Malware Analysis Report

2025-08-11 01:11

Sample ID 231006-zvtl4aab93
Target a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70
SHA256 a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70
Tags
mystic redline gigant infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70

Threat Level: Known bad

The file a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70 was found to be: Known bad.

Malicious Activity Summary

mystic redline gigant infostealer persistence stealer

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 21:02

Signatures

Unsigned PE

Description Indicator Process Target
(1 match: the submitted file carries no Authenticode signature; the report records no further indicator, process or target for it)

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 21:02

Reported

2023-10-06 21:05

Platform

win10v2004-20230915-en

Max time kernel

139s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
(4 matches; the report records no description, indicator, process or target for any of them)

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(3 matches; the report records no description, indicator, process or target for any of them)

Adds Run key to start application

persistence

Caveat: all five values are "wextract_cleanupN" entries under RunOnce, each invoking advpack.dll,DelNodeRunDLL32 against an IXP00N.TMP directory. That is the standard cleanup hook the Windows IExpress/WEXTRACT self-extractor writes for its own staging directory, and the incrementing IXP000.TMP to IXP004.TMP names show that each dropped stage is itself such a self-extractor unpacking the next one. At the next logon these entries delete the staging directories; they do not relaunch a payload. Read them as evidence of a five-deep nested-installer chain, and as a reason to collect the IXP00N.TMP contents before the host reboots, not as persistence in their own right. The report records no other Run or RunOnce writes.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe N/A
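To keep the Run/RunOnce triage from being done by eye, here is an added Python example (not from the report, and not from the sandbox that produced it) that separates the IExpress cleanup hooks from genuine autostart entries and lists the staging directories those hooks will erase. The five RunOnce values are the report's own; the Run\Updater entry is a constructed counter-example, and the user-writable path list in USER_WRITABLE is an assumption to be tuned per environment.

```python
import re

# Registry writes copied from the report's "Adds Run key to start application"
# table, plus one constructed Run value (NOT from the report) so the two
# classes can be told apart.
REG_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"'),
    # Constructed for contrast (not in the report): a real autostart of a dropped binary.
    (r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Users\Admin\AppData\Roaming\Updater\updater.exe"'),
]

AUTOSTART_KEYS = {"run", "runonce", "runonceex"}
# IExpress/WEXTRACT writes RunOnce\wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32 "<IXP00N.TMP dir>"
WEXTRACT_VALUE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
WEXTRACT_DATA = re.compile(
    r'^rundll32(?:\.exe)? \S*advpack\.dll,DelNodeRunDLL32 "([^"]*\\IXP\d{3}\.TMP\\)"$',
    re.IGNORECASE)
# Assumed list of locations a user can write to; an autostart pointing there is the usual dropper pattern.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)


def classify_autostart(key, data):
    """Return (label, detail).
    installer-cleanup: the WEXTRACT RunOnce hook; it only deletes its own
                       IXP00N.TMP staging directory at next logon.
    persistence:       any other Run/RunOnce/RunOnceEx value.
    other:             not an autostart key at all."""
    parent_key, _, value = key.rpartition("\\")
    subkey = parent_key.rsplit("\\", 1)[-1].lower()
    if subkey not in AUTOSTART_KEYS:
        return ("other", subkey)
    m = WEXTRACT_DATA.match(data)
    if subkey == "runonce" and WEXTRACT_VALUE.match(value) and m:
        return ("installer-cleanup", m.group(1))
    if USER_WRITABLE.search(data):
        return ("persistence", "autostart from a user-writable path: " + data)
    return ("persistence", data)


def staging_dirs(writes):
    """Directories the cleanup hooks will wipe at next logon: image them
    (they hold the dropped stages) before the host reboots."""
    return [detail for label, detail in (classify_autostart(k, d) for k, d in writes)
            if label == "installer-cleanup"]


def real_persistence(writes):
    """Autostart entries that survive the installer-cleanup filter."""
    hits = []
    for k, d in writes:
        label, detail = classify_autostart(k, d)
        if label == "persistence":
            hits.append((k, detail))
    return hits


if __name__ == "__main__":
    for k, d in REG_WRITES:
        print(classify_autostart(k, d)[0].ljust(18), k.rsplit("\\", 1)[-1])
    print("collect before reboot:", *staging_dirs(REG_WRITES), sep="\n  ")
```

Run against this report alone the script reports five cleanup hooks and no persistence; the constructed Run\Updater line is what a genuine hit looks like.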

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1820 set thread context of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Read together with the ten remote writes from 1820 into 4256 in the next table, this is the footprint of process hollowing: the final-stage dropper 1Cr62SH3.exe starts the signed .NET host AppLaunch.exe, writes an image into it and then points its main thread at that image. The 0x400000-0x428000 dumps of PID 4256 listed under Files are that written region and are where to look for the unpacked stealer. The family signatures above carry no process attribution, so the sandbox does not itself say which process the Mystic and RedLine matches came from. Both 1820 and 4256 later crashed (see the WerFault.exe invocations under Processes), which is what the "Program crash" signature refers to.

Suspicious use of WriteProcessMemory

The report lists one row per API call; identical rows are collapsed here with their call count.

Description Indicator Process Target
PID 3000 wrote to memory of 3748 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe
PID 3748 wrote to memory of 828 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe
PID 828 wrote to memory of 5084 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe
PID 5084 wrote to memory of 2876 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe
PID 2876 wrote to memory of 1820 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe
PID 1820 wrote to memory of 4256 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 1628 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe
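The two tables above contain everything needed to rebuild the chain and to spot the hollowing pattern mechanically. The following Python is an added example, not part of the sandbox report or of the tool that produced it: it parses the rows as copied from this page, infers each process's parent from the first process that wrote into it (an assumption that holds for this run, where every stage writes only into the process it has just launched; a production script should take the tree from process-creation events instead) and flags source/target pairs that show both a remote write and a thread-context change into a binary under C:\Windows.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables, one row per distinct edge
# (the report repeats each write once per API call; the repeats add nothing here).
EVENT_ROWS = r"""
PID 3000 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe
PID 3748 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe
PID 828 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe
PID 5084 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe
PID 2876 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe
PID 1820 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2876 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe
PID 1820 set thread context of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def parse_events(text):
    """Turn the sandbox rows into dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, api, dst, src_img, dst_img = m.groups()
        events.append({
            "api": "WriteProcessMemory" if api.startswith("wrote") else "SetThreadContext",
            "src": int(src), "dst": int(dst),
            "src_img": src_img, "dst_img": dst_img,
        })
    return events


def process_tree(events):
    """Parent and image maps. Assumption (true for this run): the first
    process that writes into a PID is the one that launched it, so the
    remote-write edge doubles as the parent-child edge the report never
    states explicitly."""
    parent, image = {}, {}
    for e in events:
        parent.setdefault(e["dst"], e["src"])
        image.setdefault(e["src"], e["src_img"])
        image.setdefault(e["dst"], e["dst_img"])
    return parent, image


def ancestry(pid, parent, image):
    """Image basenames from the root of the chain down to pid."""
    chain = []
    while pid is not None:
        chain.append(image[pid].rsplit("\\", 1)[-1])
        pid = parent.get(pid)
    return chain[::-1]


def hollowing_candidates(events):
    """Process hollowing leaves a specific pair of traces from one source PID
    into one target PID: WriteProcessMemory (the replacement image) and
    SetThreadContext (redirecting the suspended main thread into it). Only
    pairs whose target is a Windows binary are reported, since a clean
    system image running foreign code is the case worth escalating."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["src"], e["dst"])].add(e["api"])
    _, image = process_tree(events)
    hits = []
    for (src, dst), apis in seen.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis \
                and image[dst].lower().startswith("c:\\windows\\"):
            hits.append((src, dst, image[dst]))
    return hits


if __name__ == "__main__":
    evs = parse_events(EVENT_ROWS)
    parent, image = process_tree(evs)
    for src, dst, host in hollowing_candidates(evs):
        print(f"hollowing: PID {src} -> PID {dst} ({host})")
        print("  chain:", " > ".join(ancestry(dst, parent, image)))
```

For this report the only hit is 1820 into 4256 (AppLaunch.exe), seven processes deep from the submitted sample; the sibling 2ZU513ch.exe (1628) is written to by la4nN2aB.exe but never has its thread context changed, so it is not flagged.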

Processes

Process tree, with the sandbox PIDs taken from the memory-write and thread-context rows above (the report lists the processes flat; parent-child edges here are inferred from which process wrote into which, and each entry shows the image path followed by the command line as recorded):

PID 3000  C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe
          "C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe"
  PID 3748  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe
    PID 828  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe
             C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe
      PID 5084  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe
        PID 2876  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe
          PID 1820  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe
            PID 4256  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe   (image written and thread context set by 1820)
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID 1628  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe

Crash handling (C:\Windows\SysWOW64\WerFault.exe, the "Program crash" signature; both 1Cr62SH3.exe (1820) and AppLaunch.exe (4256) crashed):

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1820 -ip 1820
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 152
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4256 -ip 4256
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 540

Network

Of the 23 rows, 14 are reverse (in-addr.arpa) lookups sent to 8.8.8.8, i.e. PTR queries for addresses the guest contacted in the background, and 5 belong to tse1.mm.bing.net (one DNS query plus four TLS connections to 204.79.197.200), which is Windows background traffic in the sandbox image. The only destination not explained by the operating system is 77.91.124.55:19071 (FI): four TCP connections with no domain recorded, so the address and port are most likely embedded in the payload rather than resolved. Treat it as the candidate C2 endpoint to pivot on; the report does not show what was exchanged over it.

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
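An added Python example (not from the report or its sandbox) that applies that filtering to the rows above: reverse lookups are separated from forward traffic, an assumed allowlist of Windows background domains (BACKGROUND_SUFFIXES, to be tuned for your own lab image) removes the Bing traffic, and what remains is aggregated into candidate endpoints with hit counts. ptr_to_ip turns the in-addr.arpa names back into the addresses the guest actually touched, which is how one confirms that 200.197.79.204.in-addr.arpa is just the Bing address 204.79.197.200 being resolved in reverse.

```python
import re
from collections import Counter

# Network rows copied from the report: country, destination, optional domain, proto.
NET_ROWS = """
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
"""

# Assumed allowlist of Windows background traffic seen in sandbox runs; tune per lab image.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")


def parse_rows(text):
    """Rows have 4 fields, or 3 when the sandbox recorded no domain."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 4:
            country, dest, domain, proto = f
        elif len(f) == 3:
            country, dest, proto = f
            domain = ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'241.154.82.20.in-addr.arpa' -> '20.82.154.241'; PTR names list the
    octets in reverse order. Returns None for anything that is not a PTR name."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa", name, re.IGNORECASE)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def classify(row):
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return "rdns-noise"      # resolver doing PTR lookups for addresses already seen
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"      # OS/telemetry traffic on the allowlist
    return "candidate"           # everything else: what an analyst should look at


def triage(rows):
    """Per-class counts, aggregated candidate endpoints, and the addresses
    behind the reverse lookups."""
    counts = Counter(classify(r) for r in rows)
    candidates = Counter((r["country"], r["dest"], r["domain"], r["proto"])
                         for r in rows if classify(r) == "candidate")
    rdns_ips = sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "rdns-noise"})
    return counts, candidates, rdns_ips


if __name__ == "__main__":
    counts, candidates, rdns_ips = triage(parse_rows(NET_ROWS))
    print(dict(counts))
    for (country, dest, domain, proto), n in candidates.most_common():
        print(f"candidate {dest} ({country}, {proto}, domain={domain or '-'}): {n} hits")
    print("addresses behind PTR lookups:", ", ".join(rdns_ips))
```

The output for this report is one candidate, 77.91.124.55:19071 over TCP with four hits, and a list of fourteen addresses behind the PTR lookups that can be checked against the lab's known background ranges.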

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe

MD5 ba4892e26926988f6a2dbb56995247e1
SHA1 7a79129ae7bb490245fac12c3602d78bd83290c3
SHA256 49b0eb8508ad7b7782737bc41f64b74e22028854cc7c556f391680e25660ece0
SHA512 0353061d517d55a31ea283a15e06dcd4b70d0eae615a3569750c93a0dc3e615a13220356affc0f1df3d4a17c385855ee0d2ac95f4000b799abefe9089f1f008b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe

MD5 186db84236869477c2534576e7dd6f5a
SHA1 28a977b59c80e801f43a342972c4dc17824b9456
SHA256 a3e663e65f46b81e23c51d7b361072bc5616f295c5d99987c443d2d6710a5d08
SHA512 dd76398b21c0974405873ca2eb8cf8a370183a160437f19a8b6220dbd2781e4cc4e0ef56feec10c5eef66cc1019bb05eb896311b8d19ed55aacc29084f789e7c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe

MD5 b85f2a763913194dd223c4802af384ad
SHA1 ea95d3451450dd44c3d4a4601fb452f4c88f3df0
SHA256 81e9b894f157bc3443d367d11cf4eb290cc08ba7969c471f03d111661c9be7d2
SHA512 ab4ed7d6b8546381396a8212661885f22b747cae60da068e22357a3041fb966858e87fce0e7cffb255b2686b10bf6a3764d972b4d2acf28d7ad9b6e671e0733d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe

MD5 f6f499f248603f12859ee9f7f0c04c84
SHA1 6ac87bf2f88b39bb1385fc781f417a80e316334e
SHA256 1d169ee672ef4b2bbe3630b7077b726aaff5dfa20d15166bcec571f935ddbb58
SHA512 48ef5ea53798691b0cbb51f1ff0e39fea7363c4501f6c5c2d03e19e3410332229aef7c0d02f16e52aa6e16391675ce78e4f7956448bdf5d7cac90762ac73ce61

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe

MD5 d859ff4578532e70d8d8745fc3343875
SHA1 ad023feca03469ae116137fffc644326eb767d83
SHA256 9f52521d2f7ab62a4e4d237fe1e00bdf0881735909c1053b2c70181d1bd84049
SHA512 3a4b619c8bea97e68547238c4b0422e5a6d2545f3ca42635239057295de454cd9fc6546bf0c37c85d5a7bd3cbba2cd4de5c5907ba9c3ac28a75990ccd61a03e1

memory/4256-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4256-36-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4256-37-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4256-39-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe

MD5 d8623a7a068dbdc8ef201ad700abdf9a
SHA1 408f6b54b69e19fe72cb879973de83ffb3a6911e
SHA256 323531e939191dda90ea0fe0b12852dcf65804e03115205d55972ab275e75c5d
SHA512 74420e4724cc3b1911c354f1837ee3a19b369a05fec97545f2562d41909d6f87970475861d8111b3180276b3b0028202b7b60d55c17d481657ceee4bd2b6af87

memory/1628-43-0x0000000074860000-0x0000000075010000-memory.dmp

memory/1628-44-0x0000000000810000-0x000000000084E000-memory.dmp

memory/1628-45-0x0000000007B90000-0x0000000008134000-memory.dmp

memory/1628-46-0x0000000007680000-0x0000000007712000-memory.dmp

memory/1628-47-0x0000000007900000-0x0000000007910000-memory.dmp

memory/1628-48-0x00000000075F0000-0x00000000075FA000-memory.dmp

memory/1628-49-0x0000000074860000-0x0000000075010000-memory.dmp

memory/1628-50-0x0000000007900000-0x0000000007910000-memory.dmp

memory/1628-51-0x0000000008760000-0x0000000008D78000-memory.dmp

memory/1628-52-0x0000000007A20000-0x0000000007B2A000-memory.dmp

memory/1628-53-0x0000000007860000-0x0000000007872000-memory.dmp

memory/1628-54-0x00000000050A0000-0x00000000050DC000-memory.dmp

memory/1628-55-0x00000000050E0000-0x000000000512C000-memory.dmp