mystic | 19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 10:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe
Size

1.2MB
MD5

d4c23a8329fba7a56eba2411789af75b
SHA1

48a51891d5b1d6ad63f89667cc2a287a2932d50b
SHA256

19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1
SHA512

109ec8832cdeef157055d29b73245265cc762ba6062ac74ccd7a7108c116980f47c4fa03d667abe4c1d884f19870acf072affa344c5e1c563ceefd991747357a
SSDEEP

24576:8ysAqymZQP8sKZLI18NbVf6TG4M+EveufkpkDGPdRR1+Pgpctoayo6:rXVmK8DIib9GGjYkDGlf2CcaaX

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1588-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1588-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1588-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1588-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ee-41.dat	family_redline
behavioral2/files/0x00060000000231ee-42.dat	family_redline
behavioral2/memory/3208-43-0x0000000000080000-0x00000000000BE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1104	fu2Ak8bR.exe
2044	Ya3yB3iA.exe
3924	ZD2wO7IY.exe
1624	jP8oc3au.exe
4232	1zI67Cl5.exe
3208	2Up547ao.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jP8oc3au.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fu2Ak8bR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ya3yB3iA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZD2wO7IY.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 1588	4232	1zI67Cl5.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1676	4232	WerFault.exe	91
3232	1588	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1104	936	NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe	86
PID 936 wrote to memory of 1104	936	NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe	86
PID 936 wrote to memory of 1104	936	NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe	86
PID 1104 wrote to memory of 2044	1104	fu2Ak8bR.exe	88
PID 1104 wrote to memory of 2044	1104	fu2Ak8bR.exe	88
PID 1104 wrote to memory of 2044	1104	fu2Ak8bR.exe	88
PID 2044 wrote to memory of 3924	2044	Ya3yB3iA.exe	89
PID 2044 wrote to memory of 3924	2044	Ya3yB3iA.exe	89
PID 2044 wrote to memory of 3924	2044	Ya3yB3iA.exe	89
PID 3924 wrote to memory of 1624	3924	ZD2wO7IY.exe	90
PID 3924 wrote to memory of 1624	3924	ZD2wO7IY.exe	90
PID 3924 wrote to memory of 1624	3924	ZD2wO7IY.exe	90
PID 1624 wrote to memory of 4232	1624	jP8oc3au.exe	91
PID 1624 wrote to memory of 4232	1624	jP8oc3au.exe	91
PID 1624 wrote to memory of 4232	1624	jP8oc3au.exe	91
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 4232 wrote to memory of 1588	4232	1zI67Cl5.exe	93
PID 1624 wrote to memory of 3208	1624	jP8oc3au.exe	99
PID 1624 wrote to memory of 3208	1624	jP8oc3au.exe	99
PID 1624 wrote to memory of 3208	1624	jP8oc3au.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.19b4682054ef64045fbab452b18ade9e55da70fe53672e1db5b0ce8193e0e0d1_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu2Ak8bR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu2Ak8bR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya3yB3iA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya3yB3iA.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZD2wO7IY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZD2wO7IY.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jP8oc3au.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jP8oc3au.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zI67Cl5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zI67Cl5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 200
        8⤵
        Program crash
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 596
        7⤵
        Program crash
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Up547ao.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Up547ao.exe
        6⤵
        Executes dropped EXE
        
        PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4232 -ip 4232
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu2Ak8bR.exe

Filesize
1.0MB

MD5
e43be75a2f38702536ae8be892f6071d

SHA1
58fe2f1a9f866b0d6bc969a5ba33725af7024533

SHA256
2da199a6f930f6e21e1a38141135c378d1671180150168c9b39bcebca5f4f843

SHA512
04c3e3a012f578c7764d854301413828db9ccc48a124b70d86d6241d9e99aca1a20a831e02777db030d8094cfa724659bb6ef9cbb21d520fa00878cec719b4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu2Ak8bR.exe

Filesize
1.0MB

MD5
e43be75a2f38702536ae8be892f6071d

SHA1
58fe2f1a9f866b0d6bc969a5ba33725af7024533

SHA256
2da199a6f930f6e21e1a38141135c378d1671180150168c9b39bcebca5f4f843

SHA512
04c3e3a012f578c7764d854301413828db9ccc48a124b70d86d6241d9e99aca1a20a831e02777db030d8094cfa724659bb6ef9cbb21d520fa00878cec719b4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya3yB3iA.exe

Filesize
884KB

MD5
228cb70f255bdc745281fb629abd4e8b

SHA1
93974da5723d28de8b6bcb0ede4913e2569f0fdf

SHA256
99616d7e672460dbdc71551358ea4077c8cf32e61a3463102c720089cd47cfb3

SHA512
940d719887486b6e9e34fbf43ca49c641e41c1b774759f3aa9bdb9f55f62498dc00aeff05bc9e26c2ee2b24f9db77477e180b886e82b945d4c9033c2f8c21b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya3yB3iA.exe

Filesize
884KB

MD5
228cb70f255bdc745281fb629abd4e8b

SHA1
93974da5723d28de8b6bcb0ede4913e2569f0fdf

SHA256
99616d7e672460dbdc71551358ea4077c8cf32e61a3463102c720089cd47cfb3

SHA512
940d719887486b6e9e34fbf43ca49c641e41c1b774759f3aa9bdb9f55f62498dc00aeff05bc9e26c2ee2b24f9db77477e180b886e82b945d4c9033c2f8c21b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZD2wO7IY.exe

Filesize
590KB

MD5
d1e013a0dd079d63fff41c5869f6c9b8

SHA1
a10c675a23af4065cb1f9fe5438562475af5a33a

SHA256
e0857614821609f94115398af9c3c968d93233059200e06cd13657f74413c07f

SHA512
c793b24dc5cce007c0d9fd9e63bdc6881451ff5122a39a2514e8526323f20dcbad9ffa05ce43c1f368d2fa9b422c47bcf810179b8c808a9c279e21113e3b90e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZD2wO7IY.exe

Filesize
590KB

MD5
d1e013a0dd079d63fff41c5869f6c9b8

SHA1
a10c675a23af4065cb1f9fe5438562475af5a33a

SHA256
e0857614821609f94115398af9c3c968d93233059200e06cd13657f74413c07f

SHA512
c793b24dc5cce007c0d9fd9e63bdc6881451ff5122a39a2514e8526323f20dcbad9ffa05ce43c1f368d2fa9b422c47bcf810179b8c808a9c279e21113e3b90e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jP8oc3au.exe

Filesize
417KB

MD5
dc9fb4bb8393ba6dcb939b1d41ed6657

SHA1
25644b7cae0af1c5f5f3484628aa2501af0c2ff9

SHA256
3d3ec00ea2b8ab79113364ec7074e93e9d8e31bc97a952a663a80c44060313f8

SHA512
890d6236e712f999f4faa4718c97f71023b65e86c41b8774de07500159984ab498d82d9b6ab6c3cac1a20148801d83db4adbf5839e42b822fb4679adc536efe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jP8oc3au.exe

Filesize
417KB

MD5
dc9fb4bb8393ba6dcb939b1d41ed6657

SHA1
25644b7cae0af1c5f5f3484628aa2501af0c2ff9

SHA256
3d3ec00ea2b8ab79113364ec7074e93e9d8e31bc97a952a663a80c44060313f8

SHA512
890d6236e712f999f4faa4718c97f71023b65e86c41b8774de07500159984ab498d82d9b6ab6c3cac1a20148801d83db4adbf5839e42b822fb4679adc536efe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zI67Cl5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zI67Cl5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Up547ao.exe

Filesize
231KB

MD5
bf884611bb98b13c78c15c78b822fdd8

SHA1
4327c576c688fcf3e17e3f6b0e64238a2d4fafa9

SHA256
a51c3b6197065a0e297d8dea366a7b8ef55cfc29787de39974ae5affccaf734e

SHA512
f87f552961ccc7e382db85ffadf9a5beb20a1c7e2554f713ccff7fa1f92d95e88fafddebb950121a05d2afdea364c4f842c97a3d25c29db2bc21f8ed61990c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Up547ao.exe

Filesize
231KB

MD5
bf884611bb98b13c78c15c78b822fdd8

SHA1
4327c576c688fcf3e17e3f6b0e64238a2d4fafa9

SHA256
a51c3b6197065a0e297d8dea366a7b8ef55cfc29787de39974ae5affccaf734e

SHA512
f87f552961ccc7e382db85ffadf9a5beb20a1c7e2554f713ccff7fa1f92d95e88fafddebb950121a05d2afdea364c4f842c97a3d25c29db2bc21f8ed61990c1d

Download Submit
memory/1588-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1588-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1588-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1588-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3208-46-0x0000000006FF0000-0x0000000007082000-memory.dmp

Filesize
584KB

Download
memory/3208-43-0x0000000000080000-0x00000000000BE000-memory.dmp

Filesize
248KB

Download
memory/3208-45-0x0000000007500000-0x0000000007AA4000-memory.dmp

Filesize
5.6MB

Download
memory/3208-44-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3208-47-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/3208-48-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

Filesize
40KB

Download
memory/3208-49-0x00000000080D0000-0x00000000086E8000-memory.dmp

Filesize
6.1MB

Download
memory/3208-50-0x00000000073B0000-0x00000000074BA000-memory.dmp

Filesize
1.0MB

Download
memory/3208-51-0x0000000007210000-0x0000000007222000-memory.dmp

Filesize
72KB

Download
memory/3208-52-0x00000000072A0000-0x00000000072DC000-memory.dmp

Filesize
240KB

Download
memory/3208-53-0x0000000007240000-0x000000000728C000-memory.dmp

Filesize
304KB

Download
memory/3208-54-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3208-55-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads