Malware Analysis Report

2025-08-05 21:01

Sample ID 231007-fyxndahc7w
Target 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1
SHA256 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1
Tags mystic redline gigant infostealer persistence stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1

Threat Level: Known bad

The file 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1 was found to be: Known bad.

Malicious Activity Summary

mystic redline gigant infostealer persistence stealer

Mystic

RedLine payload

Detect Mystic stealer payload

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 05:17

Reported

2023-10-07 05:20

Platform

win10v2004-20230915-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 648 set thread context of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4960 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe 3
PID 4864 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe 3
PID 2212 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe 3
PID 1312 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe 3
PID 4732 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe 3
PID 648 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 4732 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xg494Yp.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe
  "C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 648 -ip 648

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1496 -ip 1496

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 152

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xg494Yp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xg494Yp.exe

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53            76.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa     udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa      udp
FI       77.91.124.55:19071    -                              tcp
US       8.8.8.8:53            2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53            240.81.21.72.in-addr.arpa      udp
FI       77.91.124.55:19071    -                              tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa    udp
FI       77.91.124.55:19071    -                              tcp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53            13.227.111.52.in-addr.arpa     udp
FI       77.91.124.55:19071    -                              tcp
US       8.8.8.8:53            tse1.mm.bing.net               udp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa    udp
FI       77.91.124.55:19071    -                              tcp
US       8.8.8.8:53            27.73.42.20.in-addr.arpa       udp
FI       77.91.124.55:19071    -                              tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe

MD5 7d8bce8a938054d015700b4c48b17712
SHA1 97439d5d78eb7f6137f71ac67b2e43cdaeee08fa
SHA256 928519206beaf315b784a5ff08e8c5cd0cb87973bb09ea8cc93634ab2f480c28
SHA512 cfecd593080010efd4252d2da37baf3fc0a6acc80d5585479b3d16b70ae22e2499e19a2aeee7883c4301e7e621bf278d1b154dfe1f0de0e840f3f418e0f4b2fc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe

MD5 1f64d4e95e750972b6ca8da2ca7f200e
SHA1 095a309f4b1051dfd077467f53898401614dd5e8
SHA256 e4e49b8568937c43bba5621fcfe9e3762efb9c4078b3287603ef249c522d126d
SHA512 024e0f80fbdfd0c55b1ffdb782454dbfd5be9facb112fb0bc11c154a227b99a4d9ee512a17e899c58caf7227a4220b464cc4587e694e02675844cdbb5fb071de

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe

MD5 51c4e08e66ba110fc409dd29756663a9
SHA1 eebcc81a6df9af1f9f83338cd4025581063cba16
SHA256 9a0c968ae1804661c5bef3200fe2981f14f49e385f32f398316f57620825d0a3
SHA512 0adcf46abf851327e0dcbde29f0cbb4ac2a8edb6409dc3656200859c63b1e9a45809bd34ed2ac0d4c8b6fa56a2448bde37af15772b2b18c93a040efaae1466c1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe

MD5 ed39b18378f94c9be599adcabf326d5e
SHA1 242a649a528bfe33d35032338737d9d80d54ddc0
SHA256 0289e8beece7f929ee4f1866f135bf6643fc3acb7b1d8f032344a8ea80b0a508
SHA512 658c269a273ad03f4b8767d98c09308073a666d99d6efe815d0dd2b2d48d004392e5eda174084bc0fa87b48f39d4a89a4824c5018431ad147e1d611aca3e7a10

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/1496-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1496-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1496-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1496-39-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xg494Yp.exe

MD5 3ad22e3c5ba832c17ae0ce322cdfa8bc
SHA1 c8d4b98f62698287ae004a8f73612d7080ac0416
SHA256 2b56240abd8cc504dafbd738f0e52a21e3e0a4b82b74eb32848cf58feef71fe3
SHA512 6fac06c77feda96873aa406e349487f248760b15ac011902b20ac0a7c4e799e4064806ff5f043405ddfe060cda8d6e20ef84dbf554debcb4cfeeb892133b2b81

memory/3152-43-0x0000000073FA0000-0x0000000074750000-memory.dmp
memory/3152-44-0x0000000000760000-0x000000000079E000-memory.dmp
memory/3152-45-0x00000000079D0000-0x0000000007F74000-memory.dmp
memory/3152-46-0x0000000007500000-0x0000000007592000-memory.dmp
memory/3152-47-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/3152-48-0x00000000076E0000-0x00000000076EA000-memory.dmp
memory/3152-49-0x00000000085A0000-0x0000000008BB8000-memory.dmp
memory/3152-50-0x0000000007890000-0x000000000799A000-memory.dmp
memory/3152-51-0x00000000077C0000-0x00000000077D2000-memory.dmp
memory/3152-52-0x0000000007820000-0x000000000785C000-memory.dmp
memory/3152-53-0x0000000007F80000-0x0000000007FCC000-memory.dmp
memory/3152-54-0x0000000073FA0000-0x0000000074750000-memory.dmp
memory/3152-55-0x00000000074A0000-0x00000000074B0000-memory.dmp