mystic | 1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451

Analysis

max time kernel
138s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe
Size

1.6MB
MD5

aa3c2060fc43b926b908e7f9a50f9dc5
SHA1

ccb1e8398fa089b23fe31983baad0565f83b2f2c
SHA256

1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451
SHA512

215e139ebe4f63c2662bac3ab89db3a97e21c9764469c11d0b7156941d76f35edce621e840d8afc5e50cf56e94fd53f6fc853a2180db2fe7b81872e15e86bdb3
SSDEEP

49152:G8kMk2Uj/R6FhBJmLkF9GITIIPWWYbxXSr:Q2UjgzBpkmxWW8XS

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1888-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1888-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1888-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1888-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231cd-41.dat	family_redline
behavioral2/files/0x00060000000231cd-42.dat	family_redline
behavioral2/memory/3820-44-0x0000000000550000-0x000000000058E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3256	SU5hv3Pw.exe
2916	UF8Oz4Jg.exe
1976	rJ5lE3kg.exe
4424	QK4oK4Mq.exe
736	1Js49FR3.exe
3820	2Qd567HH.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rJ5lE3kg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QK4oK4Mq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	SU5hv3Pw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	UF8Oz4Jg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 736 set thread context of 1888	736	1Js49FR3.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1120	1888	WerFault.exe	91
4616	736	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 3256	920	NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe	86
PID 920 wrote to memory of 3256	920	NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe	86
PID 920 wrote to memory of 3256	920	NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe	86
PID 3256 wrote to memory of 2916	3256	SU5hv3Pw.exe	87
PID 3256 wrote to memory of 2916	3256	SU5hv3Pw.exe	87
PID 3256 wrote to memory of 2916	3256	SU5hv3Pw.exe	87
PID 2916 wrote to memory of 1976	2916	UF8Oz4Jg.exe	88
PID 2916 wrote to memory of 1976	2916	UF8Oz4Jg.exe	88
PID 2916 wrote to memory of 1976	2916	UF8Oz4Jg.exe	88
PID 1976 wrote to memory of 4424	1976	rJ5lE3kg.exe	89
PID 1976 wrote to memory of 4424	1976	rJ5lE3kg.exe	89
PID 1976 wrote to memory of 4424	1976	rJ5lE3kg.exe	89
PID 4424 wrote to memory of 736	4424	QK4oK4Mq.exe	90
PID 4424 wrote to memory of 736	4424	QK4oK4Mq.exe	90
PID 4424 wrote to memory of 736	4424	QK4oK4Mq.exe	90
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 736 wrote to memory of 1888	736	1Js49FR3.exe	91
PID 4424 wrote to memory of 3820	4424	QK4oK4Mq.exe	102
PID 4424 wrote to memory of 3820	4424	QK4oK4Mq.exe	102
PID 4424 wrote to memory of 3820	4424	QK4oK4Mq.exe	102

C:\Users\Admin\AppData\Local\Temp\NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1e23f7e01d6855a5b89b16d0ec1d5f0ea2f211389eab8bf38bdce0b8621be451_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5hv3Pw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5hv3Pw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UF8Oz4Jg.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UF8Oz4Jg.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ5lE3kg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ5lE3kg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK4oK4Mq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK4oK4Mq.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Js49FR3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Js49FR3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 540
        8⤵
        Program crash
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 600
        7⤵
        Program crash
        
        PID:4616
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd567HH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd567HH.exe
        6⤵
        Executes dropped EXE
        
        PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1888 -ip 1888
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 736 -ip 736
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5hv3Pw.exe

Filesize
1.5MB

MD5
0f3a0c136674ff82b29e90a936f298b3

SHA1
e9ec15bcad3e4d814bb0d602c526d4b74047dfc5

SHA256
3f64c031f1570e184c5ccc008b9195f5ba91f7cfab6c2ccc1a501f2e2ac581f1

SHA512
b9a51140a38b3289c6df70aaae8540be3e64b386fba51ebadd8f93a8542cc515ab9b68b74f8b33258945b2d9723cebfa095f763f42d27bbb033fdb463fbfcd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5hv3Pw.exe

Filesize
1.5MB

MD5
0f3a0c136674ff82b29e90a936f298b3

SHA1
e9ec15bcad3e4d814bb0d602c526d4b74047dfc5

SHA256
3f64c031f1570e184c5ccc008b9195f5ba91f7cfab6c2ccc1a501f2e2ac581f1

SHA512
b9a51140a38b3289c6df70aaae8540be3e64b386fba51ebadd8f93a8542cc515ab9b68b74f8b33258945b2d9723cebfa095f763f42d27bbb033fdb463fbfcd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UF8Oz4Jg.exe

Filesize
1.3MB

MD5
4d82dbe3933a7ae0abfb4354d604a436

SHA1
7de5b777f30e90aae4a3cae9cc515c04b2fc55e1

SHA256
e4605e0e6eac232617a9f9d7a518262b7cb923e7128466a61f846537fd298c46

SHA512
4b4f45ce2dc789127107859ae5bfbd4e521a79caf284dec3a63c1db564e460fe70e255e1cc3546bd1b6ff19d32d0248a890639901cc60aae9b17ab31fdb85e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UF8Oz4Jg.exe

Filesize
1.3MB

MD5
4d82dbe3933a7ae0abfb4354d604a436

SHA1
7de5b777f30e90aae4a3cae9cc515c04b2fc55e1

SHA256
e4605e0e6eac232617a9f9d7a518262b7cb923e7128466a61f846537fd298c46

SHA512
4b4f45ce2dc789127107859ae5bfbd4e521a79caf284dec3a63c1db564e460fe70e255e1cc3546bd1b6ff19d32d0248a890639901cc60aae9b17ab31fdb85e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ5lE3kg.exe

Filesize
823KB

MD5
6f298f2102b33f6db266914368e95622

SHA1
692ded1e38574bce597e0f05e9d8256014d16815

SHA256
4d2c1adf6f41c0c8af2fb3f9e674ac5323ad775ef0f1e0e9c69cf52cdf5e2f37

SHA512
bbf9c2e38dcc19544228c7c13d3a8f1d3f3a2fb678d67f12622c11e5a94107291b7caa6d5b61e5b485994dbffea6379f0bf45fe3b91b4af663bac46a48e88179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ5lE3kg.exe

Filesize
823KB

MD5
6f298f2102b33f6db266914368e95622

SHA1
692ded1e38574bce597e0f05e9d8256014d16815

SHA256
4d2c1adf6f41c0c8af2fb3f9e674ac5323ad775ef0f1e0e9c69cf52cdf5e2f37

SHA512
bbf9c2e38dcc19544228c7c13d3a8f1d3f3a2fb678d67f12622c11e5a94107291b7caa6d5b61e5b485994dbffea6379f0bf45fe3b91b4af663bac46a48e88179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK4oK4Mq.exe

Filesize
651KB

MD5
9b71bc8c5e1344d771f35e3809eb0ec0

SHA1
1a9cf665b82af9a44de9a0b29715377d89902abb

SHA256
4fef0a21cbd3de02b7e05eb7276175f5d18f22d8ecc70e04d89ddeedcd72be6f

SHA512
151396ea87f04896ae25f625d0485bf789538208b1641e0c58d6e5dc85549132b2701587112a9bd79545fae0e3426bf170575b3ed1f16b701c38a53d0d71ef46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK4oK4Mq.exe

Filesize
651KB

MD5
9b71bc8c5e1344d771f35e3809eb0ec0

SHA1
1a9cf665b82af9a44de9a0b29715377d89902abb

SHA256
4fef0a21cbd3de02b7e05eb7276175f5d18f22d8ecc70e04d89ddeedcd72be6f

SHA512
151396ea87f04896ae25f625d0485bf789538208b1641e0c58d6e5dc85549132b2701587112a9bd79545fae0e3426bf170575b3ed1f16b701c38a53d0d71ef46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Js49FR3.exe

Filesize
1.7MB

MD5
413c69f99c96ed4f8087cb3fbbbfcdc9

SHA1
5222387f4c70dc2bc9d412a2cb0593689abcb0b7

SHA256
146281a0faf2dcd65b8b2ca6c18b6b757c8dd2064918ee9aeaf606e982a68e75

SHA512
e5c2cd1e9b4f4c1012353a3792967e960a5d9da314f1fbba8c40d9355b9cfdf2e718307a278e57c4cc812edf62599f81934e1055296cfa546a3760f71d9bf5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Js49FR3.exe

Filesize
1.7MB

MD5
413c69f99c96ed4f8087cb3fbbbfcdc9

SHA1
5222387f4c70dc2bc9d412a2cb0593689abcb0b7

SHA256
146281a0faf2dcd65b8b2ca6c18b6b757c8dd2064918ee9aeaf606e982a68e75

SHA512
e5c2cd1e9b4f4c1012353a3792967e960a5d9da314f1fbba8c40d9355b9cfdf2e718307a278e57c4cc812edf62599f81934e1055296cfa546a3760f71d9bf5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd567HH.exe

Filesize
230KB

MD5
e08b8585c5a65f833a6861e89df920b4

SHA1
71ad151b2f788d3a1263a985ba35c30dc2816697

SHA256
7286fea2de1dc9558a14cee120b3d2763718fef22f83691f6e71f6ec09677acd

SHA512
6db8b0b77002e9cc7449776a1cb5bee3cf19b1786e7ae8b9ce8463f3267b2793d5463ff7dc4cc38e6a6b3ecebebdbd579f9ff7ccdb61da23957eda979d4ba885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd567HH.exe

Filesize
230KB

MD5
e08b8585c5a65f833a6861e89df920b4

SHA1
71ad151b2f788d3a1263a985ba35c30dc2816697

SHA256
7286fea2de1dc9558a14cee120b3d2763718fef22f83691f6e71f6ec09677acd

SHA512
6db8b0b77002e9cc7449776a1cb5bee3cf19b1786e7ae8b9ce8463f3267b2793d5463ff7dc4cc38e6a6b3ecebebdbd579f9ff7ccdb61da23957eda979d4ba885

Download Submit
memory/1888-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1888-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1888-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1888-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3820-46-0x0000000007430000-0x00000000074C2000-memory.dmp

Filesize
584KB

Download
memory/3820-44-0x0000000000550000-0x000000000058E000-memory.dmp

Filesize
248KB

Download
memory/3820-45-0x0000000007940000-0x0000000007EE4000-memory.dmp

Filesize
5.6MB

Download
memory/3820-43-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/3820-47-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/3820-48-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/3820-49-0x0000000008510000-0x0000000008B28000-memory.dmp

Filesize
6.1MB

Download
memory/3820-50-0x00000000077C0000-0x00000000078CA000-memory.dmp

Filesize
1.0MB

Download
memory/3820-51-0x00000000076F0000-0x0000000007702000-memory.dmp

Filesize
72KB

Download
memory/3820-52-0x0000000007750000-0x000000000778C000-memory.dmp

Filesize
240KB

Download
memory/3820-53-0x00000000078D0000-0x000000000791C000-memory.dmp

Filesize
304KB

Download
memory/3820-54-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/3820-55-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads