mystic | 2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 10:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe
Size

1.2MB
MD5

937916150d8513b0b36b7ed09531a16b
SHA1

7c7d32446134a5a83296843b1b1bc07a043e7282
SHA256

2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3
SHA512

f62dcf2e32c1f8336864ab1fe87b528da8db258770754a35f586ef74f6e9b83fa5afa99134ba0e0cb62ef2c02ecf78fb0924f4d418c97a213c104d0387ce7577
SSDEEP

24576:JyjTyoLOOvQwWOa7OVVYowk042oi9He2RfO2BkNd5nvA1PZ:8XtjvQpOmsYnkQof2RL65Y1P

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1820-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1820-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1820-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1820-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023269-41.dat	family_redline
behavioral1/files/0x0006000000023269-42.dat	family_redline
behavioral1/memory/3584-44-0x0000000000120000-0x000000000015E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3740	Ol6Sb7wa.exe
4216	ck7mW6jU.exe
632	am7Yo2Ra.exe
2744	kL6DP3Pw.exe
2956	1Qe89VJ0.exe
3584	2Am699NQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	am7Yo2Ra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kL6DP3Pw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ol6Sb7wa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ck7mW6jU.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 1820	2956	1Qe89VJ0.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
912	1820	WerFault.exe	93
4736	2956	WerFault.exe	90

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3740	4448	2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe	85
PID 4448 wrote to memory of 3740	4448	2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe	85
PID 4448 wrote to memory of 3740	4448	2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe	85
PID 3740 wrote to memory of 4216	3740	Ol6Sb7wa.exe	87
PID 3740 wrote to memory of 4216	3740	Ol6Sb7wa.exe	87
PID 3740 wrote to memory of 4216	3740	Ol6Sb7wa.exe	87
PID 4216 wrote to memory of 632	4216	ck7mW6jU.exe	88
PID 4216 wrote to memory of 632	4216	ck7mW6jU.exe	88
PID 4216 wrote to memory of 632	4216	ck7mW6jU.exe	88
PID 632 wrote to memory of 2744	632	am7Yo2Ra.exe	89
PID 632 wrote to memory of 2744	632	am7Yo2Ra.exe	89
PID 632 wrote to memory of 2744	632	am7Yo2Ra.exe	89
PID 2744 wrote to memory of 2956	2744	kL6DP3Pw.exe	90
PID 2744 wrote to memory of 2956	2744	kL6DP3Pw.exe	90
PID 2744 wrote to memory of 2956	2744	kL6DP3Pw.exe	90
PID 2956 wrote to memory of 716	2956	1Qe89VJ0.exe	92
PID 2956 wrote to memory of 716	2956	1Qe89VJ0.exe	92
PID 2956 wrote to memory of 716	2956	1Qe89VJ0.exe	92
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2956 wrote to memory of 1820	2956	1Qe89VJ0.exe	93
PID 2744 wrote to memory of 3584	2744	kL6DP3Pw.exe	99
PID 2744 wrote to memory of 3584	2744	kL6DP3Pw.exe	99
PID 2744 wrote to memory of 3584	2744	kL6DP3Pw.exe	99

C:\Users\Admin\AppData\Local\Temp\2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe
"C:\Users\Admin\AppData\Local\Temp\2b168dc536fc2abd0454840c703e55cf7a16d76f6a25af008b7fa32bd9922ba3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ol6Sb7wa.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ol6Sb7wa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ck7mW6jU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ck7mW6jU.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\am7Yo2Ra.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\am7Yo2Ra.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kL6DP3Pw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kL6DP3Pw.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qe89VJ0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qe89VJ0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 540
        8⤵
        Program crash
        
        PID:912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 616
        7⤵
        Program crash
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Am699NQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Am699NQ.exe
        6⤵
        Executes dropped EXE
        
        PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2956 -ip 2956
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1820 -ip 1820
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ol6Sb7wa.exe

Filesize
1.0MB

MD5
45692578afa962dfcce4c297159065b1

SHA1
ea8f873178b8d8b238f5f65905712432319db6d0

SHA256
75ecc2c5f2cc2062ed5b213fac61bb986870815c1a0d49872c9220e702fb9d7e

SHA512
dee88bb92d884a4f4eab618e2095e627d90e86103cc5a51ec1deca014b8008f4ac0fc9e93bb9d8634789ed15b568fba66cdeed3b1b112343f567962657c463b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ol6Sb7wa.exe

Filesize
1.0MB

MD5
45692578afa962dfcce4c297159065b1

SHA1
ea8f873178b8d8b238f5f65905712432319db6d0

SHA256
75ecc2c5f2cc2062ed5b213fac61bb986870815c1a0d49872c9220e702fb9d7e

SHA512
dee88bb92d884a4f4eab618e2095e627d90e86103cc5a51ec1deca014b8008f4ac0fc9e93bb9d8634789ed15b568fba66cdeed3b1b112343f567962657c463b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ck7mW6jU.exe

Filesize
884KB

MD5
f9bb069160eeb83dadf7e04088b09b83

SHA1
f63eb04d5a787aa7efd4c0475072e0fb3e059f21

SHA256
2d4a4fd626a69a01006380cbc6d0c9fa1de04100cea40f8620fd4af154eb6a15

SHA512
79a1333e5c935a403a4c29d9cfa166b236830ed34ed34aaf8a32b5c8f6f7a97b0111ae09fb5191ff215a49e0b87130eddedf6fc50c3f124d560132ab8b0febd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ck7mW6jU.exe

Filesize
884KB

MD5
f9bb069160eeb83dadf7e04088b09b83

SHA1
f63eb04d5a787aa7efd4c0475072e0fb3e059f21

SHA256
2d4a4fd626a69a01006380cbc6d0c9fa1de04100cea40f8620fd4af154eb6a15

SHA512
79a1333e5c935a403a4c29d9cfa166b236830ed34ed34aaf8a32b5c8f6f7a97b0111ae09fb5191ff215a49e0b87130eddedf6fc50c3f124d560132ab8b0febd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\am7Yo2Ra.exe

Filesize
590KB

MD5
c1678172102e37275e87c32053893a32

SHA1
d836e3709a7240aa860ecc0e94cd4d8b21c9aa34

SHA256
5fc30253ea3b545a2b74b02d7d66e269ce9b61cc0c689bd74c7631f468e5aad9

SHA512
75afd509e7f1a7891c9f84d863fed9c6a12d4c7702926d749591204486151575dcf554d57fa7a8e0c7cbd89ac1ebe2eb5681aaedbd096901013bd25f33aa0461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\am7Yo2Ra.exe

Filesize
590KB

MD5
c1678172102e37275e87c32053893a32

SHA1
d836e3709a7240aa860ecc0e94cd4d8b21c9aa34

SHA256
5fc30253ea3b545a2b74b02d7d66e269ce9b61cc0c689bd74c7631f468e5aad9

SHA512
75afd509e7f1a7891c9f84d863fed9c6a12d4c7702926d749591204486151575dcf554d57fa7a8e0c7cbd89ac1ebe2eb5681aaedbd096901013bd25f33aa0461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kL6DP3Pw.exe

Filesize
417KB

MD5
fe1e5d5f55733a55377c6f03abb9617a

SHA1
d19e21e0e5bb061b85a2972ca1f9f14fe8a66106

SHA256
3df4d5fd83d69304250be86af292a70bd936e6737fa2ed5be48d1cff13470332

SHA512
cc79efabe32fa1490bf20995526b0032f8583dd89fe64b0c0246cc7628c6722a18b66783f40039bda738ef652f0aff8c919a7c510558b86c5767215853c3d16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kL6DP3Pw.exe

Filesize
417KB

MD5
fe1e5d5f55733a55377c6f03abb9617a

SHA1
d19e21e0e5bb061b85a2972ca1f9f14fe8a66106

SHA256
3df4d5fd83d69304250be86af292a70bd936e6737fa2ed5be48d1cff13470332

SHA512
cc79efabe32fa1490bf20995526b0032f8583dd89fe64b0c0246cc7628c6722a18b66783f40039bda738ef652f0aff8c919a7c510558b86c5767215853c3d16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qe89VJ0.exe

Filesize
378KB

MD5
52b73fee9b26ad0159de6bdd10709654

SHA1
8586d97264b6dca97b3fda2e87bd6a6ece171491

SHA256
10ed24797a71bac85e05edb3de375f01b2ede2e370769594c53669710cf51c73

SHA512
37d0b3328677f721d4ebda5c8eef01a5f627f8c19f6720b7b45983c55054b0aa7df3a3bb8a5563d5c87a97b0123fa191789749369ce8d168eac6a54fe59541dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qe89VJ0.exe

Filesize
378KB

MD5
52b73fee9b26ad0159de6bdd10709654

SHA1
8586d97264b6dca97b3fda2e87bd6a6ece171491

SHA256
10ed24797a71bac85e05edb3de375f01b2ede2e370769594c53669710cf51c73

SHA512
37d0b3328677f721d4ebda5c8eef01a5f627f8c19f6720b7b45983c55054b0aa7df3a3bb8a5563d5c87a97b0123fa191789749369ce8d168eac6a54fe59541dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Am699NQ.exe

Filesize
231KB

MD5
9680fc4279afb06da2f3f735d3aae255

SHA1
780bc612ef7d497b720dcbdd4f41ddb5b75e3aac

SHA256
6f2cd70590231e6eb78c185695c1e543f97195499517b6dbddfcfb368aa560ab

SHA512
bbf38113a46404018619f84baba1f3e54153f996552830e7740449996c47eb50f62159549987cc7c16b23813ed0dfdcdad967b50fbd5819891dee1e61fcef351

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Am699NQ.exe

Filesize
231KB

MD5
9680fc4279afb06da2f3f735d3aae255

SHA1
780bc612ef7d497b720dcbdd4f41ddb5b75e3aac

SHA256
6f2cd70590231e6eb78c185695c1e543f97195499517b6dbddfcfb368aa560ab

SHA512
bbf38113a46404018619f84baba1f3e54153f996552830e7740449996c47eb50f62159549987cc7c16b23813ed0dfdcdad967b50fbd5819891dee1e61fcef351

Download Submit
memory/1820-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1820-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1820-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1820-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3584-46-0x0000000006EA0000-0x0000000006F32000-memory.dmp

Filesize
584KB

Download
memory/3584-44-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/3584-45-0x0000000007350000-0x00000000078F4000-memory.dmp

Filesize
5.6MB

Download
memory/3584-43-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3584-47-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/3584-48-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/3584-49-0x0000000007F20000-0x0000000008538000-memory.dmp

Filesize
6.1MB

Download
memory/3584-50-0x0000000007900000-0x0000000007A0A000-memory.dmp

Filesize
1.0MB

Download
memory/3584-51-0x0000000007170000-0x0000000007182000-memory.dmp

Filesize
72KB

Download
memory/3584-52-0x00000000071D0000-0x000000000720C000-memory.dmp

Filesize
240KB

Download
memory/3584-53-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3584-54-0x0000000007210000-0x000000000725C000-memory.dmp

Filesize
304KB

Download
memory/3584-55-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads