mystic | efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 20:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe
Size

1.2MB
MD5

c8ed428ce8ad84be6787d5afa45691be
SHA1

6778682df4879e5be9b2dd500d351c05df74c338
SHA256

efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90
SHA512

a57556bf32b35504268e9be72e1192a8749401a174153cf9e2564fe7eb7d651d236407328205840ac1f412245053176fe4a6590df560186d06aadf5e443cbd82
SSDEEP

24576:1yji3fmDxrSEQC2RaROsaq6KOXMTZmeMMmlXpmDda762UbypYlMC8WIm:Qm3firSEQChRTaqC6pMplX4DA7sycDQ

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3952-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3952-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3952-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3952-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023209-41.dat	family_redline
behavioral1/files/0x0006000000023209-42.dat	family_redline
behavioral1/memory/4480-43-0x0000000000BC0000-0x0000000000BFE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2896	uR3oJ0Wx.exe
4976	NY5pf7qr.exe
1928	fa5kY4RF.exe
3476	dI6Ws2DO.exe
456	1Cl10oH6.exe
4480	2LA279uS.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uR3oJ0Wx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NY5pf7qr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fa5kY4RF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dI6Ws2DO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 3952	456	1Cl10oH6.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4424	3952	WerFault.exe	95
408	456	WerFault.exe	90

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2896	4800	efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe	83
PID 4800 wrote to memory of 2896	4800	efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe	83
PID 4800 wrote to memory of 2896	4800	efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe	83
PID 2896 wrote to memory of 4976	2896	uR3oJ0Wx.exe	84
PID 2896 wrote to memory of 4976	2896	uR3oJ0Wx.exe	84
PID 2896 wrote to memory of 4976	2896	uR3oJ0Wx.exe	84
PID 4976 wrote to memory of 1928	4976	NY5pf7qr.exe	87
PID 4976 wrote to memory of 1928	4976	NY5pf7qr.exe	87
PID 4976 wrote to memory of 1928	4976	NY5pf7qr.exe	87
PID 1928 wrote to memory of 3476	1928	fa5kY4RF.exe	89
PID 1928 wrote to memory of 3476	1928	fa5kY4RF.exe	89
PID 1928 wrote to memory of 3476	1928	fa5kY4RF.exe	89
PID 3476 wrote to memory of 456	3476	dI6Ws2DO.exe	90
PID 3476 wrote to memory of 456	3476	dI6Ws2DO.exe	90
PID 3476 wrote to memory of 456	3476	dI6Ws2DO.exe	90
PID 456 wrote to memory of 2908	456	1Cl10oH6.exe	94
PID 456 wrote to memory of 2908	456	1Cl10oH6.exe	94
PID 456 wrote to memory of 2908	456	1Cl10oH6.exe	94
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 456 wrote to memory of 3952	456	1Cl10oH6.exe	95
PID 3476 wrote to memory of 4480	3476	dI6Ws2DO.exe	101
PID 3476 wrote to memory of 4480	3476	dI6Ws2DO.exe	101
PID 3476 wrote to memory of 4480	3476	dI6Ws2DO.exe	101

C:\Users\Admin\AppData\Local\Temp\efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe
"C:\Users\Admin\AppData\Local\Temp\efea1c78554300df5eb3eedaffb2293fe3a7533b80e5eb5d7286443679c4fa90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR3oJ0Wx.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR3oJ0Wx.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NY5pf7qr.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NY5pf7qr.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fa5kY4RF.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fa5kY4RF.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dI6Ws2DO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dI6Ws2DO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cl10oH6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cl10oH6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 540
        8⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 148
        7⤵
        Program crash
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LA279uS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LA279uS.exe
        6⤵
        Executes dropped EXE
        
        PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3952 -ip 3952
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 456 -ip 456
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR3oJ0Wx.exe

Filesize
1.0MB

MD5
fbe8587a2e4616321ec8ee96efefc1cb

SHA1
2d8f2b61eb0e6fb391c107a84bf3f8b027147d64

SHA256
536f06121c37909193c103db4ee032ec80d0d66a1ec58225c8bea4c38b73c7e1

SHA512
375da00f90691ec1dd6961a38d5f0114f257b49748d193292b851fc709f6407c76cfd17500e44e89dd4e53e33d8e63510f9a50d9e4e1a3a18e86bf2e6997f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR3oJ0Wx.exe

Filesize
1.0MB

MD5
fbe8587a2e4616321ec8ee96efefc1cb

SHA1
2d8f2b61eb0e6fb391c107a84bf3f8b027147d64

SHA256
536f06121c37909193c103db4ee032ec80d0d66a1ec58225c8bea4c38b73c7e1

SHA512
375da00f90691ec1dd6961a38d5f0114f257b49748d193292b851fc709f6407c76cfd17500e44e89dd4e53e33d8e63510f9a50d9e4e1a3a18e86bf2e6997f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NY5pf7qr.exe

Filesize
885KB

MD5
9dcea3a974bb6cec8fe6da9cf3514bbd

SHA1
40de3a6e50370b024dbaf8b18b1de494a431a78e

SHA256
e44655609fdc57e15055a7ce59e49e1bfc3f9b8b151b19be2b99807b98c7f3be

SHA512
771d3c4aff71da08e14d64e7927836b4e54dcec7b04399824f6d8c29d73d00fefba96f17e3df693f6aea870273bc4ec8f3a3f640cd6d2d8bc85871b541290dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NY5pf7qr.exe

Filesize
885KB

MD5
9dcea3a974bb6cec8fe6da9cf3514bbd

SHA1
40de3a6e50370b024dbaf8b18b1de494a431a78e

SHA256
e44655609fdc57e15055a7ce59e49e1bfc3f9b8b151b19be2b99807b98c7f3be

SHA512
771d3c4aff71da08e14d64e7927836b4e54dcec7b04399824f6d8c29d73d00fefba96f17e3df693f6aea870273bc4ec8f3a3f640cd6d2d8bc85871b541290dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fa5kY4RF.exe

Filesize
590KB

MD5
f6a6622429dcccf7575cea4541ade610

SHA1
10f140d271ee7eba3dfeba728f8e186789f441e5

SHA256
9fe5c3bea625770b8a077642cf30197b05dddc646888d039242515f510a79ec7

SHA512
bb30e939cec3a30b5ff50a015126b6103b2b982006265be904dfd05b89ad5f8fd4aef0296584c1d9e66c60f13a15ce00578f749d2645ecd0512e7fb0cab8d805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fa5kY4RF.exe

Filesize
590KB

MD5
f6a6622429dcccf7575cea4541ade610

SHA1
10f140d271ee7eba3dfeba728f8e186789f441e5

SHA256
9fe5c3bea625770b8a077642cf30197b05dddc646888d039242515f510a79ec7

SHA512
bb30e939cec3a30b5ff50a015126b6103b2b982006265be904dfd05b89ad5f8fd4aef0296584c1d9e66c60f13a15ce00578f749d2645ecd0512e7fb0cab8d805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dI6Ws2DO.exe

Filesize
418KB

MD5
12dfcbc1c9332aec1b253167d4a256e3

SHA1
3fb63dad1a634bf67d609d46fce06ccade51c333

SHA256
de70c947b402b692a3253525ac966a1ff4752e92f189f5a4104488d921d287cd

SHA512
2b11881aed08faf96fe3c5f73e633ec6bcc1b7c2f9547bb17278b6499c0513ffb3d5dd5fb3d7583cef0a41c5007508661dfcf35a778058257948bff13eca90b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dI6Ws2DO.exe

Filesize
418KB

MD5
12dfcbc1c9332aec1b253167d4a256e3

SHA1
3fb63dad1a634bf67d609d46fce06ccade51c333

SHA256
de70c947b402b692a3253525ac966a1ff4752e92f189f5a4104488d921d287cd

SHA512
2b11881aed08faf96fe3c5f73e633ec6bcc1b7c2f9547bb17278b6499c0513ffb3d5dd5fb3d7583cef0a41c5007508661dfcf35a778058257948bff13eca90b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cl10oH6.exe

Filesize
378KB

MD5
64f9786368225351aeca8ef283af8432

SHA1
e535c9bc713c652169dd32c5bec6f5af04f68eee

SHA256
96e5f76895564aa5073aae8973149bda257960eb67eea5a0320c6ddf5ee65f85

SHA512
f2588c8656a684c8779dd7b9c6f31bf42ab492c149b4fe0466fefad7d667ae2ca80483ffeb1bdefb158a59cedd31377cf05a1f9c5f66be9d1da8cb404de74809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cl10oH6.exe

Filesize
378KB

MD5
64f9786368225351aeca8ef283af8432

SHA1
e535c9bc713c652169dd32c5bec6f5af04f68eee

SHA256
96e5f76895564aa5073aae8973149bda257960eb67eea5a0320c6ddf5ee65f85

SHA512
f2588c8656a684c8779dd7b9c6f31bf42ab492c149b4fe0466fefad7d667ae2ca80483ffeb1bdefb158a59cedd31377cf05a1f9c5f66be9d1da8cb404de74809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LA279uS.exe

Filesize
231KB

MD5
c5229b159f5ac0115c812817c85f12f4

SHA1
23340e3f235ea19ca1436f08af1499007440e1ee

SHA256
1de7d499edba03a6644833245c219051c6560f85a4328e43040df7fdd4bfd3f0

SHA512
39bcd6ceeb83d5976945a3a2f6f3ec0c8efe108fda5e277b921d88979c23ad20daa607eee62489cfe67ea2a5121c29bd040f7795ef7b3cd4f4677a6d91c5778e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LA279uS.exe

Filesize
231KB

MD5
c5229b159f5ac0115c812817c85f12f4

SHA1
23340e3f235ea19ca1436f08af1499007440e1ee

SHA256
1de7d499edba03a6644833245c219051c6560f85a4328e43040df7fdd4bfd3f0

SHA512
39bcd6ceeb83d5976945a3a2f6f3ec0c8efe108fda5e277b921d88979c23ad20daa607eee62489cfe67ea2a5121c29bd040f7795ef7b3cd4f4677a6d91c5778e

Download Submit
memory/3952-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3952-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3952-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3952-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4480-46-0x0000000007990000-0x0000000007A22000-memory.dmp

Filesize
584KB

Download
memory/4480-43-0x0000000000BC0000-0x0000000000BFE000-memory.dmp

Filesize
248KB

Download
memory/4480-45-0x0000000007EA0000-0x0000000008444000-memory.dmp

Filesize
5.6MB

Download
memory/4480-44-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4480-47-0x0000000007B70000-0x0000000007B80000-memory.dmp

Filesize
64KB

Download
memory/4480-48-0x0000000007B30000-0x0000000007B3A000-memory.dmp

Filesize
40KB

Download
memory/4480-49-0x0000000008A70000-0x0000000009088000-memory.dmp

Filesize
6.1MB

Download
memory/4480-50-0x0000000007D80000-0x0000000007E8A000-memory.dmp

Filesize
1.0MB

Download
memory/4480-51-0x0000000007C10000-0x0000000007C22000-memory.dmp

Filesize
72KB

Download
memory/4480-52-0x0000000007C70000-0x0000000007CAC000-memory.dmp

Filesize
240KB

Download
memory/4480-53-0x0000000007CB0000-0x0000000007CFC000-memory.dmp

Filesize
304KB

Download
memory/4480-54-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4480-55-0x0000000007B70000-0x0000000007B80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads