mystic | 575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe
Size

1.2MB
MD5

132634c45f4bfb7613cf7769a8ca51b6
SHA1

7e99fb81476af52c84815d058556e237f8bcd05d
SHA256

575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7
SHA512

8b6f36957dacbf7d5165825fb60f6e867b030c5c5564ac417ca7223b53945c0e0857ed83d0ce8a4036bae3df245b034ebbd3288c75dc79403bdb92c65f88a738
SSDEEP

24576:qylyzgqub1NU6PdWyF00XpD0A+T1NQnp+zmrOf6lszGjpe3KhTbSf:xlOo1NU6Y/0ZDnxmKszGjpe6

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2568-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2568-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2568-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2568-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb105Ti.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb105Ti.exe	family_redline
behavioral2/memory/4836-43-0x0000000000090000-0x00000000000CE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

NE9eY9XZ.exeTQ5QD7ZD.exeEh1qW6xm.exeeT7Hy0ig.exe1sO22SA3.exe2Yb105Ti.exe

pid process

460 NE9eY9XZ.exe
384 TQ5QD7ZD.exe
3276 Eh1qW6xm.exe
5088 eT7Hy0ig.exe
4776 1sO22SA3.exe
4836 2Yb105Ti.exe

pid	process
460	NE9eY9XZ.exe
384	TQ5QD7ZD.exe
3276	Eh1qW6xm.exe
5088	eT7Hy0ig.exe
4776	1sO22SA3.exe
4836	2Yb105Ti.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exeNE9eY9XZ.exeTQ5QD7ZD.exeEh1qW6xm.exeeT7Hy0ig.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NE9eY9XZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TQ5QD7ZD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Eh1qW6xm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	eT7Hy0ig.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1sO22SA3.exe

description pid process target process

PID 4776 set thread context of 2568 4776 1sO22SA3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4504 2568 WerFault.exe AppLaunch.exe
408 4776 WerFault.exe 1sO22SA3.exe

description	pid	process	target process
PID 4776 set thread context of 2568	4776	1sO22SA3.exe	AppLaunch.exe

pid	pid_target	process	target process
4504	2568	WerFault.exe	AppLaunch.exe
408	4776	WerFault.exe	1sO22SA3.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exeNE9eY9XZ.exeTQ5QD7ZD.exeEh1qW6xm.exeeT7Hy0ig.exe1sO22SA3.exe

description	pid	process	target process
PID 4100 wrote to memory of 460	4100	NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe	NE9eY9XZ.exe
PID 4100 wrote to memory of 460	4100	NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe	NE9eY9XZ.exe
PID 4100 wrote to memory of 460	4100	NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe	NE9eY9XZ.exe
PID 460 wrote to memory of 384	460	NE9eY9XZ.exe	TQ5QD7ZD.exe
PID 460 wrote to memory of 384	460	NE9eY9XZ.exe	TQ5QD7ZD.exe
PID 460 wrote to memory of 384	460	NE9eY9XZ.exe	TQ5QD7ZD.exe
PID 384 wrote to memory of 3276	384	TQ5QD7ZD.exe	Eh1qW6xm.exe
PID 384 wrote to memory of 3276	384	TQ5QD7ZD.exe	Eh1qW6xm.exe
PID 384 wrote to memory of 3276	384	TQ5QD7ZD.exe	Eh1qW6xm.exe
PID 3276 wrote to memory of 5088	3276	Eh1qW6xm.exe	eT7Hy0ig.exe
PID 3276 wrote to memory of 5088	3276	Eh1qW6xm.exe	eT7Hy0ig.exe
PID 3276 wrote to memory of 5088	3276	Eh1qW6xm.exe	eT7Hy0ig.exe
PID 5088 wrote to memory of 4776	5088	eT7Hy0ig.exe	1sO22SA3.exe
PID 5088 wrote to memory of 4776	5088	eT7Hy0ig.exe	1sO22SA3.exe
PID 5088 wrote to memory of 4776	5088	eT7Hy0ig.exe	1sO22SA3.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 4776 wrote to memory of 2568	4776	1sO22SA3.exe	AppLaunch.exe
PID 5088 wrote to memory of 4836	5088	eT7Hy0ig.exe	2Yb105Ti.exe
PID 5088 wrote to memory of 4836	5088	eT7Hy0ig.exe	2Yb105Ti.exe
PID 5088 wrote to memory of 4836	5088	eT7Hy0ig.exe	2Yb105Ti.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.575672d2a96bf9d67c38852b832e9faafdc27b03d7a962ee35518be0810ccfc7_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NE9eY9XZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NE9eY9XZ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TQ5QD7ZD.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TQ5QD7ZD.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh1qW6xm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh1qW6xm.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eT7Hy0ig.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eT7Hy0ig.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sO22SA3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sO22SA3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 540
8⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 156
7⤵
- Program crash
PID:408

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb105Ti.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb105Ti.exe
6⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4776 -ip 4776
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NE9eY9XZ.exe
Filesize
1.0MB

MD5
8cfc4aef1fb4425504540f13afb55cb0

SHA1
d9586705ecb0e63672751b1eff0481bf007ee8af

SHA256
690680e679dcb6e90d0ddb5062b5e1e42a37da6538ae3c77172880a8a3908e2b

SHA512
8a85c8a30a0ce3476b948c8a78dc2742815dcad36bd1222aa14d755b0baf5af19c440184571342a216e27046720a8603ea7ff8db5e8ebdf7b1b75d6993fe67fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NE9eY9XZ.exe
Filesize
1.0MB

MD5
8cfc4aef1fb4425504540f13afb55cb0

SHA1
d9586705ecb0e63672751b1eff0481bf007ee8af

SHA256
690680e679dcb6e90d0ddb5062b5e1e42a37da6538ae3c77172880a8a3908e2b

SHA512
8a85c8a30a0ce3476b948c8a78dc2742815dcad36bd1222aa14d755b0baf5af19c440184571342a216e27046720a8603ea7ff8db5e8ebdf7b1b75d6993fe67fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TQ5QD7ZD.exe
Filesize
884KB

MD5
1b84c535db061e7393cb68937bc408c2

SHA1
6b84211a2417dfbaf140adcaf0669011b195d98b

SHA256
dc6962223c2f579d00e7465d94f2a20a598e76bc1b28251bd72ac6288c364625

SHA512
42cdb781f4a77b1b8ecfa49b082c4b26c69c3cf0a97a1ac79dc98aecbfd964ff964a04849db671dfeb4de107c7586d73830e69106311d10d43b77629d4bd8f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TQ5QD7ZD.exe
Filesize
884KB

MD5
1b84c535db061e7393cb68937bc408c2

SHA1
6b84211a2417dfbaf140adcaf0669011b195d98b

SHA256
dc6962223c2f579d00e7465d94f2a20a598e76bc1b28251bd72ac6288c364625

SHA512
42cdb781f4a77b1b8ecfa49b082c4b26c69c3cf0a97a1ac79dc98aecbfd964ff964a04849db671dfeb4de107c7586d73830e69106311d10d43b77629d4bd8f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh1qW6xm.exe
Filesize
590KB

MD5
1810288ba1d5b4b59bcec664939757fe

SHA1
8a679dc013ad8e6c1405a09b41e3d4a3836e858d

SHA256
e088c4dac1c93edab41ab7f6f71732e95e2497fde0d115239ba5b92f40cb58b5

SHA512
9cd2bbb662f037506dddcfb2e5bdfd32c237247b489689df7d7cbfa55d1736b61e9086b9532a7d2ef8181aa1f7801ca12726c716d00c3a2ca4f3e872ef06ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh1qW6xm.exe
Filesize
590KB

MD5
1810288ba1d5b4b59bcec664939757fe

SHA1
8a679dc013ad8e6c1405a09b41e3d4a3836e858d

SHA256
e088c4dac1c93edab41ab7f6f71732e95e2497fde0d115239ba5b92f40cb58b5

SHA512
9cd2bbb662f037506dddcfb2e5bdfd32c237247b489689df7d7cbfa55d1736b61e9086b9532a7d2ef8181aa1f7801ca12726c716d00c3a2ca4f3e872ef06ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eT7Hy0ig.exe
Filesize
417KB

MD5
5499e6f557e0ae005782bc7a734045e3

SHA1
543ca46fcbed1088583fb8d06803b72ddc53b4bc

SHA256
dedac6680f181bc96085142e87bf48bb756c909858a286d010121efcc87072a7

SHA512
cd1b019332e59a3f59b8fd7b6751b066c6c9398b49431ccf60242109aa1dfd902710e736d6fe2c8a97c32e316d9d9d52b80d12a6862ea422f479c59b7164bbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eT7Hy0ig.exe
Filesize
417KB

MD5
5499e6f557e0ae005782bc7a734045e3

SHA1
543ca46fcbed1088583fb8d06803b72ddc53b4bc

SHA256
dedac6680f181bc96085142e87bf48bb756c909858a286d010121efcc87072a7

SHA512
cd1b019332e59a3f59b8fd7b6751b066c6c9398b49431ccf60242109aa1dfd902710e736d6fe2c8a97c32e316d9d9d52b80d12a6862ea422f479c59b7164bbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sO22SA3.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sO22SA3.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb105Ti.exe
Filesize
231KB

MD5
3c97798112f2b7c7c1c010fe316734d9

SHA1
4858de40ddb79a60f19463c96fae121645eaba5f

SHA256
54777d4bef5b191bd19f661f8c4dbb5a07dd1131d9fcebcb60b2e3de76e2ccf9

SHA512
0f2993df27a79c67cf974f8e4c7415f60ca0239b5891f1c71f84fb1f805e1e85aa9b01a0a8bf363afe5b57d6a09d48a96064fbe13be6b16ddb5ae883945b5286

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb105Ti.exe
Filesize
231KB

MD5
3c97798112f2b7c7c1c010fe316734d9

SHA1
4858de40ddb79a60f19463c96fae121645eaba5f

SHA256
54777d4bef5b191bd19f661f8c4dbb5a07dd1131d9fcebcb60b2e3de76e2ccf9

SHA512
0f2993df27a79c67cf974f8e4c7415f60ca0239b5891f1c71f84fb1f805e1e85aa9b01a0a8bf363afe5b57d6a09d48a96064fbe13be6b16ddb5ae883945b5286

Download Submit
memory/2568-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2568-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2568-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2568-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4836-46-0x0000000006E40000-0x0000000006ED2000-memory.dmp

Filesize
584KB

Download
memory/4836-43-0x0000000000090000-0x00000000000CE000-memory.dmp

Filesize
248KB

Download
memory/4836-45-0x0000000007350000-0x00000000078F4000-memory.dmp

Filesize
5.6MB

Download
memory/4836-44-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4836-47-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4836-48-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/4836-49-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4836-50-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4836-51-0x0000000007F20000-0x0000000008538000-memory.dmp

Filesize
6.1MB

Download
memory/4836-52-0x00000000071D0000-0x00000000072DA000-memory.dmp

Filesize
1.0MB

Download
memory/4836-53-0x0000000004920000-0x0000000004932000-memory.dmp

Filesize
72KB

Download
memory/4836-54-0x0000000004980000-0x00000000049BC000-memory.dmp

Filesize
240KB

Download
memory/4836-55-0x00000000049C0000-0x0000000004A0C000-memory.dmp

Filesize
304KB

Download