.exe	89
PID 4776 wrote to memory of 2404	4776	BX9AV5yq.exe	89
PID 4776 wrote to memory of 2404	4776	BX9AV5yq.exe	89
PID 2404 wrote to memory of 3736	2404	KY3gq4At.exe	90
PID 2404 wrote to memory of 3736	2404	KY3gq4At.exe	90
PID 2404 wrote to memory of 3736	2404	KY3gq4At.exe	90
PID 3736 wrote to memory of 2312	3736	iz4yu4rG.exe	91
PID 3736 wrote to memory of 2312	3736	iz4yu4rG.exe	91
PID 3736 wrote to memory of 2312	3736	iz4yu4rG.exe	91
PID 3736 wrote to memory of 4712	3736	iz4yu4rG.exe	94
PID 3736 wrote to memory of 4712	3736	iz4yu4rG.exe	94
PID 3736 wrote to memory of 4712	3736	iz4yu4rG.exe	94

C:\Users\Admin\AppData\Local\Temp\ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe
"C:\Users\Admin\AppData\Local\Temp\ee55b8cdb9ccdaf77038f607915be87182334677f6efd2275c662e4a62606f35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zL5oE5XD.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zL5oE5XD.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX9AV5yq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX9AV5yq.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY3gq4At.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY3gq4At.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iz4yu4rG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iz4yu4rG.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\du1xW13.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\du1xW13.exe
        6⤵
        Executes dropped EXE
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Oi199mT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Oi199mT.exe
        6⤵
        Executes dropped EXE
        
        PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zL5oE5XD.exe

Filesize
961KB

MD5
852d976afaefb2f687f154083c03adbc

SHA1
a04f3b18f772324b5021f2303978a5975b83d1df

SHA256
b31a62383887472217301e5979026a4201f35c388fdb2d1365b28c13fa7d9675

SHA512
3b2db88ceaf4d67432089aaba18788d5b8007f46595d28066953f5ce87f1b85d6862dfaf669ebc4b63129096b842b7c591d865542a7ddc7417297028c5c39b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zL5oE5XD.exe

Filesize
961KB

MD5
852d976afaefb2f687f154083c03adbc

SHA1
a04f3b18f772324b5021f2303978a5975b83d1df

SHA256
b31a62383887472217301e5979026a4201f35c388fdb2d1365b28c13fa7d9675

SHA512
3b2db88ceaf4d67432089aaba18788d5b8007f46595d28066953f5ce87f1b85d6862dfaf669ebc4b63129096b842b7c591d865542a7ddc7417297028c5c39b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX9AV5yq.exe

Filesize
719KB

MD5
d03b2d1a008cbb038bef849753624ca4

SHA1
b76c78447d3ad58c7ecbd02abd1b33f70ccd6bc5

SHA256
771a333a7e66ea13e8e749e4351998ae6a0abd63776ed64e9eae3fba0bfb200a

SHA512
b316ce4b760bb4c6ad7ce51ae70df71d39b1208ea70f014a8199b3a66c50c7d08cb9f5dd4d1626713daa8b4e12b873bba5be8280934e4d2e68e4d32bf423927b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX9AV5yq.exe

Filesize
719KB

MD5
d03b2d1a008cbb038bef849753624ca4

SHA1
b76c78447d3ad58c7ecbd02abd1b33f70ccd6bc5

SHA256
771a333a7e66ea13e8e749e4351998ae6a0abd63776ed64e9eae3fba0bfb200a

SHA512
b316ce4b760bb4c6ad7ce51ae70df71d39b1208ea70f014a8199b3a66c50c7d08cb9f5dd4d1626713daa8b4e12b873bba5be8280934e4d2e68e4d32bf423927b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY3gq4At.exe

Filesize
537KB

MD5
f70d3054632feb330ff712002b5cd889

SHA1
2ac901bf8992119d98b70067eb4c1932b6c4773a

SHA256
63b0e638b60b6cf4f44ba17a79e1cbb23ba3e96f2d17258b2506b981a25d0a13

SHA512
67db35dd4bca15894ed65fbf7dea70e9653bb2bbcf5847f8f3cfbb91fbc136424c2e4b2eaa76bb0c0d15ae6aeaacaa42286a0659dace6c199c088e53c0d6c1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY3gq4At.exe

Filesize
537KB

MD5
f70d3054632feb330ff712002b5cd889

SHA1
2ac901bf8992119d98b70067eb4c1932b6c4773a

SHA256
63b0e638b60b6cf4f44ba17a79e1cbb23ba3e96f2d17258b2506b981a25d0a13

SHA512
67db35dd4bca15894ed65fbf7dea70e9653bb2bbcf5847f8f3cfbb91fbc136424c2e4b2eaa76bb0c0d15ae6aeaacaa42286a0659dace6c199c088e53c0d6c1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iz4yu4rG.exe

Filesize
289KB

MD5
49e50ebbf1a426419c5a418621efb366

SHA1
a602fd80f52ae379822e93422e8c064322cedbcd

SHA256
75a3769bd13585f717fa900416a4e39c26ca1c875d1456461008cf3672478ff2

SHA512
46f30d707e43d5aa219c174d1c769062922f6e97e7d7c2ed6b2a7f15ceb38e47fd63d943337d7e910d644fb8e5464fdf060b9d549abc29c713e1be7808452254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iz4yu4rG.exe

Filesize
289KB

MD5
49e50ebbf1a426419c5a418621efb366

SHA1
a602fd80f52ae379822e93422e8c064322cedbcd

SHA256
75a3769bd13585f717fa900416a4e39c26ca1c875d1456461008cf3672478ff2

SHA512
46f30d707e43d5aa219c174d1c769062922f6e97e7d7c2ed6b2a7f15ceb38e47fd63d943337d7e910d644fb8e5464fdf060b9d549abc29c713e1be7808452254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Oi199mT.exe

Filesize
221KB

MD5
9cc8d7691211535a362c3c88eb62a57a

SHA1
156cfdae994e0001723b53a2fd5fb01d830a6695

SHA256
0b565cd5aa9e2434c70d94c1cd067a7beac52c2011d7aca43054c13cb12381c0

SHA512
826483813fb00fa11ffa84acfb2cd0ea4aeb4dd6aea8cfaa9b4758e2a1f23ec9e803198c4955826e555a26f8cdaedadbf8c71ea29fd47ba0986158258bf8878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Oi199mT.exe

Filesize
221KB

MD5
9cc8d7691211535a362c3c88eb62a57a

SHA1
156cfdae994e0001723b53a2fd5fb01d830a6695

SHA256
0b565cd5aa9e2434c70d94c1cd067a7beac52c2011d7aca43054c13cb12381c0

SHA512
826483813fb00fa11ffa84acfb2cd0ea4aeb4dd6aea8cfaa9b4758e2a1f23ec9e803198c4955826e555a26f8cdaedadbf8c71ea29fd47ba0986158258bf8878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\du1xW13.exe

Filesize
140KB

MD5
3e6967ca542941cd32696b8253f73f91

SHA1
9d3c97ef9b0197d75bd809eb3543a444a53c23db

SHA256
2449ee0a0219e04fe89e2cd2fe919ae133c1695fdff92e4ab2e01711a2f140e1

SHA512
a109141dbba81fccdd5fc8bc3754810f48286259fd36530c83b5087411e92bce356bc45979ee6c90ad3736bddef49d6fdfa96960311410d4a8df689fbd248bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\du1xW13.exe

Filesize
140KB

MD5
3e6967ca542941cd32696b8253f73f91

SHA1
9d3c97ef9b0197d75bd809eb3543a444a53c23db

SHA256
2449ee0a0219e04fe89e2cd2fe919ae133c1695fdff92e4ab2e01711a2f140e1

SHA512
a109141dbba81fccdd5fc8bc3754810f48286259fd36530c83b5087411e92bce356bc45979ee6c90ad3736bddef49d6fdfa96960311410d4a8df689fbd248bf1

Download Submit
memory/4712-38-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/4712-39-0x0000000000EA0000-0x0000000000EDE000-memory.dmp

Filesize
248KB

Download
memory/4712-40-0x00000000081A0000-0x0000000008744000-memory.dmp

Filesize
5.6MB

Download
memory/4712-41-0x0000000007C90000-0x0000000007D22000-memory.dmp

Filesize
584KB

Download
memory/4712-42-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download
memory/4712-43-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/4712-44-0x0000000008D70000-0x0000000009388000-memory.dmp

Filesize
6.1MB

Download
memory/4712-45-0x0000000007FE0000-0x00000000080EA000-memory.dmp

Filesize
1.0MB

Download
memory/4712-46-0x0000000007F00000-0x0000000007F12000-memory.dmp

Filesize
72KB

Download
memory/4712-47-0x0000000007F60000-0x0000000007F9C000-memory.dmp

Filesize
240KB

Download
memory/4712-48-0x00000000080F0000-0x000000000813C000-memory.dmp

Filesize
304KB

Download
memory/4712-49-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/4712-50-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads