Malware Analysis Report

2025-08-05 21:00

Sample ID 231007-gjnmlahd5z
Target 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f
SHA256 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f
Tags mystic redline gigant infostealer persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f

Threat Level: Known bad

The file 3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f was found to be: Known bad.

Malicious Activity Summary

mystic redline gigant infostealer persistence stealer

Mystic

RedLine payload

RedLine

Detect Mystic stealer payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-10-07 05:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-07 05:50
Reported 2023-10-07 05:52
Platform win10v2004-20230915-en
Max time kernel 140s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows, no indicator details recorded)

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows, no indicator details recorded)

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1020 set thread context of 1012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 1520 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe
PID 1520 wrote to memory of 212 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe
PID 212 wrote to memory of 2000 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe
PID 2000 wrote to memory of 3488 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe
PID 3488 wrote to memory of 1020 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe
PID 1020 wrote to memory of 1012 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3488 wrote to memory of 4136 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2at668dL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b25010716254931851928e53873ec833ddac68b17eb86475d05bfbfa4ed1a5f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1020 -ip 1020

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 156

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 544

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2at668dL.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2at668dL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.124.55:19071 (no domain) tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FI 77.91.124.55:19071 (no domain) tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.55:19071 (no domain) tcp
FI 77.91.124.55:19071 (no domain) tcp
FI 77.91.124.55:19071 (no domain) tcp
FI 77.91.124.55:19071 (no domain) tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bK6MM6iC.exe

MD5 1a2a4274e09d2c54cda31cfc5f448be7
SHA1 f98a016ad37847254d4c0cbcbd4eb1062697baf2
SHA256 bf1557f0eec4ec3c50019cb6297288bcdeb7e5fc22c9342213b18d36b861f8d6
SHA512 28bc5e0465bdb80c63d99255d658460d828b8cf7afeff9dabf8a7b63e0c223773e3aeae25a9da483c5962db0bc6dd454c13d09c449d13121e1e10868f991205a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RB2kt7oI.exe

MD5 15cb8b1d25f2b0f8f6e4fdf1679fc3a3
SHA1 7a8de3ae1736af216ce6d77765154d234bd7f8e9
SHA256 12bb20b7870fe0669536c152d4d56089cc12d77d886c84263c604acf89402f77
SHA512 600a1545350e1b7ce699281e53387f94ffa533f45135cc3dc7e46c561f358c32f71865b76ff53a470b280504f7c4202f02aab860e59d1c9231162055f1117156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw3cy0bM.exe

MD5 42d52021278c70e39ac42b8d113515a8
SHA1 f79b437c4a8927f5fe266e7094d4af31a64c6f4e
SHA256 2705ab1ca508597647b7952bde0de01e27cbfc4770c5c9c1a1de02072d2be8ff
SHA512 c2cdb3e90605f2d6444453bfad3aa7d38dd82212b1c6c4df4219b1168655918e0b0c616f7fc70171abef675a90030987d2e28cd9b10e4e59d0ab76c5353c3511

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vo3Re0sw.exe

MD5 edd3be43bea3cd73d0954251636b1f9e
SHA1 a5d8f137b446362cea4bd4a8a6b8af5d8e56e453
SHA256 d391a13b57e2e2f484160bb6b4f7bfeb355054917d1030cc0e30a4c08c2027a4
SHA512 8ed4278e3ea14aba5bdf0ced87c0f6622c24875e19cc449a4beafc12bd78752705bb90df0d8a5856eb24351f07f8ddd72789c8f751673e858fb92994ae9df8ad

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zj47kq4.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/1012-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1012-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1012-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1012-39-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2at668dL.exe

MD5 d06bb8e6a189f79df58a5919e5ca675f
SHA1 0deacf0fd3a885e5b0c66e09b92bec964b5f77af
SHA256 7a8893aa6a53edbe61dbf29d5f13ae27932e815f116948f1c175440a238bc75b
SHA512 dcd55972e60b8ad60ff79711763b802d97f0cd055bbd13839c48f21191d388553fe32673d9eec17e7080700926c7eb06bfa2b3c3095fecfb78c1a85b729f8168

memory/4136-43-0x00000000004B0000-0x00000000004EE000-memory.dmp
memory/4136-44-0x00000000744F0000-0x0000000074CA0000-memory.dmp
memory/4136-45-0x0000000007800000-0x0000000007DA4000-memory.dmp
memory/4136-46-0x00000000072F0000-0x0000000007382000-memory.dmp
memory/4136-47-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/4136-48-0x0000000007290000-0x000000000729A000-memory.dmp
memory/4136-49-0x00000000083D0000-0x00000000089E8000-memory.dmp
memory/4136-50-0x0000000007670000-0x000000000777A000-memory.dmp
memory/4136-51-0x0000000007500000-0x0000000007512000-memory.dmp
memory/4136-52-0x00000000075A0000-0x00000000075DC000-memory.dmp
memory/4136-53-0x00000000075E0000-0x000000000762C000-memory.dmp
memory/4136-54-0x00000000744F0000-0x0000000074CA0000-memory.dmp
memory/4136-55-0x00000000072C0000-0x00000000072D0000-memory.dmp