mystic | 209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0

Analysis

max time kernel
168s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe
Size

1.2MB
MD5

b1e96ac076f6e08dd5b103eb6720ee3d
SHA1

b0d5ccdf18767a4de814ca099c428d4482069988
SHA256

209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0
SHA512

6bb1b6cebc7e4904b8bcc8250e69fa2a646f20c5966e194a196d6d12c2c7c3090ebf2799ecefc80d04c3524d4e36c17557105d7addfd1c49288adf29f89f1ef6
SSDEEP

24576:gyvbYae6iXxAODqJHtsN+xQawaVQQoyJ:nve8O2htuH3aVQz

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3764-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3764-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3764-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3764-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KB807DS.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KB807DS.exe	family_redline
behavioral2/memory/4472-43-0x0000000000E10000-0x0000000000E4E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

bp4jT9uM.exegL6SV5Id.exetA7nA7gg.exelM3bB7bb.exe1Qn12uh3.exe2KB807DS.exe

pid process

3092 bp4jT9uM.exe
1700 gL6SV5Id.exe
3760 tA7nA7gg.exe
3948 lM3bB7bb.exe
2924 1Qn12uh3.exe
4472 2KB807DS.exe

pid	process
3092	bp4jT9uM.exe
1700	gL6SV5Id.exe
3760	tA7nA7gg.exe
3948	lM3bB7bb.exe
2924	1Qn12uh3.exe
4472	2KB807DS.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exebp4jT9uM.exegL6SV5Id.exetA7nA7gg.exelM3bB7bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bp4jT9uM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gL6SV5Id.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tA7nA7gg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	lM3bB7bb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Qn12uh3.exe

description pid process target process

PID 2924 set thread context of 3764 2924 1Qn12uh3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5040 2924 WerFault.exe 1Qn12uh3.exe
1028 3764 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2924 set thread context of 3764	2924	1Qn12uh3.exe	AppLaunch.exe

pid	pid_target	process	target process
5040	2924	WerFault.exe	1Qn12uh3.exe
1028	3764	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exebp4jT9uM.exegL6SV5Id.exetA7nA7gg.exelM3bB7bb.exe1Qn12uh3.exe

description	pid	process	target process
PID 2024 wrote to memory of 3092	2024	NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe	bp4jT9uM.exe
PID 2024 wrote to memory of 3092	2024	NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe	bp4jT9uM.exe
PID 2024 wrote to memory of 3092	2024	NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe	bp4jT9uM.exe
PID 3092 wrote to memory of 1700	3092	bp4jT9uM.exe	gL6SV5Id.exe
PID 3092 wrote to memory of 1700	3092	bp4jT9uM.exe	gL6SV5Id.exe
PID 3092 wrote to memory of 1700	3092	bp4jT9uM.exe	gL6SV5Id.exe
PID 1700 wrote to memory of 3760	1700	gL6SV5Id.exe	tA7nA7gg.exe
PID 1700 wrote to memory of 3760	1700	gL6SV5Id.exe	tA7nA7gg.exe
PID 1700 wrote to memory of 3760	1700	gL6SV5Id.exe	tA7nA7gg.exe
PID 3760 wrote to memory of 3948	3760	tA7nA7gg.exe	lM3bB7bb.exe
PID 3760 wrote to memory of 3948	3760	tA7nA7gg.exe	lM3bB7bb.exe
PID 3760 wrote to memory of 3948	3760	tA7nA7gg.exe	lM3bB7bb.exe
PID 3948 wrote to memory of 2924	3948	lM3bB7bb.exe	1Qn12uh3.exe
PID 3948 wrote to memory of 2924	3948	lM3bB7bb.exe	1Qn12uh3.exe
PID 3948 wrote to memory of 2924	3948	lM3bB7bb.exe	1Qn12uh3.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 2924 wrote to memory of 3764	2924	1Qn12uh3.exe	AppLaunch.exe
PID 3948 wrote to memory of 4472	3948	lM3bB7bb.exe	2KB807DS.exe
PID 3948 wrote to memory of 4472	3948	lM3bB7bb.exe	2KB807DS.exe
PID 3948 wrote to memory of 4472	3948	lM3bB7bb.exe	2KB807DS.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.209bf10cdb445c1647d24917f0f7fad1801b8a2ddcafb298d231b3189a398cd0_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp4jT9uM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp4jT9uM.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gL6SV5Id.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gL6SV5Id.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tA7nA7gg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tA7nA7gg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lM3bB7bb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lM3bB7bb.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn12uh3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn12uh3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 540
        8⤵
        Program crash
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 592
        7⤵
        Program crash
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KB807DS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KB807DS.exe
        6⤵
        Executes dropped EXE
        
        PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2924 -ip 2924
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3764 -ip 3764
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp4jT9uM.exe

Filesize
1.0MB

MD5
0de88f2323b3be2f7251a375c6ab33eb

SHA1
c2df2bfd944c4657852453a6ed13f17caac66ee1

SHA256
cd5a05c82fe99d0ed411a0cf607ee2688503afb261324c41c00ef1362bd39925

SHA512
ddfd7d505be7985a3e63051826f5e690c5cd804b1010f81d835b2383382e205dc0f8270d87b971664b7d39761dc723bcedd2f541509413d538bb174d1833bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp4jT9uM.exe

Filesize
1.0MB

MD5
0de88f2323b3be2f7251a375c6ab33eb

SHA1
c2df2bfd944c4657852453a6ed13f17caac66ee1

SHA256
cd5a05c82fe99d0ed411a0cf607ee2688503afb261324c41c00ef1362bd39925

SHA512
ddfd7d505be7985a3e63051826f5e690c5cd804b1010f81d835b2383382e205dc0f8270d87b971664b7d39761dc723bcedd2f541509413d538bb174d1833bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gL6SV5Id.exe

Filesize
884KB

MD5
5c1827e55024ec63ae47e5b2ca74475c

SHA1
641488787215a8dc76ae923618b583cd79986c18

SHA256
f90993ac8df46bf0533cb3871e45ac820ba1335acd386c6e08db61219a145048

SHA512
df09cb8871ac2c12998dd525971e78c20483c3ef96506c3b363e06af4570eef77d21be2bd1268a2584825a568d10042bc8bc8cec44cf6ca385403990dab5fd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gL6SV5Id.exe

Filesize
884KB

MD5
5c1827e55024ec63ae47e5b2ca74475c

SHA1
641488787215a8dc76ae923618b583cd79986c18

SHA256
f90993ac8df46bf0533cb3871e45ac820ba1335acd386c6e08db61219a145048

SHA512
df09cb8871ac2c12998dd525971e78c20483c3ef96506c3b363e06af4570eef77d21be2bd1268a2584825a568d10042bc8bc8cec44cf6ca385403990dab5fd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tA7nA7gg.exe

Filesize
590KB

MD5
54046877820bfb21b87a3bc46e7f876d

SHA1
35e32b28887c35cc5da7e20e1b83dd8576560458

SHA256
5eda5cbcc20aeafe1e47dae80b4d26187fd4376320348504a1e9b75b91c454b2

SHA512
4081b00f3821209de9ef11d607f53f7c4f7d0190883ae7032a83cc79111c21529e937269da4dd13c3912d8bb59ce5f6be2f85d7da3bda5b7e4790b5ffe52c286

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tA7nA7gg.exe

Filesize
590KB

MD5
54046877820bfb21b87a3bc46e7f876d

SHA1
35e32b28887c35cc5da7e20e1b83dd8576560458

SHA256
5eda5cbcc20aeafe1e47dae80b4d26187fd4376320348504a1e9b75b91c454b2

SHA512
4081b00f3821209de9ef11d607f53f7c4f7d0190883ae7032a83cc79111c21529e937269da4dd13c3912d8bb59ce5f6be2f85d7da3bda5b7e4790b5ffe52c286

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lM3bB7bb.exe

Filesize
417KB

MD5
41909123ce4ea83cc310415939150ce5

SHA1
a104239e7bd97961fda2a01601a4dd72be4c6c96

SHA256
240e71f111c8f46a50b9297b0ac8fe827a3168748929e3ed27057623a8c2201f

SHA512
295e9e3e8505177ff87831d2d33ee34c514ab21a414978147b4d6613b24035b6e30a093412d350fdd125773c3812be1075460870223d15f1ecb7909f41d4c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lM3bB7bb.exe

Filesize
417KB

MD5
41909123ce4ea83cc310415939150ce5

SHA1
a104239e7bd97961fda2a01601a4dd72be4c6c96

SHA256
240e71f111c8f46a50b9297b0ac8fe827a3168748929e3ed27057623a8c2201f

SHA512
295e9e3e8505177ff87831d2d33ee34c514ab21a414978147b4d6613b24035b6e30a093412d350fdd125773c3812be1075460870223d15f1ecb7909f41d4c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn12uh3.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn12uh3.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KB807DS.exe

Filesize
231KB

MD5
b42136c7fca5a0ca06ec66a54531da66

SHA1
23314c62d37db976a6d31b419c2862343a39602c

SHA256
a6386992dcd0d210931566d691ff1fc19aac5fdd3e574b93aad6e8ed23d9d26a

SHA512
1059a8138d445e27f0943b2bbd8293245c8b8ac828b45207aafeccc988b8be20573ca73d3b6b0d8311a49abeaa909ed062089b7ba68f565e20cdd2c01184c62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KB807DS.exe

Filesize
231KB

MD5
b42136c7fca5a0ca06ec66a54531da66

SHA1
23314c62d37db976a6d31b419c2862343a39602c

SHA256
a6386992dcd0d210931566d691ff1fc19aac5fdd3e574b93aad6e8ed23d9d26a

SHA512
1059a8138d445e27f0943b2bbd8293245c8b8ac828b45207aafeccc988b8be20573ca73d3b6b0d8311a49abeaa909ed062089b7ba68f565e20cdd2c01184c62a

Download Submit
memory/3764-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3764-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3764-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3764-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4472-46-0x0000000007BC0000-0x0000000007C52000-memory.dmp

Filesize
584KB

Download
memory/4472-44-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/4472-45-0x00000000080D0000-0x0000000008674000-memory.dmp

Filesize
5.6MB

Download
memory/4472-43-0x0000000000E10000-0x0000000000E4E000-memory.dmp

Filesize
248KB

Download
memory/4472-47-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download
memory/4472-48-0x0000000007C90000-0x0000000007C9A000-memory.dmp

Filesize
40KB

Download
memory/4472-49-0x0000000008CA0000-0x00000000092B8000-memory.dmp

Filesize
6.1MB

Download
memory/4472-50-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/4472-51-0x0000000007D70000-0x0000000007D82000-memory.dmp

Filesize
72KB

Download
memory/4472-52-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/4472-53-0x0000000007F20000-0x0000000007F6C000-memory.dmp

Filesize
304KB

Download
memory/4472-54-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/4472-55-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download