mystic | 19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe
Size

1.6MB
MD5

4394688b530b0877db9bb4dcefc8140a
SHA1

f4dc549c339540d793c2e6fb9cdabd3905f757ea
SHA256

19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af
SHA512

9d08f223ab748689d83da3f82ed42a50c5b28433c6797bef633f9139db8d6371e2e9f26685e64a68c091922c68bcc6e7f8ec22212907e400a183cc815bceaaa5
SSDEEP

49152:mF1BiGjRHglYmqdOisVhOOQ3gci462IpJOhok:u1Biq+HqdBsV4Au9UJHk

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3656-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3656-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3656-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3656-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002327a-41.dat	family_redline
behavioral2/files/0x000600000002327a-42.dat	family_redline
behavioral2/memory/3816-43-0x00000000007F0000-0x000000000082E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4316	Zr2eE0PT.exe
4376	KB3he5tC.exe
5012	QU0Ps2ie.exe
1280	Sx2Oc1GS.exe
1560	1XT59Rl4.exe
3816	2AG012ky.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Zr2eE0PT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KB3he5tC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QU0Ps2ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Sx2Oc1GS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 3656	1560	1XT59Rl4.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
776	1560	WerFault.exe	90
3248	3656	WerFault.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4316	4068	19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe	85
PID 4068 wrote to memory of 4316	4068	19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe	85
PID 4068 wrote to memory of 4316	4068	19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe	85
PID 4316 wrote to memory of 4376	4316	Zr2eE0PT.exe	86
PID 4316 wrote to memory of 4376	4316	Zr2eE0PT.exe	86
PID 4316 wrote to memory of 4376	4316	Zr2eE0PT.exe	86
PID 4376 wrote to memory of 5012	4376	KB3he5tC.exe	88
PID 4376 wrote to memory of 5012	4376	KB3he5tC.exe	88
PID 4376 wrote to memory of 5012	4376	KB3he5tC.exe	88
PID 5012 wrote to memory of 1280	5012	QU0Ps2ie.exe	89
PID 5012 wrote to memory of 1280	5012	QU0Ps2ie.exe	89
PID 5012 wrote to memory of 1280	5012	QU0Ps2ie.exe	89
PID 1280 wrote to memory of 1560	1280	Sx2Oc1GS.exe	90
PID 1280 wrote to memory of 1560	1280	Sx2Oc1GS.exe	90
PID 1280 wrote to memory of 1560	1280	Sx2Oc1GS.exe	90
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1560 wrote to memory of 3656	1560	1XT59Rl4.exe	91
PID 1280 wrote to memory of 3816	1280	Sx2Oc1GS.exe	100
PID 1280 wrote to memory of 3816	1280	Sx2Oc1GS.exe	100
PID 1280 wrote to memory of 3816	1280	Sx2Oc1GS.exe	100

C:\Users\Admin\AppData\Local\Temp\19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe
"C:\Users\Admin\AppData\Local\Temp\19f6c3c2a3ef47c00d7ed7b6fdbcad3d4697755f747daf56384adf39ade0b8af_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zr2eE0PT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zr2eE0PT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB3he5tC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB3he5tC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QU0Ps2ie.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QU0Ps2ie.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sx2Oc1GS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sx2Oc1GS.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XT59Rl4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XT59Rl4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 540
        8⤵
        Program crash
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 580
        7⤵
        Program crash
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AG012ky.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AG012ky.exe
        6⤵
        Executes dropped EXE
        
        PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3656 -ip 3656
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1560 -ip 1560
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zr2eE0PT.exe

Filesize
1.5MB

MD5
178cb248355f2bbdb97a6038528c0784

SHA1
07227f202b02b92bb91264be527e017e233d0a5d

SHA256
b3558a63fc6c98dff2d2c02efaaaf6758799297b182575fb9a092f1eae3c06fb

SHA512
3e574f4f5b872fa238dc0dfde84a926debc833a3e21c4b90e87dd08312c8e03ddb4744cf9ca62e2371f782142de54a847812dce6dec411a5c30764813066af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zr2eE0PT.exe

Filesize
1.5MB

MD5
178cb248355f2bbdb97a6038528c0784

SHA1
07227f202b02b92bb91264be527e017e233d0a5d

SHA256
b3558a63fc6c98dff2d2c02efaaaf6758799297b182575fb9a092f1eae3c06fb

SHA512
3e574f4f5b872fa238dc0dfde84a926debc833a3e21c4b90e87dd08312c8e03ddb4744cf9ca62e2371f782142de54a847812dce6dec411a5c30764813066af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB3he5tC.exe

Filesize
1.3MB

MD5
cd5c2f5c66c7116d4293fbba690f3ac7

SHA1
f56dfc8a11904f6295faf8ff71f932f8bc2a2a52

SHA256
4f7e615c9671794a6d43a4a021d4b1b176630f5d262542b781c5c4115dcb60eb

SHA512
d97d11ddd515f4e48374e49cdfc374df8199b3cc48a248d348e963c11f7daea15f30a587ca65a28aed050c81fe77c7d04d180a5bff724f062f0a334e52d2a169

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB3he5tC.exe

Filesize
1.3MB

MD5
cd5c2f5c66c7116d4293fbba690f3ac7

SHA1
f56dfc8a11904f6295faf8ff71f932f8bc2a2a52

SHA256
4f7e615c9671794a6d43a4a021d4b1b176630f5d262542b781c5c4115dcb60eb

SHA512
d97d11ddd515f4e48374e49cdfc374df8199b3cc48a248d348e963c11f7daea15f30a587ca65a28aed050c81fe77c7d04d180a5bff724f062f0a334e52d2a169

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QU0Ps2ie.exe

Filesize
822KB

MD5
c809faf67b75538e0a1eff1a64ebebd8

SHA1
ee75b795f8df6dfaa688565fdf8cf2fa0a2e2c93

SHA256
7d07d0dcb9dc267d0d287e28abec0b450f272329fde081b2cf302399cc5c6049

SHA512
88dbe22c244dba62087241bbe477702939539484faa405a755a15e68b549eb058bb29c4c65c6a52db502c30dbac1d84b75e7e6e4c05f930d9eba974bf042b894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QU0Ps2ie.exe

Filesize
822KB

MD5
c809faf67b75538e0a1eff1a64ebebd8

SHA1
ee75b795f8df6dfaa688565fdf8cf2fa0a2e2c93

SHA256
7d07d0dcb9dc267d0d287e28abec0b450f272329fde081b2cf302399cc5c6049

SHA512
88dbe22c244dba62087241bbe477702939539484faa405a755a15e68b549eb058bb29c4c65c6a52db502c30dbac1d84b75e7e6e4c05f930d9eba974bf042b894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sx2Oc1GS.exe

Filesize
649KB

MD5
5ee7842008bad07fe3d24fdc89857028

SHA1
e2785b7b991ac383c4b99aab1107f70ef0082338

SHA256
acb156c180149853b9cc6243f4a37ef431c1cce8fa9eaf8d2037f33a60ef2bdd

SHA512
11a5bbc7bd43b3b401725c8fcb65a9fe9ff96588bac172546e1bdcaf79bf26432d292d995a1bec4bcf068f5fa8d573f011d7c099c0a59ae0c89dc6a7432acc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sx2Oc1GS.exe

Filesize
649KB

MD5
5ee7842008bad07fe3d24fdc89857028

SHA1
e2785b7b991ac383c4b99aab1107f70ef0082338

SHA256
acb156c180149853b9cc6243f4a37ef431c1cce8fa9eaf8d2037f33a60ef2bdd

SHA512
11a5bbc7bd43b3b401725c8fcb65a9fe9ff96588bac172546e1bdcaf79bf26432d292d995a1bec4bcf068f5fa8d573f011d7c099c0a59ae0c89dc6a7432acc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XT59Rl4.exe

Filesize
1.7MB

MD5
99fc4bdcd5af447edfa5369de89e7340

SHA1
e18a61c421550c48d482ed501408a2920dac5464

SHA256
5f29fbdbe40fca4387eaa45f45ac336a0e3fd6b18e78548d5be9e01f12ea9302

SHA512
b77304c9a14a16cb303d5ff65afb8870e3402c9e5fe45abd3a160d2c94b8b5e1c0b37669233107b0c7c98877282c9042079f62588e3bd9c9ca01738cdce5517b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XT59Rl4.exe

Filesize
1.7MB

MD5
99fc4bdcd5af447edfa5369de89e7340

SHA1
e18a61c421550c48d482ed501408a2920dac5464

SHA256
5f29fbdbe40fca4387eaa45f45ac336a0e3fd6b18e78548d5be9e01f12ea9302

SHA512
b77304c9a14a16cb303d5ff65afb8870e3402c9e5fe45abd3a160d2c94b8b5e1c0b37669233107b0c7c98877282c9042079f62588e3bd9c9ca01738cdce5517b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AG012ky.exe

Filesize
230KB

MD5
21739c88ff1c1ed50f1d07cd75e20a62

SHA1
d5ca4305aa2548f83743f0c7e87af59b74b9975c

SHA256
c659c52ebc18080daad6388178dd345a875d0bfd554def51f4b53288440373e2

SHA512
e34aa06bf38c7af1dfabac8eac67b65149114972d23b4effdd1eb04fc5e2935e30e0aafd9e8608ad4c2bfd4bd498f35e25a2d4f0e4cba4d77702bb5ec977bb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AG012ky.exe

Filesize
230KB

MD5
21739c88ff1c1ed50f1d07cd75e20a62

SHA1
d5ca4305aa2548f83743f0c7e87af59b74b9975c

SHA256
c659c52ebc18080daad6388178dd345a875d0bfd554def51f4b53288440373e2

SHA512
e34aa06bf38c7af1dfabac8eac67b65149114972d23b4effdd1eb04fc5e2935e30e0aafd9e8608ad4c2bfd4bd498f35e25a2d4f0e4cba4d77702bb5ec977bb25

Download Submit
memory/3656-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3656-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3656-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3656-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3816-46-0x0000000007740000-0x00000000077D2000-memory.dmp

Filesize
584KB

Download
memory/3816-43-0x00000000007F0000-0x000000000082E000-memory.dmp

Filesize
248KB

Download
memory/3816-45-0x0000000007C50000-0x00000000081F4000-memory.dmp

Filesize
5.6MB

Download
memory/3816-44-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/3816-47-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/3816-48-0x0000000007710000-0x000000000771A000-memory.dmp

Filesize
40KB

Download
memory/3816-49-0x0000000008820000-0x0000000008E38000-memory.dmp

Filesize
6.1MB

Download
memory/3816-50-0x0000000007B30000-0x0000000007C3A000-memory.dmp

Filesize
1.0MB

Download
memory/3816-51-0x0000000007980000-0x0000000007992000-memory.dmp

Filesize
72KB

Download
memory/3816-52-0x0000000007A20000-0x0000000007A5C000-memory.dmp

Filesize
240KB

Download
memory/3816-53-0x00000000079B0000-0x00000000079FC000-memory.dmp

Filesize
304KB

Download
memory/3816-54-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/3816-55-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads