mystic | dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe
Size

1.6MB
MD5

2731ca8cd9dc6d779dde6387c96ee456
SHA1

c270a682cb997a86948996da255894e632ba0c0c
SHA256

dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55
SHA512

7af7f19443bd89f879e5d8ddcda86b45331e15a0f72466cf2a7cee72e5afcc48c1846b14b318e1b6bc8540343d801b11dca5741b764aa72b05c79b4cf0d999cf
SSDEEP

24576:IyyvQxvejPKAHkZHbUWPCXxFp/C0xH/YgmBlJJc3aNz0N7LZtUw+4SjqgKb5NA:Pyy0PHHkOWyH/55/YgkJJLNoN7NFnbb

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3420-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3420-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3420-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3420-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231ff-40.dat	family_redline
behavioral1/files/0x00070000000231ff-42.dat	family_redline
behavioral1/memory/4676-43-0x0000000000C60000-0x0000000000C9E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2944	Op3BC3WR.exe
4624	YM6nr6AI.exe
2516	Xj4dM6fr.exe
4292	TX3Yp0FN.exe
504	1rN57eR9.exe
4676	2Tr891im.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Op3BC3WR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	YM6nr6AI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Xj4dM6fr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	TX3Yp0FN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 504 set thread context of 3420	504	1rN57eR9.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3968	504	WerFault.exe	90
2612	3420	WerFault.exe	92

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 2944	3232	dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe	86
PID 3232 wrote to memory of 2944	3232	dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe	86
PID 3232 wrote to memory of 2944	3232	dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe	86
PID 2944 wrote to memory of 4624	2944	Op3BC3WR.exe	87
PID 2944 wrote to memory of 4624	2944	Op3BC3WR.exe	87
PID 2944 wrote to memory of 4624	2944	Op3BC3WR.exe	87
PID 4624 wrote to memory of 2516	4624	YM6nr6AI.exe	88
PID 4624 wrote to memory of 2516	4624	YM6nr6AI.exe	88
PID 4624 wrote to memory of 2516	4624	YM6nr6AI.exe	88
PID 2516 wrote to memory of 4292	2516	Xj4dM6fr.exe	89
PID 2516 wrote to memory of 4292	2516	Xj4dM6fr.exe	89
PID 2516 wrote to memory of 4292	2516	Xj4dM6fr.exe	89
PID 4292 wrote to memory of 504	4292	TX3Yp0FN.exe	90
PID 4292 wrote to memory of 504	4292	TX3Yp0FN.exe	90
PID 4292 wrote to memory of 504	4292	TX3Yp0FN.exe	90
PID 504 wrote to memory of 1284	504	1rN57eR9.exe	91
PID 504 wrote to memory of 1284	504	1rN57eR9.exe	91
PID 504 wrote to memory of 1284	504	1rN57eR9.exe	91
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 504 wrote to memory of 3420	504	1rN57eR9.exe	92
PID 4292 wrote to memory of 4676	4292	TX3Yp0FN.exe	98
PID 4292 wrote to memory of 4676	4292	TX3Yp0FN.exe	98
PID 4292 wrote to memory of 4676	4292	TX3Yp0FN.exe	98

C:\Users\Admin\AppData\Local\Temp\dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe
"C:\Users\Admin\AppData\Local\Temp\dfd5ed52394a8db71e580a80f92b41d6af5890359860b4d46eb1b1e1a31acd55.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op3BC3WR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op3BC3WR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YM6nr6AI.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YM6nr6AI.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj4dM6fr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj4dM6fr.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TX3Yp0FN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TX3Yp0FN.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rN57eR9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rN57eR9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 540
        8⤵
        Program crash
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 608
        7⤵
        Program crash
        
        PID:3968
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tr891im.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tr891im.exe
        6⤵
        Executes dropped EXE
        
        PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3420 -ip 3420
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 504 -ip 504
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op3BC3WR.exe

Filesize
1.5MB

MD5
386519fa910ce470401ac51fdaa7065a

SHA1
54ce141180225a9f9104ab1bd5afaca96dc25e8e

SHA256
76f506d0eeb376c9181ab33267f24f9fb8f8f461ab4e917217af33ca598f696c

SHA512
6dd72f95195760e06ce7fde45965e37e7d91c73e5493e09baeb4fc3a5afe77603f64f580847dae9a0d1863efa7084d44044ad3ba1cb44de4f5aa5812be73178d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op3BC3WR.exe

Filesize
1.5MB

MD5
386519fa910ce470401ac51fdaa7065a

SHA1
54ce141180225a9f9104ab1bd5afaca96dc25e8e

SHA256
76f506d0eeb376c9181ab33267f24f9fb8f8f461ab4e917217af33ca598f696c

SHA512
6dd72f95195760e06ce7fde45965e37e7d91c73e5493e09baeb4fc3a5afe77603f64f580847dae9a0d1863efa7084d44044ad3ba1cb44de4f5aa5812be73178d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YM6nr6AI.exe

Filesize
1.3MB

MD5
8039dfb5b45c06af483f026f9e48cc12

SHA1
7a9df2ff69b7785479984035c7e49daf042dc5a6

SHA256
e4c551a588bb1da10cd0cbafdd31b74f35760435bcbd67c7e46d40328180de75

SHA512
46386ecf336dca49901753fd64c34045b65e30f5af1e81392305d25fb7263fcfc5a12fca74019fa2ae970dde776289c68e832e9fdbff68fac6ada6ed883fd986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YM6nr6AI.exe

Filesize
1.3MB

MD5
8039dfb5b45c06af483f026f9e48cc12

SHA1
7a9df2ff69b7785479984035c7e49daf042dc5a6

SHA256
e4c551a588bb1da10cd0cbafdd31b74f35760435bcbd67c7e46d40328180de75

SHA512
46386ecf336dca49901753fd64c34045b65e30f5af1e81392305d25fb7263fcfc5a12fca74019fa2ae970dde776289c68e832e9fdbff68fac6ada6ed883fd986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj4dM6fr.exe

Filesize
825KB

MD5
0904d16c6f1bcb6b6bc44821a510267a

SHA1
57d59111038d7fca3b4c0096727022ecab07c10b

SHA256
604db450f0ba51959b4119f04fcec662fb16401fe59a7971498a8bc187a1d440

SHA512
c0b42899632d363217140a56f37ec50c6de21632aa552210fd78b744302271121f86204b6b4860ce6cc5f99c8ddcae51cd6c01ac65d4aaa2f089d97c1dc7dc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj4dM6fr.exe

Filesize
825KB

MD5
0904d16c6f1bcb6b6bc44821a510267a

SHA1
57d59111038d7fca3b4c0096727022ecab07c10b

SHA256
604db450f0ba51959b4119f04fcec662fb16401fe59a7971498a8bc187a1d440

SHA512
c0b42899632d363217140a56f37ec50c6de21632aa552210fd78b744302271121f86204b6b4860ce6cc5f99c8ddcae51cd6c01ac65d4aaa2f089d97c1dc7dc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TX3Yp0FN.exe

Filesize
653KB

MD5
8d33e7d325b44e6e498d02b0f6a757df

SHA1
73f0c503b150ec673f8fc374d0eba4500fa60b13

SHA256
0f3868b7f755b0ebb9ec98e1d27c46665b604a21077fdfda63a857d813d7c5e3

SHA512
fdefbc5a912cf423b1f9871966aebcbc07a1594ca786090296ed0fefe748f40e9d22cf9e21a23dcff76ed2c25eb42ccbee55162e370de6c8708f83e61b7300fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TX3Yp0FN.exe

Filesize
653KB

MD5
8d33e7d325b44e6e498d02b0f6a757df

SHA1
73f0c503b150ec673f8fc374d0eba4500fa60b13

SHA256
0f3868b7f755b0ebb9ec98e1d27c46665b604a21077fdfda63a857d813d7c5e3

SHA512
fdefbc5a912cf423b1f9871966aebcbc07a1594ca786090296ed0fefe748f40e9d22cf9e21a23dcff76ed2c25eb42ccbee55162e370de6c8708f83e61b7300fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rN57eR9.exe

Filesize
1.8MB

MD5
bd032be5afa292fc8ed69763de8eb291

SHA1
6ed592304dd4a21ef621dd3ff3de57801a7e1c9c

SHA256
c4e722f57977f3c8a94cadc754675ddd632db29d038b99bcae4122da7ec4b4cf

SHA512
85d43e140ff20a8c084929b4916f7ab23d614280eb5985bbf33e67d1499ef7348f92c44fd6a34b118db1afe3842800075715d7541590724a9efe8258ab688a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rN57eR9.exe

Filesize
1.8MB

MD5
bd032be5afa292fc8ed69763de8eb291

SHA1
6ed592304dd4a21ef621dd3ff3de57801a7e1c9c

SHA256
c4e722f57977f3c8a94cadc754675ddd632db29d038b99bcae4122da7ec4b4cf

SHA512
85d43e140ff20a8c084929b4916f7ab23d614280eb5985bbf33e67d1499ef7348f92c44fd6a34b118db1afe3842800075715d7541590724a9efe8258ab688a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tr891im.exe

Filesize
230KB

MD5
524fd61f1bfe8b00cba208f8903b446c

SHA1
25c2b9166fe80445f3de2700656f196ffa4b7ffc

SHA256
57ef1b4d3c0f3f52337b0f80c1b2477c57934c1a90f4e62f8eaaac9ac4a21b8a

SHA512
58a4c66dd1cdac3d7c75eb1deb06d18747bb3b50714e760e269bc1f092ddc1c45d2fdc6353c611f3908f417cd34adae120658774a989bcaf046f128989a6949f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tr891im.exe

Filesize
230KB

MD5
524fd61f1bfe8b00cba208f8903b446c

SHA1
25c2b9166fe80445f3de2700656f196ffa4b7ffc

SHA256
57ef1b4d3c0f3f52337b0f80c1b2477c57934c1a90f4e62f8eaaac9ac4a21b8a

SHA512
58a4c66dd1cdac3d7c75eb1deb06d18747bb3b50714e760e269bc1f092ddc1c45d2fdc6353c611f3908f417cd34adae120658774a989bcaf046f128989a6949f

Download Submit
memory/3420-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3420-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3420-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3420-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4676-46-0x0000000007B80000-0x0000000007C12000-memory.dmp

Filesize
584KB

Download
memory/4676-43-0x0000000000C60000-0x0000000000C9E000-memory.dmp

Filesize
248KB

Download
memory/4676-45-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/4676-44-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4676-47-0x0000000007B10000-0x0000000007B20000-memory.dmp

Filesize
64KB

Download
memory/4676-48-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/4676-49-0x0000000008C60000-0x0000000009278000-memory.dmp

Filesize
6.1MB

Download
memory/4676-50-0x0000000007EF0000-0x0000000007FFA000-memory.dmp

Filesize
1.0MB

Download
memory/4676-51-0x0000000007E00000-0x0000000007E12000-memory.dmp

Filesize
72KB

Download
memory/4676-52-0x0000000007E60000-0x0000000007E9C000-memory.dmp

Filesize
240KB

Download
memory/4676-53-0x0000000007EA0000-0x0000000007EEC000-memory.dmp

Filesize
304KB

Download
memory/4676-54-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4676-55-0x0000000007B10000-0x0000000007B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads