mystic | 301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe
Size

1.2MB
MD5

4ba30a08673fd97bcaeb27d725be1d2b
SHA1

9b5386126bd576af3af8aa7ae6e0475db49a11a9
SHA256

301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2
SHA512

733d3f779a5e29f48acfcfb9bf3c677884bba0926b05567ca2fc83b93f90539ba3667530218409a0ebfe52d22055d55f64ce39e29283e59056c7f08c8ac83243
SSDEEP

24576:XyO7T9Em/2HLhKM4mO+6YW+01hdA/KgMHdDVM5Ferg:iO72HLhhD6BFQKlHdDVM5Mr

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2104-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2104-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2104-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2104-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe	family_redline
behavioral2/memory/4112-43-0x0000000000B20000-0x0000000000B5E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

wO8Aq2lq.exena6tL7Pn.exeGZ3NJ9gf.exeZj9SX3Gs.exe1HH11RY2.exe2Hf972PA.exe

pid process

1620 wO8Aq2lq.exe
1180 na6tL7Pn.exe
3852 GZ3NJ9gf.exe
3884 Zj9SX3Gs.exe
64 1HH11RY2.exe
4112 2Hf972PA.exe

pid	process
1620	wO8Aq2lq.exe
1180	na6tL7Pn.exe
3852	GZ3NJ9gf.exe
3884	Zj9SX3Gs.exe
64	1HH11RY2.exe
4112	2Hf972PA.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

na6tL7Pn.exeGZ3NJ9gf.exeZj9SX3Gs.exeNEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exewO8Aq2lq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	na6tL7Pn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GZ3NJ9gf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Zj9SX3Gs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wO8Aq2lq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1HH11RY2.exe

description pid process target process

PID 64 set thread context of 2104 64 1HH11RY2.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

768 2104 WerFault.exe AppLaunch.exe
4224 64 WerFault.exe 1HH11RY2.exe

description	pid	process	target process
PID 64 set thread context of 2104	64	1HH11RY2.exe	AppLaunch.exe

pid	pid_target	process	target process
768	2104	WerFault.exe	AppLaunch.exe
4224	64	WerFault.exe	1HH11RY2.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exewO8Aq2lq.exena6tL7Pn.exeGZ3NJ9gf.exeZj9SX3Gs.exe1HH11RY2.exe

description	pid	process	target process
PID 1700 wrote to memory of 1620	1700	NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe	wO8Aq2lq.exe
PID 1700 wrote to memory of 1620	1700	NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe	wO8Aq2lq.exe
PID 1700 wrote to memory of 1620	1700	NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe	wO8Aq2lq.exe
PID 1620 wrote to memory of 1180	1620	wO8Aq2lq.exe	na6tL7Pn.exe
PID 1620 wrote to memory of 1180	1620	wO8Aq2lq.exe	na6tL7Pn.exe
PID 1620 wrote to memory of 1180	1620	wO8Aq2lq.exe	na6tL7Pn.exe
PID 1180 wrote to memory of 3852	1180	na6tL7Pn.exe	GZ3NJ9gf.exe
PID 1180 wrote to memory of 3852	1180	na6tL7Pn.exe	GZ3NJ9gf.exe
PID 1180 wrote to memory of 3852	1180	na6tL7Pn.exe	GZ3NJ9gf.exe
PID 3852 wrote to memory of 3884	3852	GZ3NJ9gf.exe	Zj9SX3Gs.exe
PID 3852 wrote to memory of 3884	3852	GZ3NJ9gf.exe	Zj9SX3Gs.exe
PID 3852 wrote to memory of 3884	3852	GZ3NJ9gf.exe	Zj9SX3Gs.exe
PID 3884 wrote to memory of 64	3884	Zj9SX3Gs.exe	1HH11RY2.exe
PID 3884 wrote to memory of 64	3884	Zj9SX3Gs.exe	1HH11RY2.exe
PID 3884 wrote to memory of 64	3884	Zj9SX3Gs.exe	1HH11RY2.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 64 wrote to memory of 2104	64	1HH11RY2.exe	AppLaunch.exe
PID 3884 wrote to memory of 4112	3884	Zj9SX3Gs.exe	2Hf972PA.exe
PID 3884 wrote to memory of 4112	3884	Zj9SX3Gs.exe	2Hf972PA.exe
PID 3884 wrote to memory of 4112	3884	Zj9SX3Gs.exe	2Hf972PA.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO8Aq2lq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO8Aq2lq.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\na6tL7Pn.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\na6tL7Pn.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ3NJ9gf.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ3NJ9gf.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj9SX3Gs.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj9SX3Gs.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HH11RY2.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HH11RY2.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 540
8⤵
- Program crash
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 136
7⤵
- Program crash
PID:4224

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe
6⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2104 -ip 2104
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 64 -ip 64
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO8Aq2lq.exe
Filesize
1.0MB

MD5
f3e5abe7edeba1eed973bd079976ac1b

SHA1
7f7637334c5da8dd6c1f608cd395d46df7c39642

SHA256
5a15203c1e5951cf9d4a97749c31308ba0ddb3c122f22ff089b3cfadc571892f

SHA512
62bbf66f3c2f469a45344b4d9cc99bee8f7bf617a26e3824fabd90110df468edcffad3314f2bec05c90521bda54e170c0886b2ec90c9bfd7ed7ab163524db77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO8Aq2lq.exe
Filesize
1.0MB

MD5
f3e5abe7edeba1eed973bd079976ac1b

SHA1
7f7637334c5da8dd6c1f608cd395d46df7c39642

SHA256
5a15203c1e5951cf9d4a97749c31308ba0ddb3c122f22ff089b3cfadc571892f

SHA512
62bbf66f3c2f469a45344b4d9cc99bee8f7bf617a26e3824fabd90110df468edcffad3314f2bec05c90521bda54e170c0886b2ec90c9bfd7ed7ab163524db77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\na6tL7Pn.exe
Filesize
885KB

MD5
83ab5b39ec2fcd55d695697e373cb55c

SHA1
593b5b65f6da80b620b6fc14c2e6f0f893172baf

SHA256
bbde4eb06fba00c9cfd38f849ecf86ae550c6f1dd4f0824798952e52636ec6bb

SHA512
d969bb28699958848f3e8555dafc2f47eb3428fc5c8a1d92709e202304cf23f051a4f0c55d3d4f6cb7867b31d42049e21f1a6a7bccc86558855965cc06bc4956

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\na6tL7Pn.exe
Filesize
885KB

MD5
83ab5b39ec2fcd55d695697e373cb55c

SHA1
593b5b65f6da80b620b6fc14c2e6f0f893172baf

SHA256
bbde4eb06fba00c9cfd38f849ecf86ae550c6f1dd4f0824798952e52636ec6bb

SHA512
d969bb28699958848f3e8555dafc2f47eb3428fc5c8a1d92709e202304cf23f051a4f0c55d3d4f6cb7867b31d42049e21f1a6a7bccc86558855965cc06bc4956

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ3NJ9gf.exe
Filesize
590KB

MD5
dd8c0898d75aa76eceb7f1a33be85708

SHA1
0c78577787cf4f0c83d005afaf70cbd65fbfc3c6

SHA256
0b8b7638a7bdb7de88011143da1f276110c5f108bcf8a4f0b8da81234f7a5fae

SHA512
9b3a3744d4678fa397977ba52e5400a790a7ef1f22906da8d93872edeaad0019b89905b0bb80de2898961e40efa323c700c863b0751e72b4e75cf43882554dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ3NJ9gf.exe
Filesize
590KB

MD5
dd8c0898d75aa76eceb7f1a33be85708

SHA1
0c78577787cf4f0c83d005afaf70cbd65fbfc3c6

SHA256
0b8b7638a7bdb7de88011143da1f276110c5f108bcf8a4f0b8da81234f7a5fae

SHA512
9b3a3744d4678fa397977ba52e5400a790a7ef1f22906da8d93872edeaad0019b89905b0bb80de2898961e40efa323c700c863b0751e72b4e75cf43882554dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj9SX3Gs.exe
Filesize
417KB

MD5
e7dba880314e9f98816aa24b7319f532

SHA1
614373b62f25636d1f4f89ad4960300b9bed7b26

SHA256
ec53a9d3d894367786306e87248b550ecaae629cc97e8a2540861f9553a85a0c

SHA512
5368f75943eea01a3056a8e7d2f46c4c795ebc29bb7b9d3cf4ce182f5b0e2b69d9be1b373da24efbea4a829cf4d9afe01c5dc85ffc5ae68f84a50e6b0dd568bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj9SX3Gs.exe
Filesize
417KB

MD5
e7dba880314e9f98816aa24b7319f532

SHA1
614373b62f25636d1f4f89ad4960300b9bed7b26

SHA256
ec53a9d3d894367786306e87248b550ecaae629cc97e8a2540861f9553a85a0c

SHA512
5368f75943eea01a3056a8e7d2f46c4c795ebc29bb7b9d3cf4ce182f5b0e2b69d9be1b373da24efbea4a829cf4d9afe01c5dc85ffc5ae68f84a50e6b0dd568bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HH11RY2.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HH11RY2.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe
Filesize
231KB

MD5
92ef0d09e9f6c105cf16d9e22d4c98fe

SHA1
3fc8699c738c94b66ccf8269ec3c1b67613e2b64

SHA256
ba34a9737f2006969b525bb929aa1b8b714c9d344332c31b9c76d480be791e21

SHA512
139c7321f27b03dfbbe1ecd09275bca0b7a7c6c28bbb6a5b0b2859cd598578623129ae92e79a3246db16cb8c53eaf4c05d1a5ca7e7ab4575053718c946e3d645

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe
Filesize
231KB

MD5
92ef0d09e9f6c105cf16d9e22d4c98fe

SHA1
3fc8699c738c94b66ccf8269ec3c1b67613e2b64

SHA256
ba34a9737f2006969b525bb929aa1b8b714c9d344332c31b9c76d480be791e21

SHA512
139c7321f27b03dfbbe1ecd09275bca0b7a7c6c28bbb6a5b0b2859cd598578623129ae92e79a3246db16cb8c53eaf4c05d1a5ca7e7ab4575053718c946e3d645

Download Submit
memory/2104-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4112-46-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/4112-44-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/4112-45-0x0000000007E10000-0x00000000083B4000-memory.dmp

Filesize
5.6MB

Download
memory/4112-43-0x0000000000B20000-0x0000000000B5E000-memory.dmp

Filesize
248KB

Download
memory/4112-47-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/4112-48-0x00000000079A0000-0x00000000079AA000-memory.dmp

Filesize
40KB

Download
memory/4112-49-0x00000000089E0000-0x0000000008FF8000-memory.dmp

Filesize
6.1MB

Download
memory/4112-50-0x00000000083C0000-0x00000000084CA000-memory.dmp

Filesize
1.0MB

Download
memory/4112-51-0x0000000007CC0000-0x0000000007CD2000-memory.dmp

Filesize
72KB

Download
memory/4112-52-0x0000000007D20000-0x0000000007D5C000-memory.dmp

Filesize
240KB

Download
memory/4112-53-0x0000000007D60000-0x0000000007DAC000-memory.dmp

Filesize
304KB

Download
memory/4112-54-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/4112-55-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download