mystic | 51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe
Size

1.2MB
MD5

0ba153f15487abaf082f38fce0ea892c
SHA1

dcbb80fa5443f5859df36dcdfcf5887be81963f3
SHA256

51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd
SHA512

958d83ac451734341cd1918df98355b977a881217bcbf0b190234f4dcf2939dfbaeb0f2970364fec980d3c4e6c538282ab552d3ec2b60bacfb99827f94ff0c5e
SSDEEP

24576:ayMejniKxpNghNBSo2+vrc+3AZUGjzcoKTuwX:hMeT3nNE7vofyG/cnv

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4576-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4576-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4576-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4576-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023202-41.dat	family_redline
behavioral2/files/0x0006000000023202-42.dat	family_redline
behavioral2/memory/2676-43-0x0000000000E20000-0x0000000000E5E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3796	zn9OS8nH.exe
1684	fh6jN0tH.exe
4744	Oe3Bz9cG.exe
2476	Mc3wm8LH.exe
3048	1Rk58Rg8.exe
2676	2Oe911If.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fh6jN0tH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Oe3Bz9cG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Mc3wm8LH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zn9OS8nH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 4576	3048	1Rk58Rg8.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4304	4576	WerFault.exe	94
5044	3048	WerFault.exe	91

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 3796	2496	NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe	86
PID 2496 wrote to memory of 3796	2496	NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe	86
PID 2496 wrote to memory of 3796	2496	NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe	86
PID 3796 wrote to memory of 1684	3796	zn9OS8nH.exe	87
PID 3796 wrote to memory of 1684	3796	zn9OS8nH.exe	87
PID 3796 wrote to memory of 1684	3796	zn9OS8nH.exe	87
PID 1684 wrote to memory of 4744	1684	fh6jN0tH.exe	88
PID 1684 wrote to memory of 4744	1684	fh6jN0tH.exe	88
PID 1684 wrote to memory of 4744	1684	fh6jN0tH.exe	88
PID 4744 wrote to memory of 2476	4744	Oe3Bz9cG.exe	90
PID 4744 wrote to memory of 2476	4744	Oe3Bz9cG.exe	90
PID 4744 wrote to memory of 2476	4744	Oe3Bz9cG.exe	90
PID 2476 wrote to memory of 3048	2476	Mc3wm8LH.exe	91
PID 2476 wrote to memory of 3048	2476	Mc3wm8LH.exe	91
PID 2476 wrote to memory of 3048	2476	Mc3wm8LH.exe	91
PID 3048 wrote to memory of 4224	3048	1Rk58Rg8.exe	93
PID 3048 wrote to memory of 4224	3048	1Rk58Rg8.exe	93
PID 3048 wrote to memory of 4224	3048	1Rk58Rg8.exe	93
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 3048 wrote to memory of 4576	3048	1Rk58Rg8.exe	94
PID 2476 wrote to memory of 2676	2476	Mc3wm8LH.exe	103
PID 2476 wrote to memory of 2676	2476	Mc3wm8LH.exe	103
PID 2476 wrote to memory of 2676	2476	Mc3wm8LH.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.51026221011afbd8c473f72b9fa151e679b945193274eb1a709c6a442d2837cd_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zn9OS8nH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zn9OS8nH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fh6jN0tH.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fh6jN0tH.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oe3Bz9cG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oe3Bz9cG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mc3wm8LH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mc3wm8LH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rk58Rg8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rk58Rg8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 540
        8⤵
        Program crash
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 624
        7⤵
        Program crash
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oe911If.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oe911If.exe
        6⤵
        Executes dropped EXE
        
        PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3048 -ip 3048
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4576 -ip 4576
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zn9OS8nH.exe

Filesize
1.0MB

MD5
3f59245cad7ff4170a54d0458d276c86

SHA1
9b99db450c8c18765e8e1ef829dd271b4a557b07

SHA256
c9324901b5ab133e50247307938a63329d2d4f268668e8b9f369598a95308442

SHA512
dde65ea26c9bc08326faa74c9b7b4974979613407248274d192d5caa67ba81aa8041e7bf835bea06cf8a8b336efa3db79e5022f87fe5fe46ea1ec994ef132fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zn9OS8nH.exe

Filesize
1.0MB

MD5
3f59245cad7ff4170a54d0458d276c86

SHA1
9b99db450c8c18765e8e1ef829dd271b4a557b07

SHA256
c9324901b5ab133e50247307938a63329d2d4f268668e8b9f369598a95308442

SHA512
dde65ea26c9bc08326faa74c9b7b4974979613407248274d192d5caa67ba81aa8041e7bf835bea06cf8a8b336efa3db79e5022f87fe5fe46ea1ec994ef132fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fh6jN0tH.exe

Filesize
884KB

MD5
9af25c8dc5e9b2fb5f0edfd8203a2cc1

SHA1
aad3e95407ff51055f7d30cb099de0a6239061ca

SHA256
39958b623fcbd1ec8835dd872edd14c61f93d545b4f929962af6951f00474006

SHA512
feb80bfe16c8006db328502019ef7d88ae8c9c6c0b18a12dafdb7695fdf5c9f98c4d8a2e8456426d50099a60acb7f3dd126ab2bfe5b58ad34703dd15e05badca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fh6jN0tH.exe

Filesize
884KB

MD5
9af25c8dc5e9b2fb5f0edfd8203a2cc1

SHA1
aad3e95407ff51055f7d30cb099de0a6239061ca

SHA256
39958b623fcbd1ec8835dd872edd14c61f93d545b4f929962af6951f00474006

SHA512
feb80bfe16c8006db328502019ef7d88ae8c9c6c0b18a12dafdb7695fdf5c9f98c4d8a2e8456426d50099a60acb7f3dd126ab2bfe5b58ad34703dd15e05badca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oe3Bz9cG.exe

Filesize
590KB

MD5
c8cde8e506ccdde91cfe0986d7b87f9d

SHA1
d3c593956763b1bc51b08b0e94ff8995d774765d

SHA256
b06879af7e617fc092d97f200cd2cd2e1c324347d21735f97f86fd8720444783

SHA512
916d87afb33e215b3447cfbb19c454ef9689611a8e59115d753bd53550fd5484ccb9e4fac71d5686d5001e9bfc74fade521539c2c9f8625551d79463506846aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oe3Bz9cG.exe

Filesize
590KB

MD5
c8cde8e506ccdde91cfe0986d7b87f9d

SHA1
d3c593956763b1bc51b08b0e94ff8995d774765d

SHA256
b06879af7e617fc092d97f200cd2cd2e1c324347d21735f97f86fd8720444783

SHA512
916d87afb33e215b3447cfbb19c454ef9689611a8e59115d753bd53550fd5484ccb9e4fac71d5686d5001e9bfc74fade521539c2c9f8625551d79463506846aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mc3wm8LH.exe

Filesize
417KB

MD5
a30cd56153af726fd93165130b266e24

SHA1
46c980ff58548f84db2f63c9c7dfa6e92157d7d2

SHA256
213d14eb03924cae738679e041e69c47f29f7923cc103d5043925275994cacb7

SHA512
939b42ef6c4e4dc1f18b10f393ef3d6c6d8f9a4b0f860fc93b2058bda2f989c42b71f5dec52a5d544806ad483e20e27fd8d84cb08e537e3bb1781cc7f8e7c1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mc3wm8LH.exe

Filesize
417KB

MD5
a30cd56153af726fd93165130b266e24

SHA1
46c980ff58548f84db2f63c9c7dfa6e92157d7d2

SHA256
213d14eb03924cae738679e041e69c47f29f7923cc103d5043925275994cacb7

SHA512
939b42ef6c4e4dc1f18b10f393ef3d6c6d8f9a4b0f860fc93b2058bda2f989c42b71f5dec52a5d544806ad483e20e27fd8d84cb08e537e3bb1781cc7f8e7c1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rk58Rg8.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Rk58Rg8.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oe911If.exe

Filesize
231KB

MD5
7e9764f303422bcf6affb8e67f91a202

SHA1
0ccfa018096f002d26ee76d67ec24751b10ea47d

SHA256
46d7ede41ebb9118cc364c7161b26b9cfd59d669dedb3a8d78b87431e12e579c

SHA512
87dca93ee919c3d89b7f0155153c328c144bf615fe0c474bedf19e77049e8182a9440fcd05a3a842b518107d3e9adcd521449bb28ceea2136fe4be4e12f4b8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oe911If.exe

Filesize
231KB

MD5
7e9764f303422bcf6affb8e67f91a202

SHA1
0ccfa018096f002d26ee76d67ec24751b10ea47d

SHA256
46d7ede41ebb9118cc364c7161b26b9cfd59d669dedb3a8d78b87431e12e579c

SHA512
87dca93ee919c3d89b7f0155153c328c144bf615fe0c474bedf19e77049e8182a9440fcd05a3a842b518107d3e9adcd521449bb28ceea2136fe4be4e12f4b8e3

Download Submit
memory/2676-46-0x0000000007D40000-0x0000000007DD2000-memory.dmp

Filesize
584KB

Download
memory/2676-48-0x0000000007EE0000-0x0000000007EEA000-memory.dmp

Filesize
40KB

Download
memory/2676-55-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/2676-54-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/2676-43-0x0000000000E20000-0x0000000000E5E000-memory.dmp

Filesize
248KB

Download
memory/2676-44-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/2676-45-0x0000000008250000-0x00000000087F4000-memory.dmp

Filesize
5.6MB

Download
memory/2676-53-0x0000000008070000-0x00000000080BC000-memory.dmp

Filesize
304KB

Download
memory/2676-52-0x0000000008030000-0x000000000806C000-memory.dmp

Filesize
240KB

Download
memory/2676-49-0x0000000008E20000-0x0000000009438000-memory.dmp

Filesize
6.1MB

Download
memory/2676-47-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/2676-50-0x00000000080E0000-0x00000000081EA000-memory.dmp

Filesize
1.0MB

Download
memory/2676-51-0x0000000007FD0000-0x0000000007FE2000-memory.dmp

Filesize
72KB

Download
memory/4576-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4576-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4576-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4576-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads