Malware Analysis Report

2025-08-05 21:00

Sample ID 231007-g5zxrahe7y
Target 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58
SHA256 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58
Tags
mystic redline gigant infostealer persistence stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58

Threat Level: Known bad

The file 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58 was found to be: Known bad.

Malicious Activity Summary

mystic redline gigant infostealer persistence stealer

RedLine

RedLine payload

Detect Mystic stealer payload

Mystic

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2023-10-07 06:23

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-07 06:23

Reported 2023-10-07 06:26

Platform win10v2004-20230915-en

Max time kernel 142s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe"

Signatures

Detect Mystic stealer payload

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4192 set thread context of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe
PID 1060 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe
PID 4300 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe
PID 1032 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe
PID 4824 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe
PID 4192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4824 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe

"C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe

MD5 92bcae9523fa276ff5cbec7700876fe5
SHA1 308a273b3e213e1d1f77d4e8ba4c586bf6054ba8
SHA256 cc1aa43c0328e4b58f784be077e6b72d9deb9079c2858217338704d5e952cb7c
SHA512 f2bbb48ad972572b83a00e421714e6e0e69e24eca3f5a94996a7b06d78361c4a78e2db3411cc35c50f0994f2c5af7384a15e547d9bf012c4ea57e43275448c30

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe

MD5 ea0ac474ffd1b5126c78f897ebf94d9d
SHA1 8abdd1a8911c3c4093490afd7ed89527b7670ed6
SHA256 f5d2169a9ecc93fd57c081e3b609dce0d546f026584245c9b519c5c06ad0fa79
SHA512 17b5a3fc6f6f87cc4f44899e902f5ecabf252c3834ba52ce718b36bf7036e096e8945a876b1c3809f1a9bc495a6a1e8e12a4edd4153d30344dc8ba200dd6d23d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe

MD5 17690c1b10bae3f34acae87975eba51e
SHA1 f9c9cc016eb1158101fda934ad1f77f788714a8e
SHA256 155aa6b44d63f75e82d3c8ed71c473dcc489f72f1ea888934193d6d3eeb0f7db
SHA512 21585c47ffdea3750afd0d6d488036a56b72da78703e9d4dc1d1246ce67de8004c341a0f0862386a9faf8664f2add457f32c4536c3fee0ecfb64b567b03bcd4e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe

MD5 459be124daa7b2cee946a6e817bc4aca
SHA1 0a7cc81eb16d44bd4f95de294eda2fde57e66c2b
SHA256 0d68190bc3532fb0efb7df9df9e3036bd6abfc1d2fdb1e20cae06941abc67abf
SHA512 44e5770efcfb1c399b9c6777c28a2419f07b3b6199f73f1eacb0abc7baf8fe6618124b291dfa8428deb8ec3de1d65b52b613e4ae88d9a58710e6d0e6ac7dee3e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/3188-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3188-36-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3188-37-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3188-39-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe

MD5 0258dbe115a62667aa8a06ad3d8fd735
SHA1 98b2234856ef0a8adc212f03c67a7efbd77e5c96
SHA256 6af2a1fafa879b054235181766ea8a987b56bff4873438da5e380dfcd11579d3
SHA512 b88f519b92c80f51447e08f33ee1ca1cd3f8316ff85a9c301542d7ef79bc5b80ea41c47b2892c69796320a3702b6d88fce123cc88656ae96e9c3d90fa3fc6324

memory/2412-43-0x0000000000DF0000-0x0000000000E2E000-memory.dmp

memory/2412-44-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/2412-45-0x0000000008250000-0x00000000087F4000-memory.dmp

memory/2412-46-0x0000000007D40000-0x0000000007DD2000-memory.dmp

memory/2412-47-0x0000000007E90000-0x0000000007EA0000-memory.dmp

memory/2412-48-0x0000000007D10000-0x0000000007D1A000-memory.dmp

memory/2412-49-0x0000000008E20000-0x0000000009438000-memory.dmp

memory/2412-50-0x00000000080D0000-0x00000000081DA000-memory.dmp

memory/2412-51-0x0000000007F90000-0x0000000007FA2000-memory.dmp

memory/2412-52-0x0000000008000000-0x000000000803C000-memory.dmp

memory/2412-53-0x0000000008040000-0x000000000808C000-memory.dmp

memory/2412-54-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/2412-55-0x0000000007E90000-0x0000000007EA0000-memory.dmp