mystic | b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe
Size

1.6MB
MD5

7da7fe2fac1183f15d9be0c88459de75
SHA1

d23b422a9e0b82380dbf00a61a61470f45215c3f
SHA256

b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f
SHA512

a52737daa41df23f866922e4cbad7336f2045ee21e1e0886348d42f30ced8775609f9cdbf8ccd7c71464011760905cacd5fc83a0d4839c44dffe4a44a87d4486
SSDEEP

24576:eyLoCPcPYyjX5F9DElIHn7tr0N+yIaTHjObuOuqIlQ6s2lyiDOLAi/:t0G2YA1RrNyrHjObu1a6ss6A

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2408-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2408-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2408-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2408-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000002321d-41.dat	family_redline
behavioral1/files/0x000600000002321d-42.dat	family_redline
behavioral1/memory/1568-43-0x0000000000410000-0x000000000044E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1244	ks6Bz4EW.exe
4612	pi6rI5zz.exe
1952	Fg7OD5bV.exe
4924	vB8pY4CH.exe
1312	1Ju05ya1.exe
1568	2Bi059Fm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ks6Bz4EW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pi6rI5zz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Fg7OD5bV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vB8pY4CH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 2408	1312	1Ju05ya1.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3692	1312	WerFault.exe	90
3632	2408	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1244	1384	b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe	85
PID 1384 wrote to memory of 1244	1384	b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe	85
PID 1384 wrote to memory of 1244	1384	b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe	85
PID 1244 wrote to memory of 4612	1244	ks6Bz4EW.exe	86
PID 1244 wrote to memory of 4612	1244	ks6Bz4EW.exe	86
PID 1244 wrote to memory of 4612	1244	ks6Bz4EW.exe	86
PID 4612 wrote to memory of 1952	4612	pi6rI5zz.exe	88
PID 4612 wrote to memory of 1952	4612	pi6rI5zz.exe	88
PID 4612 wrote to memory of 1952	4612	pi6rI5zz.exe	88
PID 1952 wrote to memory of 4924	1952	Fg7OD5bV.exe	89
PID 1952 wrote to memory of 4924	1952	Fg7OD5bV.exe	89
PID 1952 wrote to memory of 4924	1952	Fg7OD5bV.exe	89
PID 4924 wrote to memory of 1312	4924	vB8pY4CH.exe	90
PID 4924 wrote to memory of 1312	4924	vB8pY4CH.exe	90
PID 4924 wrote to memory of 1312	4924	vB8pY4CH.exe	90
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 1312 wrote to memory of 2408	1312	1Ju05ya1.exe	92
PID 4924 wrote to memory of 1568	4924	vB8pY4CH.exe	98
PID 4924 wrote to memory of 1568	4924	vB8pY4CH.exe	98
PID 4924 wrote to memory of 1568	4924	vB8pY4CH.exe	98

C:\Users\Admin\AppData\Local\Temp\b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe
"C:\Users\Admin\AppData\Local\Temp\b099990af5021317f8cba7464fd6c176f7a60c37527fef0ebb6829f7fdfa3c9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks6Bz4EW.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks6Bz4EW.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pi6rI5zz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pi6rI5zz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fg7OD5bV.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fg7OD5bV.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vB8pY4CH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vB8pY4CH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ju05ya1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ju05ya1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 544
        8⤵
        Program crash
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 572
        7⤵
        Program crash
        
        PID:3692
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bi059Fm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bi059Fm.exe
        6⤵
        Executes dropped EXE
        
        PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1312 -ip 1312
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2408 -ip 2408
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks6Bz4EW.exe

Filesize
1.5MB

MD5
b94e5a12ff625f46a7a9268cc8ba036e

SHA1
0a73b3f07bd119e6d360de4c44782ef2afe05d4e

SHA256
07fdfac5bfc9aba89b3327f682afeef7ddf2b0a83e247d50ab999b44285a4ca3

SHA512
170c00f9196f4e56b704bd378a95a415bc6f12d158f2d8b686f80d87a00847e038d6531067799d76d66358ec2276f819dd9acdccd46fb02b9e5d9970a0481165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks6Bz4EW.exe

Filesize
1.5MB

MD5
b94e5a12ff625f46a7a9268cc8ba036e

SHA1
0a73b3f07bd119e6d360de4c44782ef2afe05d4e

SHA256
07fdfac5bfc9aba89b3327f682afeef7ddf2b0a83e247d50ab999b44285a4ca3

SHA512
170c00f9196f4e56b704bd378a95a415bc6f12d158f2d8b686f80d87a00847e038d6531067799d76d66358ec2276f819dd9acdccd46fb02b9e5d9970a0481165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pi6rI5zz.exe

Filesize
1.3MB

MD5
35922b8d8df3a37d4210ed2d45c56491

SHA1
bcf2cfdb47a0690c6b35e31bd4cceeea806f626b

SHA256
ef510baf6b685d39a1dd61d19cdc9bc0822d29f4033bfe82a6108a0575409cde

SHA512
5df1764761bae51b7b30ffa874c908ff6762810f653a692a646069b2964fda47a75082b75b7d4d1cd1d5ce2ca48f0e19f0e0f2489883241bce93713f1795494d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pi6rI5zz.exe

Filesize
1.3MB

MD5
35922b8d8df3a37d4210ed2d45c56491

SHA1
bcf2cfdb47a0690c6b35e31bd4cceeea806f626b

SHA256
ef510baf6b685d39a1dd61d19cdc9bc0822d29f4033bfe82a6108a0575409cde

SHA512
5df1764761bae51b7b30ffa874c908ff6762810f653a692a646069b2964fda47a75082b75b7d4d1cd1d5ce2ca48f0e19f0e0f2489883241bce93713f1795494d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fg7OD5bV.exe

Filesize
821KB

MD5
e9ff653b5f413c61cc5b06891a2f2d96

SHA1
49b8f9ad7f6bd4fe124038a21d96ba3af2efbf8c

SHA256
b2adf1a190127df45991ec8413f8e1acec51f9010175562e859f3da9345e57a7

SHA512
39a890866f7ad299c9c510176ebc15bcbf52ade00b53bd7fcbfa8badde4d0375fe337a3ae5d289001ab0520941661f79cf45093171eb266ca2c0090892e70679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fg7OD5bV.exe

Filesize
821KB

MD5
e9ff653b5f413c61cc5b06891a2f2d96

SHA1
49b8f9ad7f6bd4fe124038a21d96ba3af2efbf8c

SHA256
b2adf1a190127df45991ec8413f8e1acec51f9010175562e859f3da9345e57a7

SHA512
39a890866f7ad299c9c510176ebc15bcbf52ade00b53bd7fcbfa8badde4d0375fe337a3ae5d289001ab0520941661f79cf45093171eb266ca2c0090892e70679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vB8pY4CH.exe

Filesize
649KB

MD5
6e32ebbb5f130d9f3667e45dcdbb00c8

SHA1
028c098bd2d1010d9c81dd783b738c9151f31424

SHA256
6a3bbdc68dc289441ff58edcc7213efc419c1369103b71bcd143af9a1ce47edc

SHA512
90bb6a62e34401c851c54634be2e5ea794f8dc4d53271289af24cdde5fb5686fed3674bd6e020879782bc1cdf9068a2aa88755c097963d23adef71b6937c4d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vB8pY4CH.exe

Filesize
649KB

MD5
6e32ebbb5f130d9f3667e45dcdbb00c8

SHA1
028c098bd2d1010d9c81dd783b738c9151f31424

SHA256
6a3bbdc68dc289441ff58edcc7213efc419c1369103b71bcd143af9a1ce47edc

SHA512
90bb6a62e34401c851c54634be2e5ea794f8dc4d53271289af24cdde5fb5686fed3674bd6e020879782bc1cdf9068a2aa88755c097963d23adef71b6937c4d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ju05ya1.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ju05ya1.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bi059Fm.exe

Filesize
231KB

MD5
2736918e41a40992ef41b3ba17f41333

SHA1
f45f2398f3c80140e523807d6aee63531f0487c1

SHA256
6506d20ae471d0f12e922efb11b90b9f13b83b0839d7abc59953f46e109a4731

SHA512
d0b66d58eec99424eba7e01738bdeba2898f1f18c5ffb648302683c818c72e7a467624c75685bbe19d63fb7e56b507d5b45323d1e78c40e03eead134052ce3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bi059Fm.exe

Filesize
231KB

MD5
2736918e41a40992ef41b3ba17f41333

SHA1
f45f2398f3c80140e523807d6aee63531f0487c1

SHA256
6506d20ae471d0f12e922efb11b90b9f13b83b0839d7abc59953f46e109a4731

SHA512
d0b66d58eec99424eba7e01738bdeba2898f1f18c5ffb648302683c818c72e7a467624c75685bbe19d63fb7e56b507d5b45323d1e78c40e03eead134052ce3b2

Download Submit
memory/1568-46-0x0000000007190000-0x0000000007222000-memory.dmp

Filesize
584KB

Download
memory/1568-48-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/1568-55-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/1568-54-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1568-43-0x0000000000410000-0x000000000044E000-memory.dmp

Filesize
248KB

Download
memory/1568-44-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1568-45-0x0000000007650000-0x0000000007BF4000-memory.dmp

Filesize
5.6MB

Download
memory/1568-53-0x0000000007C00000-0x0000000007C4C000-memory.dmp

Filesize
304KB

Download
memory/1568-52-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/1568-49-0x0000000008220000-0x0000000008838000-memory.dmp

Filesize
6.1MB

Download
memory/1568-47-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/1568-50-0x0000000007D10000-0x0000000007E1A000-memory.dmp

Filesize
1.0MB

Download
memory/1568-51-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/2408-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2408-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2408-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2408-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads