mystic | 598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe
Size

1.6MB
MD5

779291f87592584538220c5287542ca0
SHA1

f2e415566f1896f2eb39d0dc80d8d72dcae9ed36
SHA256

598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17
SHA512

7a79d2d2b813468470dd2f4c9813f59d8949d11587ad11523212a3d503038cc3c2af56f4cf850e2875fce8f89f30b6ec66a2d0fd68996ce46de3158e9e31421d
SSDEEP

49152:Bplchvxx63aes4b+Yv/bbFugBbpV10wdHmBly:7lchvxxwDXXbbdFV10wU

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1708-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1708-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1708-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1708-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000231d3-41.dat	family_redline
behavioral1/files/0x00060000000231d3-42.dat	family_redline
behavioral1/memory/1236-43-0x00000000007D0000-0x000000000080E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2548	dw2bN7rp.exe
4120	kG7xM8nI.exe
3548	ad1Fj3XK.exe
3736	aH8xz7wB.exe
1960	1mY22MC8.exe
1236	2tf567do.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dw2bN7rp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kG7xM8nI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ad1Fj3XK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aH8xz7wB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 1708	1960	1mY22MC8.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1864	1960	WerFault.exe	87
1100	1708	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2548	4136	598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe	83
PID 4136 wrote to memory of 2548	4136	598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe	83
PID 4136 wrote to memory of 2548	4136	598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe	83
PID 2548 wrote to memory of 4120	2548	dw2bN7rp.exe	84
PID 2548 wrote to memory of 4120	2548	dw2bN7rp.exe	84
PID 2548 wrote to memory of 4120	2548	dw2bN7rp.exe	84
PID 4120 wrote to memory of 3548	4120	kG7xM8nI.exe	85
PID 4120 wrote to memory of 3548	4120	kG7xM8nI.exe	85
PID 4120 wrote to memory of 3548	4120	kG7xM8nI.exe	85
PID 3548 wrote to memory of 3736	3548	ad1Fj3XK.exe	86
PID 3548 wrote to memory of 3736	3548	ad1Fj3XK.exe	86
PID 3548 wrote to memory of 3736	3548	ad1Fj3XK.exe	86
PID 3736 wrote to memory of 1960	3736	aH8xz7wB.exe	87
PID 3736 wrote to memory of 1960	3736	aH8xz7wB.exe	87
PID 3736 wrote to memory of 1960	3736	aH8xz7wB.exe	87
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 1960 wrote to memory of 1708	1960	1mY22MC8.exe	92
PID 3736 wrote to memory of 1236	3736	aH8xz7wB.exe	98
PID 3736 wrote to memory of 1236	3736	aH8xz7wB.exe	98
PID 3736 wrote to memory of 1236	3736	aH8xz7wB.exe	98

C:\Users\Admin\AppData\Local\Temp\598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe
"C:\Users\Admin\AppData\Local\Temp\598471c286035cefc0e31d3a3f7626e6842d05497155eba7b1483f8a08862b17.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw2bN7rp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw2bN7rp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kG7xM8nI.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kG7xM8nI.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad1Fj3XK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad1Fj3XK.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aH8xz7wB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aH8xz7wB.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mY22MC8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mY22MC8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 204
        8⤵
        Program crash
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 568
        7⤵
        Program crash
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf567do.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf567do.exe
        6⤵
        Executes dropped EXE
        
        PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1960 -ip 1960
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1708 -ip 1708
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw2bN7rp.exe

Filesize
1.5MB

MD5
2250122bae011df7291803fa67381c98

SHA1
e625752d812f844a94405dedbcdf25a419a97fca

SHA256
0fcff74fa3e950845fdc00a77a93a4553098840ce3c144977f1a5fd22fe127cc

SHA512
be3717489d36972b146ba7f182618cdb30f770f8abe660acbcf663dd156153cfb37986e95aa69ffcf3550f44c5d3f9716337975bf4765a986d272fb064d61278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw2bN7rp.exe

Filesize
1.5MB

MD5
2250122bae011df7291803fa67381c98

SHA1
e625752d812f844a94405dedbcdf25a419a97fca

SHA256
0fcff74fa3e950845fdc00a77a93a4553098840ce3c144977f1a5fd22fe127cc

SHA512
be3717489d36972b146ba7f182618cdb30f770f8abe660acbcf663dd156153cfb37986e95aa69ffcf3550f44c5d3f9716337975bf4765a986d272fb064d61278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kG7xM8nI.exe

Filesize
1.3MB

MD5
5796f40f9aacab4bea63f4a632c82ff2

SHA1
a2a9bcc34dc19aa2be0786df61d851ecdc0316b1

SHA256
26163795d90da8a98a738615263977ce390f78857ba3376ef4e7ba75eac9baca

SHA512
babff3c00eca4b7176a04eb80343cbcce4f2716b3dc8133fdf28a8afddf4cf1f7ff85de915f1a841445f76d35efd9b0913bdadd48027bcaa2dfb5f18634bcebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kG7xM8nI.exe

Filesize
1.3MB

MD5
5796f40f9aacab4bea63f4a632c82ff2

SHA1
a2a9bcc34dc19aa2be0786df61d851ecdc0316b1

SHA256
26163795d90da8a98a738615263977ce390f78857ba3376ef4e7ba75eac9baca

SHA512
babff3c00eca4b7176a04eb80343cbcce4f2716b3dc8133fdf28a8afddf4cf1f7ff85de915f1a841445f76d35efd9b0913bdadd48027bcaa2dfb5f18634bcebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad1Fj3XK.exe

Filesize
825KB

MD5
4a9d62db08c6f47ccffd087f70baecf7

SHA1
f3a55c0f103d806b22cacabf5cfc7d622088c043

SHA256
22929f541176a7024926157841be3cb3f9f581de15676a1d9b60f9a6c9be4a75

SHA512
d4406eedafa4edf001b76e285d9e3cd93584787879aa141188dd47d5e697c9088b749dcef8d823d85ff1ccfd10e7e59f35cb9349f3bfb4c910e9cfab5d28361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad1Fj3XK.exe

Filesize
825KB

MD5
4a9d62db08c6f47ccffd087f70baecf7

SHA1
f3a55c0f103d806b22cacabf5cfc7d622088c043

SHA256
22929f541176a7024926157841be3cb3f9f581de15676a1d9b60f9a6c9be4a75

SHA512
d4406eedafa4edf001b76e285d9e3cd93584787879aa141188dd47d5e697c9088b749dcef8d823d85ff1ccfd10e7e59f35cb9349f3bfb4c910e9cfab5d28361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aH8xz7wB.exe

Filesize
653KB

MD5
952388012f4720b4aafa668a300e4b57

SHA1
0c98c78015807f1d7a7afbf1c66299533d5c0995

SHA256
b34ba90924afdb8762f1ecd05a03b025be74346a6de4c32fa316bb8f652aeb4f

SHA512
44579d418bf1afb4d9db0be0d20756ac6d6597d3094c65a7daa234bcb86f67c6bfb85a7868e8a2cad127e29a223707983a84078bf60176ef7475ac5d4c1aa75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aH8xz7wB.exe

Filesize
653KB

MD5
952388012f4720b4aafa668a300e4b57

SHA1
0c98c78015807f1d7a7afbf1c66299533d5c0995

SHA256
b34ba90924afdb8762f1ecd05a03b025be74346a6de4c32fa316bb8f652aeb4f

SHA512
44579d418bf1afb4d9db0be0d20756ac6d6597d3094c65a7daa234bcb86f67c6bfb85a7868e8a2cad127e29a223707983a84078bf60176ef7475ac5d4c1aa75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mY22MC8.exe

Filesize
1.8MB

MD5
e4a6b7c65f05b57051a96cfed910128d

SHA1
c4ba101c9efa07283a5b82af2820639852f6f40d

SHA256
d171180ac04f5deca1ba57def0a03431bac654429eaa6e0a6a48e9d1a761294f

SHA512
981ee577cb00398cb89035ba7b5c18315f4752a1272ee01e3b04b97aef7e115ec4be10453868ed94f174d7b72503538acb1280d1471dec08cbe5a213cc00415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mY22MC8.exe

Filesize
1.8MB

MD5
e4a6b7c65f05b57051a96cfed910128d

SHA1
c4ba101c9efa07283a5b82af2820639852f6f40d

SHA256
d171180ac04f5deca1ba57def0a03431bac654429eaa6e0a6a48e9d1a761294f

SHA512
981ee577cb00398cb89035ba7b5c18315f4752a1272ee01e3b04b97aef7e115ec4be10453868ed94f174d7b72503538acb1280d1471dec08cbe5a213cc00415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf567do.exe

Filesize
230KB

MD5
bbe29d23fb446916a96829fe26d0d1b3

SHA1
53c498eee6ee26fa86be522d11fca87f2f599547

SHA256
50b92357799ae61846da7efe68328eead11f015f6761a99a4e19e76c2c06d4d5

SHA512
9143b354da32b6f4ad8d4f42af00a206363c9b2b7da80e6d1c98f499024fffbf5903a84282ef56c2ecb41519270a349e2e52f363c11dd835a56f87d363545115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf567do.exe

Filesize
230KB

MD5
bbe29d23fb446916a96829fe26d0d1b3

SHA1
53c498eee6ee26fa86be522d11fca87f2f599547

SHA256
50b92357799ae61846da7efe68328eead11f015f6761a99a4e19e76c2c06d4d5

SHA512
9143b354da32b6f4ad8d4f42af00a206363c9b2b7da80e6d1c98f499024fffbf5903a84282ef56c2ecb41519270a349e2e52f363c11dd835a56f87d363545115

Download Submit
memory/1236-46-0x00000000076B0000-0x0000000007742000-memory.dmp

Filesize
584KB

Download
memory/1236-48-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/1236-55-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/1236-54-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-43-0x00000000007D0000-0x000000000080E000-memory.dmp

Filesize
248KB

Download
memory/1236-44-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-45-0x0000000007BC0000-0x0000000008164000-memory.dmp

Filesize
5.6MB

Download
memory/1236-53-0x0000000007A00000-0x0000000007A4C000-memory.dmp

Filesize
304KB

Download
memory/1236-52-0x00000000079C0000-0x00000000079FC000-memory.dmp

Filesize
240KB

Download
memory/1236-49-0x0000000008790000-0x0000000008DA8000-memory.dmp

Filesize
6.1MB

Download
memory/1236-47-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/1236-50-0x0000000008170000-0x000000000827A000-memory.dmp

Filesize
1.0MB

Download
memory/1236-51-0x0000000007960000-0x0000000007972000-memory.dmp

Filesize
72KB

Download
memory/1708-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads