mystic | 83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe
Size

1.2MB
MD5

7883a8936ad8b3a7589f08ae966726fa
SHA1

767dbada422ff33262c817f1a2a44aaa051a0360
SHA256

83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac
SHA512

e5db7a2ffaef9b965d3f80758c8f2462adb7666a9fe603c903272cd2b35658a8523aec072b7d387e4e25ce5a58b236f39faaa44c6bd6939f34c65ef5a43296b7
SSDEEP

24576:fynUKjpZmjtFV2EyQcV6J8JVG325okvSvKkJVWLhPRFG:qUKjp8yQLJ86mRSvJJVWV5

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1936-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1936-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1936-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1936-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000231ee-40.dat	family_redline
behavioral1/files/0x00060000000231ee-42.dat	family_redline
behavioral1/memory/3624-43-0x0000000000CC0000-0x0000000000CFE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1084	sJ9wl3nR.exe
1860	qe3Pp3Os.exe
4944	fm6PX1Gm.exe
4436	uZ1XL1nt.exe
3760	1yr01tU4.exe
3624	2ZZ139ci.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sJ9wl3nR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qe3Pp3Os.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fm6PX1Gm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uZ1XL1nt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3760 set thread context of 1936	3760	1yr01tU4.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2756	1936	WerFault.exe	92
4920	3760	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1084	2940	83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe	86
PID 2940 wrote to memory of 1084	2940	83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe	86
PID 2940 wrote to memory of 1084	2940	83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe	86
PID 1084 wrote to memory of 1860	1084	sJ9wl3nR.exe	87
PID 1084 wrote to memory of 1860	1084	sJ9wl3nR.exe	87
PID 1084 wrote to memory of 1860	1084	sJ9wl3nR.exe	87
PID 1860 wrote to memory of 4944	1860	qe3Pp3Os.exe	88
PID 1860 wrote to memory of 4944	1860	qe3Pp3Os.exe	88
PID 1860 wrote to memory of 4944	1860	qe3Pp3Os.exe	88
PID 4944 wrote to memory of 4436	4944	fm6PX1Gm.exe	89
PID 4944 wrote to memory of 4436	4944	fm6PX1Gm.exe	89
PID 4944 wrote to memory of 4436	4944	fm6PX1Gm.exe	89
PID 4436 wrote to memory of 3760	4436	uZ1XL1nt.exe	90
PID 4436 wrote to memory of 3760	4436	uZ1XL1nt.exe	90
PID 4436 wrote to memory of 3760	4436	uZ1XL1nt.exe	90
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 3760 wrote to memory of 1936	3760	1yr01tU4.exe	92
PID 4436 wrote to memory of 3624	4436	uZ1XL1nt.exe	99
PID 4436 wrote to memory of 3624	4436	uZ1XL1nt.exe	99
PID 4436 wrote to memory of 3624	4436	uZ1XL1nt.exe	99

C:\Users\Admin\AppData\Local\Temp\83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe
"C:\Users\Admin\AppData\Local\Temp\83479adc751e89d094a80192bd7e9427a287bafcf5d2054aaff1ffdeba3f20ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ9wl3nR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ9wl3nR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qe3Pp3Os.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qe3Pp3Os.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fm6PX1Gm.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fm6PX1Gm.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uZ1XL1nt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uZ1XL1nt.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yr01tU4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yr01tU4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 200
        8⤵
        Program crash
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 152
        7⤵
        Program crash
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ139ci.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ139ci.exe
        6⤵
        Executes dropped EXE
        
        PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1936 -ip 1936
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3760 -ip 3760
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ9wl3nR.exe

Filesize
1.0MB

MD5
9da87467ae96162c77345c9c1d44a37b

SHA1
34fab8a9444b28128cf83039b0de88da86fcd982

SHA256
4d584939c90084c4beca80bc59076d646bbdf1f34c56a3a2c2bd14016dc0c5df

SHA512
340c24b0042aea58e685332c258d59dad1125d915d2831da694d0eca29fc7c551355ad1453bb089674da457586ed225236515ef1fd3add86cd3e6f00e08b94a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ9wl3nR.exe

Filesize
1.0MB

MD5
9da87467ae96162c77345c9c1d44a37b

SHA1
34fab8a9444b28128cf83039b0de88da86fcd982

SHA256
4d584939c90084c4beca80bc59076d646bbdf1f34c56a3a2c2bd14016dc0c5df

SHA512
340c24b0042aea58e685332c258d59dad1125d915d2831da694d0eca29fc7c551355ad1453bb089674da457586ed225236515ef1fd3add86cd3e6f00e08b94a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qe3Pp3Os.exe

Filesize
884KB

MD5
207a282ab43c4d24a28d1f088063506a

SHA1
67579f28d21f72ad4a0b9bbee2517a0fdf251db9

SHA256
5187579e489f7204a08b7600200d655c4bc07afbd55b2076b4cf9df5a9052535

SHA512
1804fdc02fc40a011424bfe560f4028fd4df300a95c39afb83389f962815fa2853759b7f3ea65623cac1f26e46075099a9ad5c7f3077ff8659561ce4ca4d1e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qe3Pp3Os.exe

Filesize
884KB

MD5
207a282ab43c4d24a28d1f088063506a

SHA1
67579f28d21f72ad4a0b9bbee2517a0fdf251db9

SHA256
5187579e489f7204a08b7600200d655c4bc07afbd55b2076b4cf9df5a9052535

SHA512
1804fdc02fc40a011424bfe560f4028fd4df300a95c39afb83389f962815fa2853759b7f3ea65623cac1f26e46075099a9ad5c7f3077ff8659561ce4ca4d1e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fm6PX1Gm.exe

Filesize
590KB

MD5
c8424a04734507943707517fad9be4ce

SHA1
cf42250d6fe7472e61b82a0c6c30e72bff0f035c

SHA256
e93d851a00a85089d1a2c3791332b8fa0cb6fdade6b3be148d89031c8f86f58b

SHA512
bd21b64b04764c355aff541b43026e083dfe92a7fd9e8a58d09dd96b99ef91514d06713907044b66a69996c4947ee4181cb47021a38dc6df3537fb11bccc70e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fm6PX1Gm.exe

Filesize
590KB

MD5
c8424a04734507943707517fad9be4ce

SHA1
cf42250d6fe7472e61b82a0c6c30e72bff0f035c

SHA256
e93d851a00a85089d1a2c3791332b8fa0cb6fdade6b3be148d89031c8f86f58b

SHA512
bd21b64b04764c355aff541b43026e083dfe92a7fd9e8a58d09dd96b99ef91514d06713907044b66a69996c4947ee4181cb47021a38dc6df3537fb11bccc70e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uZ1XL1nt.exe

Filesize
417KB

MD5
88884ab09f4ca0ff048e15d791b2f758

SHA1
2d41a1fd9570a75495e567b04def73e849a8d7ef

SHA256
03f8b278c15cf2715d5a84e33a5a1ab79498541502fddab7ba2f23d8573794a1

SHA512
f9b2529fbeed46bb08caeda228fe828bca46558e1a7444375750974451ea515c0c3f5684303f1d18abb939ad8a8402ef2353512fc06d42736509ff56c0503cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uZ1XL1nt.exe

Filesize
417KB

MD5
88884ab09f4ca0ff048e15d791b2f758

SHA1
2d41a1fd9570a75495e567b04def73e849a8d7ef

SHA256
03f8b278c15cf2715d5a84e33a5a1ab79498541502fddab7ba2f23d8573794a1

SHA512
f9b2529fbeed46bb08caeda228fe828bca46558e1a7444375750974451ea515c0c3f5684303f1d18abb939ad8a8402ef2353512fc06d42736509ff56c0503cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yr01tU4.exe

Filesize
378KB

MD5
508ae54f94fd96b71dffb0a29065ecb9

SHA1
70da6a53f56453204688cc406f50464f6d2a7a84

SHA256
513006185004a6ba985b4ebd0185e8e64312aa797e347b47f55024eb9b48d3e2

SHA512
77a745e202114f05a71258e9d6ddc833f984e28a067d51cbb939a860e42b2023887332025988171ffa34f6fbd31bde848670b46cc885b17088456c2a154e0adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yr01tU4.exe

Filesize
378KB

MD5
508ae54f94fd96b71dffb0a29065ecb9

SHA1
70da6a53f56453204688cc406f50464f6d2a7a84

SHA256
513006185004a6ba985b4ebd0185e8e64312aa797e347b47f55024eb9b48d3e2

SHA512
77a745e202114f05a71258e9d6ddc833f984e28a067d51cbb939a860e42b2023887332025988171ffa34f6fbd31bde848670b46cc885b17088456c2a154e0adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ139ci.exe

Filesize
231KB

MD5
61e563e7362437dd5c6ae53cbe787978

SHA1
7c5ce693836aa889f757594409cf78d3af446e0b

SHA256
8ae3cba46fd829f831c05b5be02f8d35ce6b4fab765b705ec4d9304fd891c2e8

SHA512
1aebc27d9e259074c43a1939439c2eabda22ec4de388f566e9ff17eb03c7e333925300ba85f6a608baa29b2cb38b7ba9515e68db5f0098faa3833476ae94b79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ139ci.exe

Filesize
231KB

MD5
61e563e7362437dd5c6ae53cbe787978

SHA1
7c5ce693836aa889f757594409cf78d3af446e0b

SHA256
8ae3cba46fd829f831c05b5be02f8d35ce6b4fab765b705ec4d9304fd891c2e8

SHA512
1aebc27d9e259074c43a1939439c2eabda22ec4de388f566e9ff17eb03c7e333925300ba85f6a608baa29b2cb38b7ba9515e68db5f0098faa3833476ae94b79b

Download Submit
memory/1936-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1936-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1936-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1936-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3624-46-0x0000000007C40000-0x0000000007CD2000-memory.dmp

Filesize
584KB

Download
memory/3624-44-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3624-45-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/3624-43-0x0000000000CC0000-0x0000000000CFE000-memory.dmp

Filesize
248KB

Download
memory/3624-47-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/3624-48-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

Filesize
40KB

Download
memory/3624-49-0x0000000008D20000-0x0000000009338000-memory.dmp

Filesize
6.1MB

Download
memory/3624-50-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3624-51-0x0000000007D60000-0x0000000007D72000-memory.dmp

Filesize
72KB

Download
memory/3624-52-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/3624-53-0x0000000007F00000-0x0000000007F4C000-memory.dmp

Filesize
304KB

Download
memory/3624-54-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3624-55-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads