mystic | 2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe
Size

1.6MB
MD5

8165f588911047ccabb727675242dcdd
SHA1

500d8e0dd99b217a8e9d816c624a7ed657307f7f
SHA256

2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5
SHA512

f186801acb4dddf0751746786d7858de12b30671aa063e9b3d0b27b3063f1cd4cea6b312e4793671365592c302f4813acad3b23016a28621c1caa0ae3563ddd2
SSDEEP

49152:6TM8fW4sjX/2CjRgdkrrBredlNd3go35v:9b1gprNdwIB

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4732-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4732-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4732-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4732-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023241-41.dat	family_redline
behavioral1/files/0x0007000000023241-42.dat	family_redline
behavioral1/memory/1692-43-0x00000000007B0000-0x00000000007EE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3408	sL7lQ3TS.exe
5100	Ur9Ea7Xr.exe
1364	MM0He7Ts.exe
4216	QN5xa3QQ.exe
4928	1YW45tn2.exe
1692	2FZ674nI.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	MM0He7Ts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QN5xa3QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sL7lQ3TS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ur9Ea7Xr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 4732	4928	1YW45tn2.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
832	4928	WerFault.exe	89
4436	4732	WerFault.exe	91

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3408	408	2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe	85
PID 408 wrote to memory of 3408	408	2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe	85
PID 408 wrote to memory of 3408	408	2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe	85
PID 3408 wrote to memory of 5100	3408	sL7lQ3TS.exe	86
PID 3408 wrote to memory of 5100	3408	sL7lQ3TS.exe	86
PID 3408 wrote to memory of 5100	3408	sL7lQ3TS.exe	86
PID 5100 wrote to memory of 1364	5100	Ur9Ea7Xr.exe	87
PID 5100 wrote to memory of 1364	5100	Ur9Ea7Xr.exe	87
PID 5100 wrote to memory of 1364	5100	Ur9Ea7Xr.exe	87
PID 1364 wrote to memory of 4216	1364	MM0He7Ts.exe	88
PID 1364 wrote to memory of 4216	1364	MM0He7Ts.exe	88
PID 1364 wrote to memory of 4216	1364	MM0He7Ts.exe	88
PID 4216 wrote to memory of 4928	4216	QN5xa3QQ.exe	89
PID 4216 wrote to memory of 4928	4216	QN5xa3QQ.exe	89
PID 4216 wrote to memory of 4928	4216	QN5xa3QQ.exe	89
PID 4928 wrote to memory of 4712	4928	1YW45tn2.exe	90
PID 4928 wrote to memory of 4712	4928	1YW45tn2.exe	90
PID 4928 wrote to memory of 4712	4928	1YW45tn2.exe	90
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4928 wrote to memory of 4732	4928	1YW45tn2.exe	91
PID 4216 wrote to memory of 1692	4216	QN5xa3QQ.exe	98
PID 4216 wrote to memory of 1692	4216	QN5xa3QQ.exe	98
PID 4216 wrote to memory of 1692	4216	QN5xa3QQ.exe	98

C:\Users\Admin\AppData\Local\Temp\2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe
"C:\Users\Admin\AppData\Local\Temp\2c8a69e2582f550ba1c927ed13996e49ca34bb42c4a87a9defa4fa62037001a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7lQ3TS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7lQ3TS.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9Ea7Xr.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9Ea7Xr.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM0He7Ts.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM0He7Ts.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QN5xa3QQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QN5xa3QQ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW45tn2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW45tn2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 540
        8⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 592
        7⤵
        Program crash
        
        PID:832
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FZ674nI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FZ674nI.exe
        6⤵
        Executes dropped EXE
        
        PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4928 -ip 4928
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4732 -ip 4732
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7lQ3TS.exe

Filesize
1.5MB

MD5
9c0ad29801e5b8a7b6b96d12f896f02b

SHA1
2e123755beaf3d93cc64d17d56c4e5f0c192746b

SHA256
7e13e89aacef67b0a132a1d1d091bd8c3a11de537d333d7b4ea8a1b02c74e3ae

SHA512
a695bcc4c6a0e25c5244f4d1c00e89bfa1f09c0d48a9ab64f486cf0e1da12091ea470566e4db5eba29900b2faf19696abc481e9d38a02b3168bb5158d12299f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7lQ3TS.exe

Filesize
1.5MB

MD5
9c0ad29801e5b8a7b6b96d12f896f02b

SHA1
2e123755beaf3d93cc64d17d56c4e5f0c192746b

SHA256
7e13e89aacef67b0a132a1d1d091bd8c3a11de537d333d7b4ea8a1b02c74e3ae

SHA512
a695bcc4c6a0e25c5244f4d1c00e89bfa1f09c0d48a9ab64f486cf0e1da12091ea470566e4db5eba29900b2faf19696abc481e9d38a02b3168bb5158d12299f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9Ea7Xr.exe

Filesize
1.3MB

MD5
30edb9c5192b2a047e28301127dd339f

SHA1
804aede025328efe5702be0931b326328259af35

SHA256
14fb81aafa94488f9db5d232dce9b3664e918259c66684291bad11a42241c2fd

SHA512
47049c46dc7bd47512ded695b2e82d2e53367dbd121eba1752a2753903b4e4adaf8eb5636459b55dd7255a441d47a59de6f57601e29e068e5bc48177e15ba04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9Ea7Xr.exe

Filesize
1.3MB

MD5
30edb9c5192b2a047e28301127dd339f

SHA1
804aede025328efe5702be0931b326328259af35

SHA256
14fb81aafa94488f9db5d232dce9b3664e918259c66684291bad11a42241c2fd

SHA512
47049c46dc7bd47512ded695b2e82d2e53367dbd121eba1752a2753903b4e4adaf8eb5636459b55dd7255a441d47a59de6f57601e29e068e5bc48177e15ba04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM0He7Ts.exe

Filesize
822KB

MD5
193c13a16b871318a07751546ecb90ad

SHA1
5b5bb51f03722097938447ffad065e8fce83e5d3

SHA256
4e47fb14a65bdb5fd620650b18ffc2ee520bf354b6f7f129a873f3b38e127a01

SHA512
7ccf1510ad3f40bbdce48ae3246d4373d8c96ef72f241108e8a9c104cde71697497582841ac103001707d1e8e63f84df3d37ce5a3779e830baafdbe915ae2571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM0He7Ts.exe

Filesize
822KB

MD5
193c13a16b871318a07751546ecb90ad

SHA1
5b5bb51f03722097938447ffad065e8fce83e5d3

SHA256
4e47fb14a65bdb5fd620650b18ffc2ee520bf354b6f7f129a873f3b38e127a01

SHA512
7ccf1510ad3f40bbdce48ae3246d4373d8c96ef72f241108e8a9c104cde71697497582841ac103001707d1e8e63f84df3d37ce5a3779e830baafdbe915ae2571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QN5xa3QQ.exe

Filesize
649KB

MD5
235d129ee61a40595c2be183caeca0a3

SHA1
8870603061fbd0c9d1d722d2cc0a0e668b8b66e8

SHA256
01b28d7346f6a623d0f9429d683ef0f66072418371f5ce1db163c503c60bda78

SHA512
86b24b125388690ad569539463d36d42336054cd871c3fc0385e0ea9451efb37e9fc0cd86f6e2fd000cb21bda0ce4a577f847084e16ca380780cfe38050eb8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QN5xa3QQ.exe

Filesize
649KB

MD5
235d129ee61a40595c2be183caeca0a3

SHA1
8870603061fbd0c9d1d722d2cc0a0e668b8b66e8

SHA256
01b28d7346f6a623d0f9429d683ef0f66072418371f5ce1db163c503c60bda78

SHA512
86b24b125388690ad569539463d36d42336054cd871c3fc0385e0ea9451efb37e9fc0cd86f6e2fd000cb21bda0ce4a577f847084e16ca380780cfe38050eb8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW45tn2.exe

Filesize
1.7MB

MD5
650023a01584cbd14548d6d3437baed3

SHA1
0870e2b34b8ace74742fa00c0b52c1703f67ba29

SHA256
ee25fbf59d04f7960837dc31da6ef7a01b424b95999b877cf3f30ac917877cb6

SHA512
8c970cd0989cd625d4ef02635f5440be38fedb41086999de07b69deb845a970371a1a192a2c61c9dbd0fc2bd0fd455e0f5360a9a72ec296d41869bb47035d0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW45tn2.exe

Filesize
1.7MB

MD5
650023a01584cbd14548d6d3437baed3

SHA1
0870e2b34b8ace74742fa00c0b52c1703f67ba29

SHA256
ee25fbf59d04f7960837dc31da6ef7a01b424b95999b877cf3f30ac917877cb6

SHA512
8c970cd0989cd625d4ef02635f5440be38fedb41086999de07b69deb845a970371a1a192a2c61c9dbd0fc2bd0fd455e0f5360a9a72ec296d41869bb47035d0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FZ674nI.exe

Filesize
230KB

MD5
aa67451c41af3d4eb6dcf5574b9c6c28

SHA1
e9254ed43aaac366f11f7cfdabdc25123b286fa7

SHA256
51467dadb02360976f9becd5dbd52cf14e66ea9b41569e81be58584ea4f355cf

SHA512
b0d70cde8f21db4e57424cf1c6bb524f5fdf919dfb850849623c161d8374118d71aa74708e716d4ee13fecdeb8a50661ba16aa4f5ec2a8a93d8818567f41841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FZ674nI.exe

Filesize
230KB

MD5
aa67451c41af3d4eb6dcf5574b9c6c28

SHA1
e9254ed43aaac366f11f7cfdabdc25123b286fa7

SHA256
51467dadb02360976f9becd5dbd52cf14e66ea9b41569e81be58584ea4f355cf

SHA512
b0d70cde8f21db4e57424cf1c6bb524f5fdf919dfb850849623c161d8374118d71aa74708e716d4ee13fecdeb8a50661ba16aa4f5ec2a8a93d8818567f41841b

Download Submit
memory/1692-46-0x00000000076B0000-0x0000000007742000-memory.dmp

Filesize
584KB

Download
memory/1692-48-0x0000000007770000-0x000000000777A000-memory.dmp

Filesize
40KB

Download
memory/1692-55-0x00000000077D0000-0x00000000077E0000-memory.dmp

Filesize
64KB

Download
memory/1692-54-0x00000000741E0000-0x0000000074990000-memory.dmp

Filesize
7.7MB

Download
memory/1692-43-0x00000000007B0000-0x00000000007EE000-memory.dmp

Filesize
248KB

Download
memory/1692-44-0x00000000741E0000-0x0000000074990000-memory.dmp

Filesize
7.7MB

Download
memory/1692-45-0x0000000007BC0000-0x0000000008164000-memory.dmp

Filesize
5.6MB

Download
memory/1692-53-0x0000000007B30000-0x0000000007B7C000-memory.dmp

Filesize
304KB

Download
memory/1692-52-0x00000000079B0000-0x00000000079EC000-memory.dmp

Filesize
240KB

Download
memory/1692-49-0x0000000008790000-0x0000000008DA8000-memory.dmp

Filesize
6.1MB

Download
memory/1692-47-0x00000000077D0000-0x00000000077E0000-memory.dmp

Filesize
64KB

Download
memory/1692-50-0x0000000007A20000-0x0000000007B2A000-memory.dmp

Filesize
1.0MB

Download
memory/1692-51-0x0000000007950000-0x0000000007962000-memory.dmp

Filesize
72KB

Download
memory/4732-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4732-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4732-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4732-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads