mystic | 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8

Analysis

max time kernel
151s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe
Size

1.2MB
MD5

d70c46a0072fc1e0f94041d246d1a307
SHA1

b4a3a84383351e58bbc6bb48ecb637cee267006b
SHA256

1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8
SHA512

57fa598d5f53dfea90d313cf0d14cf1802d98293412bae1f6980ce5cfc61f882c87ffbb419e3bed6b84aebd6fd988bcbd967e340dc9b50a90a57da9f07c1def3
SSDEEP

24576:Yy4MSznBqLQn6kMjCV0KcxdA+XfzzxLxz+o30xumJJlZ5Yjsm:fhSdqLQXMfVxWqzzxLre/Zh

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3844-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3844-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3844-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3844-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QF864bC.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QF864bC.exe	family_redline
behavioral2/memory/700-44-0x0000000000E80000-0x0000000000EBE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

mc0TS7eZ.exetN5gx5ZB.exefG8Qp4EE.exeWe8on1Qk.exe1pz65pt1.exe2QF864bC.exe

pid process

4404 mc0TS7eZ.exe
1616 tN5gx5ZB.exe
2796 fG8Qp4EE.exe
1488 We8on1Qk.exe
576 1pz65pt1.exe
700 2QF864bC.exe

pid	process
4404	mc0TS7eZ.exe
1616	tN5gx5ZB.exe
2796	fG8Qp4EE.exe
1488	We8on1Qk.exe
576	1pz65pt1.exe
700	2QF864bC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mc0TS7eZ.exetN5gx5ZB.exefG8Qp4EE.exeWe8on1Qk.exeNEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mc0TS7eZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tN5gx5ZB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fG8Qp4EE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	We8on1Qk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1pz65pt1.exe

description pid process target process

PID 576 set thread context of 3844 576 1pz65pt1.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

968 576 WerFault.exe 1pz65pt1.exe
592 3844 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 576 set thread context of 3844	576	1pz65pt1.exe	AppLaunch.exe

pid	pid_target	process	target process
968	576	WerFault.exe	1pz65pt1.exe
592	3844	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exemc0TS7eZ.exetN5gx5ZB.exefG8Qp4EE.exeWe8on1Qk.exe1pz65pt1.exe

description	pid	process	target process
PID 4980 wrote to memory of 4404	4980	NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe	mc0TS7eZ.exe
PID 4980 wrote to memory of 4404	4980	NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe	mc0TS7eZ.exe
PID 4980 wrote to memory of 4404	4980	NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe	mc0TS7eZ.exe
PID 4404 wrote to memory of 1616	4404	mc0TS7eZ.exe	tN5gx5ZB.exe
PID 4404 wrote to memory of 1616	4404	mc0TS7eZ.exe	tN5gx5ZB.exe
PID 4404 wrote to memory of 1616	4404	mc0TS7eZ.exe	tN5gx5ZB.exe
PID 1616 wrote to memory of 2796	1616	tN5gx5ZB.exe	fG8Qp4EE.exe
PID 1616 wrote to memory of 2796	1616	tN5gx5ZB.exe	fG8Qp4EE.exe
PID 1616 wrote to memory of 2796	1616	tN5gx5ZB.exe	fG8Qp4EE.exe
PID 2796 wrote to memory of 1488	2796	fG8Qp4EE.exe	We8on1Qk.exe
PID 2796 wrote to memory of 1488	2796	fG8Qp4EE.exe	We8on1Qk.exe
PID 2796 wrote to memory of 1488	2796	fG8Qp4EE.exe	We8on1Qk.exe
PID 1488 wrote to memory of 576	1488	We8on1Qk.exe	1pz65pt1.exe
PID 1488 wrote to memory of 576	1488	We8on1Qk.exe	1pz65pt1.exe
PID 1488 wrote to memory of 576	1488	We8on1Qk.exe	1pz65pt1.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 576 wrote to memory of 3844	576	1pz65pt1.exe	AppLaunch.exe
PID 1488 wrote to memory of 700	1488	We8on1Qk.exe	2QF864bC.exe
PID 1488 wrote to memory of 700	1488	We8on1Qk.exe	2QF864bC.exe
PID 1488 wrote to memory of 700	1488	We8on1Qk.exe	2QF864bC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 540
8⤵
- Program crash
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 148
7⤵
- Program crash
PID:968

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QF864bC.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QF864bC.exe
6⤵
- Executes dropped EXE
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 576 -ip 576
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3844 -ip 3844
1⤵
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe
Filesize
1.0MB

MD5
82fa0b61cb3aa852ddd135fab8ea05ab

SHA1
c6ae6e27dd90806dd99b83899db68d38ab37a372

SHA256
8f594667b32dbf0b930f70ff8113dc510e8c872f80d7953a203179a3ebeb0d2e

SHA512
aa6627455843eccfceb9919777b9f5e9832293b76d9c0e1620437028d57ce3fea4775116495a4cfc719a8113875b56cb6e985e31cb31dcb88a8804dfc3b913e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe
Filesize
1.0MB

MD5
82fa0b61cb3aa852ddd135fab8ea05ab

SHA1
c6ae6e27dd90806dd99b83899db68d38ab37a372

SHA256
8f594667b32dbf0b930f70ff8113dc510e8c872f80d7953a203179a3ebeb0d2e

SHA512
aa6627455843eccfceb9919777b9f5e9832293b76d9c0e1620437028d57ce3fea4775116495a4cfc719a8113875b56cb6e985e31cb31dcb88a8804dfc3b913e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe
Filesize
884KB

MD5
d3f9c1faa7a01f825aaabd2b5b98970c

SHA1
fb4119e7f3d3e96d43d9f694e10cf12ee0c0e3ae

SHA256
0709711ff39f499d80d03d5f14b19e7137efa414e1a4571d0d892953c6fefa4e

SHA512
40187030302bc19af8d42cb2fcaeefc71480d555d46f3e694cd3a5773e3caeb563c533293d746e6697a0f04587d4200523b099a25c876efd09dbf07cfdc7ab54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe
Filesize
884KB

MD5
d3f9c1faa7a01f825aaabd2b5b98970c

SHA1
fb4119e7f3d3e96d43d9f694e10cf12ee0c0e3ae

SHA256
0709711ff39f499d80d03d5f14b19e7137efa414e1a4571d0d892953c6fefa4e

SHA512
40187030302bc19af8d42cb2fcaeefc71480d555d46f3e694cd3a5773e3caeb563c533293d746e6697a0f04587d4200523b099a25c876efd09dbf07cfdc7ab54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe
Filesize
590KB

MD5
93363bedaf9cd28aae401a6f5bada33b

SHA1
6c477f9ec39bc41e3e577d470b55587704b9208d

SHA256
664e4ec485dba8e32c03a20b68bc6b19883254721d083762abc57acc40686ccf

SHA512
d9947ace95a7c38171c8d3d309b38a7af97bfa23e9f77372078b06326501a54633d5798eb199e98d4e1c46991171eb504438234c873b42b2aa55a4f719946156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe
Filesize
590KB

MD5
93363bedaf9cd28aae401a6f5bada33b

SHA1
6c477f9ec39bc41e3e577d470b55587704b9208d

SHA256
664e4ec485dba8e32c03a20b68bc6b19883254721d083762abc57acc40686ccf

SHA512
d9947ace95a7c38171c8d3d309b38a7af97bfa23e9f77372078b06326501a54633d5798eb199e98d4e1c46991171eb504438234c873b42b2aa55a4f719946156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe
Filesize
417KB

MD5
0dc8f7d79cfade9c5dfe760eb92de13a

SHA1
6d258db018fc96ce7baea4be96e8b8db590a832d

SHA256
435aa84120a6944cc73c849059ea1cde5491583ccef37e2c3b78658ebca198cd

SHA512
c4c3eb9b5d4a4f3a6a1397af8a6d37a9808d6cb752d6d7cf9111af979dc07e5eef481e1d4079605185863362ea0b192e6b62dae6a591cbfdbdf863c06f7dc39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe
Filesize
417KB

MD5
0dc8f7d79cfade9c5dfe760eb92de13a

SHA1
6d258db018fc96ce7baea4be96e8b8db590a832d

SHA256
435aa84120a6944cc73c849059ea1cde5491583ccef37e2c3b78658ebca198cd

SHA512
c4c3eb9b5d4a4f3a6a1397af8a6d37a9808d6cb752d6d7cf9111af979dc07e5eef481e1d4079605185863362ea0b192e6b62dae6a591cbfdbdf863c06f7dc39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QF864bC.exe
Filesize
231KB

MD5
eeec1c738f5c64e26f42e1d77b29aae0

SHA1
49cd814625ce74f7c3e2e365d548c9dde081dd3f

SHA256
4652e83673b3c7af196353d9899a18f978c13028f604975065d754fd39a4a8a3

SHA512
7925084623e77211ed09b7da8ffab0e5de2f4c9d4598a13f62beeac03142b7b4dfcfa357c9f76c4d71ed3f1af4a2bae4f86a3a2f49fe6b8428e98c127f8e3c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QF864bC.exe
Filesize
231KB

MD5
eeec1c738f5c64e26f42e1d77b29aae0

SHA1
49cd814625ce74f7c3e2e365d548c9dde081dd3f

SHA256
4652e83673b3c7af196353d9899a18f978c13028f604975065d754fd39a4a8a3

SHA512
7925084623e77211ed09b7da8ffab0e5de2f4c9d4598a13f62beeac03142b7b4dfcfa357c9f76c4d71ed3f1af4a2bae4f86a3a2f49fe6b8428e98c127f8e3c83

Download Submit
memory/700-46-0x0000000007D70000-0x0000000007E02000-memory.dmp

Filesize
584KB

Download
memory/700-43-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/700-47-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/700-55-0x0000000008A40000-0x0000000008A8C000-memory.dmp

Filesize
304KB

Download
memory/700-48-0x0000000007F30000-0x0000000007F3A000-memory.dmp

Filesize
40KB

Download
memory/700-44-0x0000000000E80000-0x0000000000EBE000-memory.dmp

Filesize
248KB

Download
memory/700-45-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/700-49-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/700-54-0x0000000008240000-0x000000000827C000-memory.dmp

Filesize
240KB

Download
memory/700-53-0x00000000081E0000-0x00000000081F2000-memory.dmp

Filesize
72KB

Download
memory/700-52-0x0000000008830000-0x000000000893A000-memory.dmp

Filesize
1.0MB

Download
memory/700-50-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/700-51-0x0000000008E50000-0x0000000009468000-memory.dmp

Filesize
6.1MB

Download
memory/3844-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3844-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3844-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3844-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download