mystic | 29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83

Analysis

max time kernel
154s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe
Size

1.2MB
MD5

1a68bcc3c6710c7235c62499b82502f3
SHA1

a41bc48f31a078d6d04aa016b60aa16d9f4bdf02
SHA256

29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83
SHA512

1e34fb4c668df6383a64bf92392fab7455b942e029340f2e01be9969029d67faeeb7a5ad462aa4089c8c2b7ed7460278194e0eac19459cb577e878150dd31942
SSDEEP

24576:RymO7YjIef0hVwjymGpacyJI2ny2QUIcbwpPSWgOPYLOsfOig:EmOUEY0hVwjhCyJfy2QXcOPNggYLOsr

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5052-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/5052-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/5052-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/5052-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yi534Re.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yi534Re.exe	family_redline
behavioral1/memory/2644-43-0x0000000000EA0000-0x0000000000EDE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Zo6NH0yZ.exeik7qo4LE.exeWA6lE4MC.exeWF3GP1Un.exe1sB98Tx0.exe2Yi534Re.exe

pid process

3176 Zo6NH0yZ.exe
4672 ik7qo4LE.exe
3248 WA6lE4MC.exe
4164 WF3GP1Un.exe
1760 1sB98Tx0.exe
2644 2Yi534Re.exe

pid	process
3176	Zo6NH0yZ.exe
4672	ik7qo4LE.exe
3248	WA6lE4MC.exe
4164	WF3GP1Un.exe
1760	1sB98Tx0.exe
2644	2Yi534Re.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ik7qo4LE.exeWA6lE4MC.exeWF3GP1Un.exe29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exeZo6NH0yZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ik7qo4LE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WA6lE4MC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	WF3GP1Un.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Zo6NH0yZ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1sB98Tx0.exe

description pid process target process

PID 1760 set thread context of 5052 1760 1sB98Tx0.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1020 1760 WerFault.exe 1sB98Tx0.exe
968 5052 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 1760 set thread context of 5052	1760	1sB98Tx0.exe	AppLaunch.exe

pid	pid_target	process	target process
1020	1760	WerFault.exe	1sB98Tx0.exe
968	5052	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exeZo6NH0yZ.exeik7qo4LE.exeWA6lE4MC.exeWF3GP1Un.exe1sB98Tx0.exe

description	pid	process	target process
PID 3720 wrote to memory of 3176	3720	29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe	Zo6NH0yZ.exe
PID 3720 wrote to memory of 3176	3720	29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe	Zo6NH0yZ.exe
PID 3720 wrote to memory of 3176	3720	29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe	Zo6NH0yZ.exe
PID 3176 wrote to memory of 4672	3176	Zo6NH0yZ.exe	ik7qo4LE.exe
PID 3176 wrote to memory of 4672	3176	Zo6NH0yZ.exe	ik7qo4LE.exe
PID 3176 wrote to memory of 4672	3176	Zo6NH0yZ.exe	ik7qo4LE.exe
PID 4672 wrote to memory of 3248	4672	ik7qo4LE.exe	WA6lE4MC.exe
PID 4672 wrote to memory of 3248	4672	ik7qo4LE.exe	WA6lE4MC.exe
PID 4672 wrote to memory of 3248	4672	ik7qo4LE.exe	WA6lE4MC.exe
PID 3248 wrote to memory of 4164	3248	WA6lE4MC.exe	WF3GP1Un.exe
PID 3248 wrote to memory of 4164	3248	WA6lE4MC.exe	WF3GP1Un.exe
PID 3248 wrote to memory of 4164	3248	WA6lE4MC.exe	WF3GP1Un.exe
PID 4164 wrote to memory of 1760	4164	WF3GP1Un.exe	1sB98Tx0.exe
PID 4164 wrote to memory of 1760	4164	WF3GP1Un.exe	1sB98Tx0.exe
PID 4164 wrote to memory of 1760	4164	WF3GP1Un.exe	1sB98Tx0.exe
PID 1760 wrote to memory of 3000	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 3000	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 3000	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 1760 wrote to memory of 5052	1760	1sB98Tx0.exe	AppLaunch.exe
PID 4164 wrote to memory of 2644	4164	WF3GP1Un.exe	2Yi534Re.exe
PID 4164 wrote to memory of 2644	4164	WF3GP1Un.exe	2Yi534Re.exe
PID 4164 wrote to memory of 2644	4164	WF3GP1Un.exe	2Yi534Re.exe

C:\Users\Admin\AppData\Local\Temp\29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe
"C:\Users\Admin\AppData\Local\Temp\29ec4459f7c5b96be00eb9d75d7992fe8fc81618ba6c1c136a35d0d29b14ba83.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zo6NH0yZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zo6NH0yZ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ik7qo4LE.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ik7qo4LE.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WA6lE4MC.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WA6lE4MC.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WF3GP1Un.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WF3GP1Un.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sB98Tx0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sB98Tx0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 560
8⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 156
7⤵
- Program crash
PID:1020

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yi534Re.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yi534Re.exe
6⤵
- Executes dropped EXE
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1760 -ip 1760
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5052 -ip 5052
1⤵
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zo6NH0yZ.exe
Filesize
1.0MB

MD5
b6ce3ed6020a6081ac8cba86e443f03e

SHA1
58067b4970b48ec2a8eb0aabfca8082002243ad8

SHA256
36bc55c7c172cb4624dbcd085827e1743310d804c38398617cd8c5e9441cd6cc

SHA512
4faa04b965b53cefbd239f7c4257dbee0e4913dea681dc5f2a5e87aa289b30ca7d926e1d024c39bbe06a43f3f18d2e9144551104033caecf8f6fd71348261aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zo6NH0yZ.exe
Filesize
1.0MB

MD5
b6ce3ed6020a6081ac8cba86e443f03e

SHA1
58067b4970b48ec2a8eb0aabfca8082002243ad8

SHA256
36bc55c7c172cb4624dbcd085827e1743310d804c38398617cd8c5e9441cd6cc

SHA512
4faa04b965b53cefbd239f7c4257dbee0e4913dea681dc5f2a5e87aa289b30ca7d926e1d024c39bbe06a43f3f18d2e9144551104033caecf8f6fd71348261aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ik7qo4LE.exe
Filesize
884KB

MD5
bc55deffb8e99e8faa789e4501e8c905

SHA1
302d733aea586aaf1eef368bf7b18c20a14b2652

SHA256
81834db0f31c26ade41118fd30f5d4e8ae05bf6dfa6ba0fb8e4627cae01ae4f1

SHA512
0e866f353bed6e4a461db63f81478a8cc963de7ee8cbeb5f91aa2a1f95f37389d1d7cb9303699ed9aab8d36785770bf5aa9ef11b847f511454f54366f48e2a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ik7qo4LE.exe
Filesize
884KB

MD5
bc55deffb8e99e8faa789e4501e8c905

SHA1
302d733aea586aaf1eef368bf7b18c20a14b2652

SHA256
81834db0f31c26ade41118fd30f5d4e8ae05bf6dfa6ba0fb8e4627cae01ae4f1

SHA512
0e866f353bed6e4a461db63f81478a8cc963de7ee8cbeb5f91aa2a1f95f37389d1d7cb9303699ed9aab8d36785770bf5aa9ef11b847f511454f54366f48e2a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WA6lE4MC.exe
Filesize
590KB

MD5
e08e8e94be8dbe821a64926fbe16879d

SHA1
0812948fb6d2ca54880aa38dca013aa658283381

SHA256
63e45ed76821ec1d324c3b076ab18c74b5effdd56f9ef3a2ce77ed765d918583

SHA512
db03091b6d529f4523ba5500a2b96f97933ca4104571ab23acbef69b6322d13fdb3bd98bc3775f8351a80320971d41476b05c96dd05273cedca8155dc9f32f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WA6lE4MC.exe
Filesize
590KB

MD5
e08e8e94be8dbe821a64926fbe16879d

SHA1
0812948fb6d2ca54880aa38dca013aa658283381

SHA256
63e45ed76821ec1d324c3b076ab18c74b5effdd56f9ef3a2ce77ed765d918583

SHA512
db03091b6d529f4523ba5500a2b96f97933ca4104571ab23acbef69b6322d13fdb3bd98bc3775f8351a80320971d41476b05c96dd05273cedca8155dc9f32f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WF3GP1Un.exe
Filesize
417KB

MD5
4b284f19f23b341f3658b72d12cf2c85

SHA1
7d7e0f296e0ad2db22a38c7cf439e9fcf377f35a

SHA256
6136292a1c9d99b76d0d03a79b45a76f91d3211038768e90795df634c4fe5f27

SHA512
acaf183c84ca4bcda642653be789ded918750ee10d86a39632dfc4120f6866d22b968dbc8d961123d5429e57d606a9beb00bee64d4a5e9eba61465df07b847ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WF3GP1Un.exe
Filesize
417KB

MD5
4b284f19f23b341f3658b72d12cf2c85

SHA1
7d7e0f296e0ad2db22a38c7cf439e9fcf377f35a

SHA256
6136292a1c9d99b76d0d03a79b45a76f91d3211038768e90795df634c4fe5f27

SHA512
acaf183c84ca4bcda642653be789ded918750ee10d86a39632dfc4120f6866d22b968dbc8d961123d5429e57d606a9beb00bee64d4a5e9eba61465df07b847ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sB98Tx0.exe
Filesize
378KB

MD5
2a3dcac5415aebc31b37fa7a662ff178

SHA1
9e7b23e4699a4598c020dc049192da16eecaa370

SHA256
56081f2f0196e45c1b826a68c0e30dc14093a8cccb9a08d89a5c51b94bda3012

SHA512
a88a59811a21110fc9eaae798a4194614c29dea4a77418bb93731b3437560841456a2e96f08ae3c238b088456b379f9c9b97793c2a986a3bd1ec21957d403ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sB98Tx0.exe
Filesize
378KB

MD5
2a3dcac5415aebc31b37fa7a662ff178

SHA1
9e7b23e4699a4598c020dc049192da16eecaa370

SHA256
56081f2f0196e45c1b826a68c0e30dc14093a8cccb9a08d89a5c51b94bda3012

SHA512
a88a59811a21110fc9eaae798a4194614c29dea4a77418bb93731b3437560841456a2e96f08ae3c238b088456b379f9c9b97793c2a986a3bd1ec21957d403ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yi534Re.exe
Filesize
231KB

MD5
b3299a04c0861404ba2abda8a3ac36cb

SHA1
f01c0185ca892c2a1c02d2f8ef8ecffdd0e6e449

SHA256
1be3f4de4e4d5b959e9474badc9fbf42f767768b1dcb10cfb2c2bd96cc5ddaf4

SHA512
52f7a17db0597cf96c6e1953e5c8589f6b48754f2fb2c22d941bd22389608ff4989b2a40ab657431a633f0c85d45e98eb046ffbc31f452e244a196bd921842b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yi534Re.exe
Filesize
231KB

MD5
b3299a04c0861404ba2abda8a3ac36cb

SHA1
f01c0185ca892c2a1c02d2f8ef8ecffdd0e6e449

SHA256
1be3f4de4e4d5b959e9474badc9fbf42f767768b1dcb10cfb2c2bd96cc5ddaf4

SHA512
52f7a17db0597cf96c6e1953e5c8589f6b48754f2fb2c22d941bd22389608ff4989b2a40ab657431a633f0c85d45e98eb046ffbc31f452e244a196bd921842b8

Download Submit
memory/2644-46-0x0000000007D00000-0x0000000007D92000-memory.dmp

Filesize
584KB

Download
memory/2644-43-0x0000000000EA0000-0x0000000000EDE000-memory.dmp

Filesize
248KB

Download
memory/2644-47-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

Filesize
64KB

Download
memory/2644-55-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

Filesize
64KB

Download
memory/2644-48-0x0000000007C80000-0x0000000007C8A000-memory.dmp

Filesize
40KB

Download
memory/2644-44-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/2644-45-0x0000000008210000-0x00000000087B4000-memory.dmp

Filesize
5.6MB

Download
memory/2644-49-0x0000000008DE0000-0x00000000093F8000-memory.dmp

Filesize
6.1MB

Download
memory/2644-54-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/2644-53-0x0000000007FD0000-0x000000000801C000-memory.dmp

Filesize
304KB

Download
memory/2644-52-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/2644-50-0x0000000008060000-0x000000000816A000-memory.dmp

Filesize
1.0MB

Download
memory/2644-51-0x0000000007E00000-0x0000000007E12000-memory.dmp

Filesize
72KB

Download
memory/5052-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5052-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5052-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5052-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download