mystic | af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe
Size

1.2MB
MD5

e0cc4babef04cb748eaa8b45ecc4bb42
SHA1

6c1afcf2f818a340ddf35f7eb7a76df5b3263da7
SHA256

af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e
SHA512

8f104c7571e892c02d88466fc5d50163d114ffe8a749836cf0046cd6652e41877edf22220a87d2c7089fc4dab2c9ec84d8b5ca92589383313b391e2c2967c266
SSDEEP

24576:yyU1DHful+Fu+35mJcdoOEfsUIb2ho+RQEMnW9SMp/YwVhK:ZUJf+CggE0UIb2hoqGW9S4Qch

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2004-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2004-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2004-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2004-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e4-41.dat	family_redline
behavioral2/files/0x00070000000231e4-42.dat	family_redline
behavioral2/memory/3356-43-0x00000000005E0000-0x000000000061E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2260	BZ3Jh2Qt.exe
1884	VU5Mx1od.exe
1028	YQ3ft9BW.exe
5028	nx3QP0Sy.exe
4036	1Jm70ch2.exe
3356	2GZ799Nd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VU5Mx1od.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	YQ3ft9BW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	nx3QP0Sy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	BZ3Jh2Qt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 2004	4036	1Jm70ch2.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1036	4036	WerFault.exe	90
4660	2004	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2260	4772	NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe	86
PID 4772 wrote to memory of 2260	4772	NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe	86
PID 4772 wrote to memory of 2260	4772	NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe	86
PID 2260 wrote to memory of 1884	2260	BZ3Jh2Qt.exe	87
PID 2260 wrote to memory of 1884	2260	BZ3Jh2Qt.exe	87
PID 2260 wrote to memory of 1884	2260	BZ3Jh2Qt.exe	87
PID 1884 wrote to memory of 1028	1884	VU5Mx1od.exe	88
PID 1884 wrote to memory of 1028	1884	VU5Mx1od.exe	88
PID 1884 wrote to memory of 1028	1884	VU5Mx1od.exe	88
PID 1028 wrote to memory of 5028	1028	YQ3ft9BW.exe	89
PID 1028 wrote to memory of 5028	1028	YQ3ft9BW.exe	89
PID 1028 wrote to memory of 5028	1028	YQ3ft9BW.exe	89
PID 5028 wrote to memory of 4036	5028	nx3QP0Sy.exe	90
PID 5028 wrote to memory of 4036	5028	nx3QP0Sy.exe	90
PID 5028 wrote to memory of 4036	5028	nx3QP0Sy.exe	90
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 4036 wrote to memory of 2004	4036	1Jm70ch2.exe	92
PID 5028 wrote to memory of 3356	5028	nx3QP0Sy.exe	102
PID 5028 wrote to memory of 3356	5028	nx3QP0Sy.exe	102
PID 5028 wrote to memory of 3356	5028	nx3QP0Sy.exe	102

C:\Users\Admin\AppData\Local\Temp\NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.af0c568e40461e44653e170346b923921df3b2299a7c92dee7d55a2f9a0d4f2e_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BZ3Jh2Qt.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BZ3Jh2Qt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU5Mx1od.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU5Mx1od.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ3ft9BW.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ3ft9BW.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nx3QP0Sy.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nx3QP0Sy.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm70ch2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm70ch2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 540
        8⤵
        Program crash
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 156
        7⤵
        Program crash
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GZ799Nd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GZ799Nd.exe
        6⤵
        Executes dropped EXE
        
        PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4036 -ip 4036
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2004 -ip 2004
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BZ3Jh2Qt.exe

Filesize
1.0MB

MD5
9e60daa556edc91686313a20480d9998

SHA1
82f32781a27218e1b132c66d45dd50c85ba3425b

SHA256
74c691d8ad179c72d5d91b8279601ee37cd35fb56e50ac7b7b5e031bb3c8fb14

SHA512
c3b6354d3337f2cebf1140736414ecae929b19981b0928e200cb74f5cccdfcf09a3d0d6eebaad4052f48b85b22ecc7555b1744855def38d09ea7e5b9a0ca5748

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BZ3Jh2Qt.exe

Filesize
1.0MB

MD5
9e60daa556edc91686313a20480d9998

SHA1
82f32781a27218e1b132c66d45dd50c85ba3425b

SHA256
74c691d8ad179c72d5d91b8279601ee37cd35fb56e50ac7b7b5e031bb3c8fb14

SHA512
c3b6354d3337f2cebf1140736414ecae929b19981b0928e200cb74f5cccdfcf09a3d0d6eebaad4052f48b85b22ecc7555b1744855def38d09ea7e5b9a0ca5748

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU5Mx1od.exe

Filesize
884KB

MD5
11b08b8f357a4b8c22662f5959ee472f

SHA1
76143855b9fc6bb3eb4ef97ce20f29b2732eb15a

SHA256
30f8d9a1612e3597804b7cfe11044099ef51201d3b8b6815811a7f6dcc5cdf0f

SHA512
640f2fe52fe6685fe2fb50e59aeb07470a56d2fdced387d510d0f03a91474ad312d4c41a195e30732bdb83a5522c3f0fda44c86c05fc03d4367d2483c907c0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU5Mx1od.exe

Filesize
884KB

MD5
11b08b8f357a4b8c22662f5959ee472f

SHA1
76143855b9fc6bb3eb4ef97ce20f29b2732eb15a

SHA256
30f8d9a1612e3597804b7cfe11044099ef51201d3b8b6815811a7f6dcc5cdf0f

SHA512
640f2fe52fe6685fe2fb50e59aeb07470a56d2fdced387d510d0f03a91474ad312d4c41a195e30732bdb83a5522c3f0fda44c86c05fc03d4367d2483c907c0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ3ft9BW.exe

Filesize
590KB

MD5
ed954a74aa76741f27c115867c8406fe

SHA1
8b03f26546010b511b0abd4f1407603048e2f0e2

SHA256
697272ef75d754f9c7d5c788974ac7540b662eb0545d128b121ff8e601956ecf

SHA512
c7de57801f60208dda82624c2a47cb977d8fb53dc118c8237e11da3c83f81bbd02f25a56fca73ac2a07c3cc5b2108c19ae1113be2037b355fc82209164c7039d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ3ft9BW.exe

Filesize
590KB

MD5
ed954a74aa76741f27c115867c8406fe

SHA1
8b03f26546010b511b0abd4f1407603048e2f0e2

SHA256
697272ef75d754f9c7d5c788974ac7540b662eb0545d128b121ff8e601956ecf

SHA512
c7de57801f60208dda82624c2a47cb977d8fb53dc118c8237e11da3c83f81bbd02f25a56fca73ac2a07c3cc5b2108c19ae1113be2037b355fc82209164c7039d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nx3QP0Sy.exe

Filesize
417KB

MD5
90ce900c7a0e9d4c94e8b57b8f5455c8

SHA1
19ff919c59d0921c67b93865748f686b990f224d

SHA256
4e6c379c72d62e6296a8772f4a432c2060469524dde96f1301f882a9de4dd9f6

SHA512
ffd244f00feb6c625495fcd2521d906a238605642b29b4d882ec46eb25e0b515b904c310f69626b9bc0fad32b48f7f3b0c3931622d95b5e05f3d753fe0b8c444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nx3QP0Sy.exe

Filesize
417KB

MD5
90ce900c7a0e9d4c94e8b57b8f5455c8

SHA1
19ff919c59d0921c67b93865748f686b990f224d

SHA256
4e6c379c72d62e6296a8772f4a432c2060469524dde96f1301f882a9de4dd9f6

SHA512
ffd244f00feb6c625495fcd2521d906a238605642b29b4d882ec46eb25e0b515b904c310f69626b9bc0fad32b48f7f3b0c3931622d95b5e05f3d753fe0b8c444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm70ch2.exe

Filesize
378KB

MD5
3fdd94f1244d3de44c11b3471723459d

SHA1
840f9c71826bab7ee9c47caeeeaa369a914305da

SHA256
d671bd54df5d5cb95d1cec184c861b8d9076bec157cebdb9937f63b67bd1cde5

SHA512
d0ee5b40bb15627be1c6b9645071a7189df09325ab66d9d21cff6a43a6b8f876ebd83207f2b1cc70472d5b118f6054e5f63bf92fe3d874884db0fcff6bd17b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm70ch2.exe

Filesize
378KB

MD5
3fdd94f1244d3de44c11b3471723459d

SHA1
840f9c71826bab7ee9c47caeeeaa369a914305da

SHA256
d671bd54df5d5cb95d1cec184c861b8d9076bec157cebdb9937f63b67bd1cde5

SHA512
d0ee5b40bb15627be1c6b9645071a7189df09325ab66d9d21cff6a43a6b8f876ebd83207f2b1cc70472d5b118f6054e5f63bf92fe3d874884db0fcff6bd17b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GZ799Nd.exe

Filesize
231KB

MD5
d05c162abb64efb4cc3c803b76b38eed

SHA1
dc2a30ad168a1c9836bb18619da743d4c826b48a

SHA256
f20c9b32f6e4c41cdda1d50ce2c948aa0f8b0d6e8b94bd7bd8d90d38c38cc61c

SHA512
091ba6fcf27ba33ede9d720730f564bed07e2eceb4c9559c3bbbc9b0d70916df13ae46a43f667547a976a35ea925b614d1c9089d843070eab70acf95024f5ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GZ799Nd.exe

Filesize
231KB

MD5
d05c162abb64efb4cc3c803b76b38eed

SHA1
dc2a30ad168a1c9836bb18619da743d4c826b48a

SHA256
f20c9b32f6e4c41cdda1d50ce2c948aa0f8b0d6e8b94bd7bd8d90d38c38cc61c

SHA512
091ba6fcf27ba33ede9d720730f564bed07e2eceb4c9559c3bbbc9b0d70916df13ae46a43f667547a976a35ea925b614d1c9089d843070eab70acf95024f5ede

Download Submit
memory/2004-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2004-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2004-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2004-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3356-46-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/3356-44-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3356-45-0x0000000007930000-0x0000000007ED4000-memory.dmp

Filesize
5.6MB

Download
memory/3356-43-0x00000000005E0000-0x000000000061E000-memory.dmp

Filesize
248KB

Download
memory/3356-47-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/3356-48-0x0000000007460000-0x000000000746A000-memory.dmp

Filesize
40KB

Download
memory/3356-49-0x0000000008500000-0x0000000008B18000-memory.dmp

Filesize
6.1MB

Download
memory/3356-50-0x00000000077C0000-0x00000000078CA000-memory.dmp

Filesize
1.0MB

Download
memory/3356-51-0x0000000007540000-0x0000000007552000-memory.dmp

Filesize
72KB

Download
memory/3356-52-0x00000000076B0000-0x00000000076EC000-memory.dmp

Filesize
240KB

Download
memory/3356-53-0x00000000076F0000-0x000000000773C000-memory.dmp

Filesize
304KB

Download
memory/3356-54-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3356-55-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads