mystic | 1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe
Size

1.2MB
MD5

b81cd3142a789eca2228e02e2a31229c
SHA1

6673628188e3aaa5cc5e3a0fd20cd472a85f237f
SHA256

1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b
SHA512

1b8855f6be99ade9f5d34a9bc69ba574a77957f397cd5015958eea3508e485934c1092aefebdf012b5671570c7fff8b0056b3325b56d0392abc55581599bb19c
SSDEEP

24576:tyg79ARUhCAlCegO5Q+wvF36AFIVjtftkIKVHXKT+w:Ik9ARmwOqjF36N/Nri

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2840-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2840-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2840-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2840-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe	family_redline
behavioral2/memory/3440-43-0x00000000003E0000-0x000000000041E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

TQ8Ny3fX.exeyI0rw7Oy.exeou1po6co.exeSV7Lf3oJ.exe1KW20JF5.exe2mE712ld.exe

pid process

3692 TQ8Ny3fX.exe
468 yI0rw7Oy.exe
1568 ou1po6co.exe
772 SV7Lf3oJ.exe
100 1KW20JF5.exe
3440 2mE712ld.exe

pid	process
3692	TQ8Ny3fX.exe
468	yI0rw7Oy.exe
1568	ou1po6co.exe
772	SV7Lf3oJ.exe
100	1KW20JF5.exe
3440	2mE712ld.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exeTQ8Ny3fX.exeyI0rw7Oy.exeou1po6co.exeSV7Lf3oJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TQ8Ny3fX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yI0rw7Oy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ou1po6co.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	SV7Lf3oJ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1KW20JF5.exe

description pid process target process

PID 100 set thread context of 2840 100 1KW20JF5.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2996 100 WerFault.exe 1KW20JF5.exe
4868 2840 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 100 set thread context of 2840	100	1KW20JF5.exe	AppLaunch.exe

pid	pid_target	process	target process
2996	100	WerFault.exe	1KW20JF5.exe
4868	2840	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exeTQ8Ny3fX.exeyI0rw7Oy.exeou1po6co.exeSV7Lf3oJ.exe1KW20JF5.exe

description	pid	process	target process
PID 4936 wrote to memory of 3692	4936	NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe	TQ8Ny3fX.exe
PID 4936 wrote to memory of 3692	4936	NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe	TQ8Ny3fX.exe
PID 4936 wrote to memory of 3692	4936	NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe	TQ8Ny3fX.exe
PID 3692 wrote to memory of 468	3692	TQ8Ny3fX.exe	yI0rw7Oy.exe
PID 3692 wrote to memory of 468	3692	TQ8Ny3fX.exe	yI0rw7Oy.exe
PID 3692 wrote to memory of 468	3692	TQ8Ny3fX.exe	yI0rw7Oy.exe
PID 468 wrote to memory of 1568	468	yI0rw7Oy.exe	ou1po6co.exe
PID 468 wrote to memory of 1568	468	yI0rw7Oy.exe	ou1po6co.exe
PID 468 wrote to memory of 1568	468	yI0rw7Oy.exe	ou1po6co.exe
PID 1568 wrote to memory of 772	1568	ou1po6co.exe	SV7Lf3oJ.exe
PID 1568 wrote to memory of 772	1568	ou1po6co.exe	SV7Lf3oJ.exe
PID 1568 wrote to memory of 772	1568	ou1po6co.exe	SV7Lf3oJ.exe
PID 772 wrote to memory of 100	772	SV7Lf3oJ.exe	1KW20JF5.exe
PID 772 wrote to memory of 100	772	SV7Lf3oJ.exe	1KW20JF5.exe
PID 772 wrote to memory of 100	772	SV7Lf3oJ.exe	1KW20JF5.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 100 wrote to memory of 2840	100	1KW20JF5.exe	AppLaunch.exe
PID 772 wrote to memory of 3440	772	SV7Lf3oJ.exe	2mE712ld.exe
PID 772 wrote to memory of 3440	772	SV7Lf3oJ.exe	2mE712ld.exe
PID 772 wrote to memory of 3440	772	SV7Lf3oJ.exe	2mE712ld.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 548
8⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 136
7⤵
- Program crash
PID:2996

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe
6⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 100 -ip 100
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2840 -ip 2840
1⤵
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe
Filesize
1.0MB

MD5
8ca2811ee4fae71a570298ebc6efcbac

SHA1
475da0caa3e4b5931344c9a739c46513edbe0830

SHA256
803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b

SHA512
6e7925228aaf4175a3c7f1e33131fdbcec9cdd9f40408933e7e607e0d6557ce92905ffe6dd90f6b73aaa38b1e769ad2966aacb375f2c660a4f7842dc5e013621

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe
Filesize
1.0MB

MD5
8ca2811ee4fae71a570298ebc6efcbac

SHA1
475da0caa3e4b5931344c9a739c46513edbe0830

SHA256
803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b

SHA512
6e7925228aaf4175a3c7f1e33131fdbcec9cdd9f40408933e7e607e0d6557ce92905ffe6dd90f6b73aaa38b1e769ad2966aacb375f2c660a4f7842dc5e013621

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe
Filesize
884KB

MD5
35cd0fa9a92632de1fb8f95616fbaf64

SHA1
54d2761ca84428640771282adb9157faaed6e027

SHA256
32bc699ccaf4a011697be83dacd09a35d622910ec756259f5f88b12b8ebb2feb

SHA512
2756154fed40d0c321f863ec2a8e433fb12351d436418daf7730cc1841641aa26a517ba9dbcbd8f640c5c64cee01b1f089518b5d4777e7cd47ebc9ffbb8b56e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe
Filesize
884KB

MD5
35cd0fa9a92632de1fb8f95616fbaf64

SHA1
54d2761ca84428640771282adb9157faaed6e027

SHA256
32bc699ccaf4a011697be83dacd09a35d622910ec756259f5f88b12b8ebb2feb

SHA512
2756154fed40d0c321f863ec2a8e433fb12351d436418daf7730cc1841641aa26a517ba9dbcbd8f640c5c64cee01b1f089518b5d4777e7cd47ebc9ffbb8b56e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe
Filesize
590KB

MD5
3a081b5e807cd77cc2ab1dd8be90b43f

SHA1
950840587b5abce844724558485224ca5ed40c5a

SHA256
6523b66313e8e95df0775befac10035f535ff46b85b23b68d611bff164f8c2db

SHA512
a3abd35d1932ef8070725965f464612be246c38fea6cad04587fa74c1c3affc30cf78ddb9d19c31a68b0ee00cff6dcced40f786bab19acf921681eb212dfe553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe
Filesize
590KB

MD5
3a081b5e807cd77cc2ab1dd8be90b43f

SHA1
950840587b5abce844724558485224ca5ed40c5a

SHA256
6523b66313e8e95df0775befac10035f535ff46b85b23b68d611bff164f8c2db

SHA512
a3abd35d1932ef8070725965f464612be246c38fea6cad04587fa74c1c3affc30cf78ddb9d19c31a68b0ee00cff6dcced40f786bab19acf921681eb212dfe553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe
Filesize
417KB

MD5
3d7f340b03b8668120c515eebb21d8e5

SHA1
b6cdff303bc0e96b55684ef7b7b96466e14ee982

SHA256
6b384a445d0a676ec844ef800f820fc0cfb7f0ef8b25d8e2554c823970a34dc1

SHA512
027875ae8292b0e223ee920c57d578623a3b2140475a5f69b4a495d16a1bb142f57943c22f70fb061cf0acc7f2f730a50ae8221743df81449995eb7061fa2869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe
Filesize
417KB

MD5
3d7f340b03b8668120c515eebb21d8e5

SHA1
b6cdff303bc0e96b55684ef7b7b96466e14ee982

SHA256
6b384a445d0a676ec844ef800f820fc0cfb7f0ef8b25d8e2554c823970a34dc1

SHA512
027875ae8292b0e223ee920c57d578623a3b2140475a5f69b4a495d16a1bb142f57943c22f70fb061cf0acc7f2f730a50ae8221743df81449995eb7061fa2869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe
Filesize
231KB

MD5
8073d2d3ebad6d4e30393d475a92bb86

SHA1
c51ad178741c1f75c5315236c66dd3acb1350c86

SHA256
956c4bdf9fe0e4700e8158dd17661ffebfda29f11dfe720ecea5a9605ac3bd66

SHA512
159e3ca8e7d7de6004b4fca384d31839a1d79ff31722f617c7f044afb4d772646dbcabcd80d2af92603c3d707091e58012928b6350d9e9f4bf4513cb16036203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe
Filesize
231KB

MD5
8073d2d3ebad6d4e30393d475a92bb86

SHA1
c51ad178741c1f75c5315236c66dd3acb1350c86

SHA256
956c4bdf9fe0e4700e8158dd17661ffebfda29f11dfe720ecea5a9605ac3bd66

SHA512
159e3ca8e7d7de6004b4fca384d31839a1d79ff31722f617c7f044afb4d772646dbcabcd80d2af92603c3d707091e58012928b6350d9e9f4bf4513cb16036203

Download Submit
memory/2840-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2840-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2840-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2840-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3440-46-0x00000000071C0000-0x0000000007252000-memory.dmp

Filesize
584KB

Download
memory/3440-43-0x00000000003E0000-0x000000000041E000-memory.dmp

Filesize
248KB

Download
memory/3440-45-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/3440-44-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3440-47-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-48-0x0000000007360000-0x000000000736A000-memory.dmp

Filesize
40KB

Download
memory/3440-49-0x00000000082A0000-0x00000000088B8000-memory.dmp

Filesize
6.1MB

Download
memory/3440-50-0x0000000007510000-0x000000000761A000-memory.dmp

Filesize
1.0MB

Download
memory/3440-51-0x0000000007440000-0x0000000007452000-memory.dmp

Filesize
72KB

Download
memory/3440-52-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/3440-53-0x0000000007620000-0x000000000766C000-memory.dmp

Filesize
304KB

Download
memory/3440-54-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3440-55-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download