mystic | 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe
Size

1.2MB
MD5

3e687a14033b8ba0968ce86c415abe8e
SHA1

c5483168957df8fb20c9587148553c01953dd750
SHA256

198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9
SHA512

b60bec6ef664945bcdef20dde1a5904e5895abdb5fb91fcd19a68dc401ae43a53f9bbd67e7b56b1966d21e19cd22ebd4633c6ba200f2de81d5c4037478b4068f
SSDEEP

24576:UyjbRWpNSrTSgvWiRfSWA4gskS7cY7K0PxljuzTg5ST:jjbRBXZvWiVSGgsgalPxJP

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1980-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1980-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1980-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1980-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023212-41.dat	family_redline
behavioral2/files/0x0007000000023212-42.dat	family_redline
behavioral2/memory/2156-43-0x0000000000340000-0x000000000037E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3220	pb2Pk7LF.exe
3520	JP1JU5QT.exe
4748	jF5nI4Cy.exe
4540	xF3jq4bP.exe
948	1GG11Kk2.exe
2156	2pP673Rw.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pb2Pk7LF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	JP1JU5QT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jF5nI4Cy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	xF3jq4bP.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 1980	948	1GG11Kk2.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3324	1980	WerFault.exe	92
4648	948	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 3220	4304	NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe	86
PID 4304 wrote to memory of 3220	4304	NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe	86
PID 4304 wrote to memory of 3220	4304	NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe	86
PID 3220 wrote to memory of 3520	3220	pb2Pk7LF.exe	87
PID 3220 wrote to memory of 3520	3220	pb2Pk7LF.exe	87
PID 3220 wrote to memory of 3520	3220	pb2Pk7LF.exe	87
PID 3520 wrote to memory of 4748	3520	JP1JU5QT.exe	88
PID 3520 wrote to memory of 4748	3520	JP1JU5QT.exe	88
PID 3520 wrote to memory of 4748	3520	JP1JU5QT.exe	88
PID 4748 wrote to memory of 4540	4748	jF5nI4Cy.exe	89
PID 4748 wrote to memory of 4540	4748	jF5nI4Cy.exe	89
PID 4748 wrote to memory of 4540	4748	jF5nI4Cy.exe	89
PID 4540 wrote to memory of 948	4540	xF3jq4bP.exe	90
PID 4540 wrote to memory of 948	4540	xF3jq4bP.exe	90
PID 4540 wrote to memory of 948	4540	xF3jq4bP.exe	90
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 948 wrote to memory of 1980	948	1GG11Kk2.exe	92
PID 4540 wrote to memory of 2156	4540	xF3jq4bP.exe	99
PID 4540 wrote to memory of 2156	4540	xF3jq4bP.exe	99
PID 4540 wrote to memory of 2156	4540	xF3jq4bP.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 540
        8⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 160
        7⤵
        Program crash
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe
        6⤵
        Executes dropped EXE
        
        PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 948 -ip 948
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1980 -ip 1980
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe

Filesize
1.0MB

MD5
50396aa17d248d8afe74cf8f19a9c33f

SHA1
33bdd0fea1dbc5434c5edf34106af19ad76b825c

SHA256
1758bfee38a61d558e5e500b6cc4d6896eabe1b55f729591163da9a72a9f6e85

SHA512
beff0f6cee774e3fb8dcfdc0ef7a443cffed16ae40ead36aa51307a52d9fa0cd3ab7da6831e9cb5db84611f2f00cd5503061d22a4d4fa77aa2f38f470db14bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe

Filesize
1.0MB

MD5
50396aa17d248d8afe74cf8f19a9c33f

SHA1
33bdd0fea1dbc5434c5edf34106af19ad76b825c

SHA256
1758bfee38a61d558e5e500b6cc4d6896eabe1b55f729591163da9a72a9f6e85

SHA512
beff0f6cee774e3fb8dcfdc0ef7a443cffed16ae40ead36aa51307a52d9fa0cd3ab7da6831e9cb5db84611f2f00cd5503061d22a4d4fa77aa2f38f470db14bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe

Filesize
885KB

MD5
dcb7dd1183d028f3784e63f8a63dd11c

SHA1
0383498afbc0b7dc8405711712a18d6bb41af6f2

SHA256
7869320b7c531f801f0cf245cce512fe55f1cbedd1311665c356ad6bf314ede8

SHA512
83f588765502e7268d196f0a7ca1d0a27ea3330262a882712bbf2a2be33938bc2b775b59e2f9fcd7c9f12c34e5538b0f8a2b20c2b32a8509a69792377b01789f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe

Filesize
885KB

MD5
dcb7dd1183d028f3784e63f8a63dd11c

SHA1
0383498afbc0b7dc8405711712a18d6bb41af6f2

SHA256
7869320b7c531f801f0cf245cce512fe55f1cbedd1311665c356ad6bf314ede8

SHA512
83f588765502e7268d196f0a7ca1d0a27ea3330262a882712bbf2a2be33938bc2b775b59e2f9fcd7c9f12c34e5538b0f8a2b20c2b32a8509a69792377b01789f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe

Filesize
590KB

MD5
b02dee59706aa71090cfa2a67cc0c7ca

SHA1
d869ea683c563affb2b7041fdccca5b61d1141e3

SHA256
7eca710778bc8571155750f273a6fbfbd6ed218a394e95cb64620a3520bf70f2

SHA512
d7ea424df02d92fbb1ac8c7d35231cf888df4a82aa35583c2c5f6a7f8c83b3ef0fa833e95a630a37906fd88655653884703996022df97b7c251b7e39cd7b529a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe

Filesize
590KB

MD5
b02dee59706aa71090cfa2a67cc0c7ca

SHA1
d869ea683c563affb2b7041fdccca5b61d1141e3

SHA256
7eca710778bc8571155750f273a6fbfbd6ed218a394e95cb64620a3520bf70f2

SHA512
d7ea424df02d92fbb1ac8c7d35231cf888df4a82aa35583c2c5f6a7f8c83b3ef0fa833e95a630a37906fd88655653884703996022df97b7c251b7e39cd7b529a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe

Filesize
417KB

MD5
d6c90b9404be517719efb3e440559564

SHA1
e80a31033f5152ff7c99f77b54aabad49133fc67

SHA256
d57df80c79fcc09a425cbf698b5da027e320671a4def137fd8d152ca2b8b073d

SHA512
59bc81d46745ac68f86cee31c483701dd4388563975f390ac6e7edba4baab5bb97abc430b33c0f44b70f8bcb74af5d4a82e2e02f1242770711c9816ad1e77295

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe

Filesize
417KB

MD5
d6c90b9404be517719efb3e440559564

SHA1
e80a31033f5152ff7c99f77b54aabad49133fc67

SHA256
d57df80c79fcc09a425cbf698b5da027e320671a4def137fd8d152ca2b8b073d

SHA512
59bc81d46745ac68f86cee31c483701dd4388563975f390ac6e7edba4baab5bb97abc430b33c0f44b70f8bcb74af5d4a82e2e02f1242770711c9816ad1e77295

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe

Filesize
378KB

MD5
95ab34f204236ba37848cc9cc95405e1

SHA1
bb51007f4c622de6695c888b0ad77fd7d338d57c

SHA256
699f39018aace26083e65b195f12fb9440be99f4fd86b8a6c1fa01683dbe91f6

SHA512
180711f110f58ff84524075c132ca202274d5f8983aba1374b6f39dd86c572f950c36538da73b554df0b9935159a3bcbb5a39255acdc891e5d42a7d20574bf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe

Filesize
378KB

MD5
95ab34f204236ba37848cc9cc95405e1

SHA1
bb51007f4c622de6695c888b0ad77fd7d338d57c

SHA256
699f39018aace26083e65b195f12fb9440be99f4fd86b8a6c1fa01683dbe91f6

SHA512
180711f110f58ff84524075c132ca202274d5f8983aba1374b6f39dd86c572f950c36538da73b554df0b9935159a3bcbb5a39255acdc891e5d42a7d20574bf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe

Filesize
231KB

MD5
0f740d8c8f3e43861d9bdd866f9af0f9

SHA1
caa75992994504eda91b8b130962aa52ab922283

SHA256
6e24db519479cf96182b5ca743949c1205fa5218c4a69694019b388eea8c2206

SHA512
77f766ea7dd51469b7fd44fcb53b05ad2276dbcd43bb1f482d7b2b655275cf060e3cdb204ae1983aa9b48071143277d091ce62d16fde5f69bf6520169456146b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe

Filesize
231KB

MD5
0f740d8c8f3e43861d9bdd866f9af0f9

SHA1
caa75992994504eda91b8b130962aa52ab922283

SHA256
6e24db519479cf96182b5ca743949c1205fa5218c4a69694019b388eea8c2206

SHA512
77f766ea7dd51469b7fd44fcb53b05ad2276dbcd43bb1f482d7b2b655275cf060e3cdb204ae1983aa9b48071143277d091ce62d16fde5f69bf6520169456146b

Download Submit
memory/1980-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2156-46-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/2156-43-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/2156-45-0x0000000007710000-0x0000000007CB4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-44-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2156-47-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2156-48-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/2156-49-0x00000000082E0000-0x00000000088F8000-memory.dmp

Filesize
6.1MB

Download
memory/2156-50-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

Filesize
1.0MB

Download
memory/2156-51-0x00000000074D0000-0x00000000074E2000-memory.dmp

Filesize
72KB

Download
memory/2156-52-0x0000000007530000-0x000000000756C000-memory.dmp

Filesize
240KB

Download
memory/2156-53-0x0000000007570000-0x00000000075BC000-memory.dmp

Filesize
304KB

Download
memory/2156-54-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2156-55-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads