mystic | 35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0

Analysis

max time kernel
174s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe
Size

1.2MB
MD5

89a26436bab56e41e4afb25c6ff499ed
SHA1

943e678bfdae15d90b4c38831d41f3c11686c91e
SHA256

35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0
SHA512

da206fa610c8c754ec4a21ac50f35584d65cb6a248eb96e175ac44de4db1734f27a16672a568c51178232bd4915c14f36652b7469d33eeb98c051fef33fe2075
SSDEEP

24576:5yYyYM1Mi6mlwjuBQk6bLr1fkt3xnNodkhq9wB3npZ9ClZ:sYyY6M/mGLw2ZIH9

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4480-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4480-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4480-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4480-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KQ769nZ.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KQ769nZ.exe	family_redline
behavioral2/memory/4816-43-0x0000000000FF0000-0x000000000102E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

NQ4hd6Jq.exehD9RV8nX.exeXS7ZM9jX.exeaB9YA7Te.exe1uy08nd5.exe2KQ769nZ.exe

pid process

2040 NQ4hd6Jq.exe
3708 hD9RV8nX.exe
4592 XS7ZM9jX.exe
4824 aB9YA7Te.exe
3848 1uy08nd5.exe
4816 2KQ769nZ.exe

pid	process
2040	NQ4hd6Jq.exe
3708	hD9RV8nX.exe
4592	XS7ZM9jX.exe
4824	aB9YA7Te.exe
3848	1uy08nd5.exe
4816	2KQ769nZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exeNQ4hd6Jq.exehD9RV8nX.exeXS7ZM9jX.exeaB9YA7Te.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NQ4hd6Jq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hD9RV8nX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	XS7ZM9jX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aB9YA7Te.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1uy08nd5.exe

description pid process target process

PID 3848 set thread context of 4480 3848 1uy08nd5.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2068 4480 WerFault.exe AppLaunch.exe
1468 3848 WerFault.exe 1uy08nd5.exe

description	pid	process	target process
PID 3848 set thread context of 4480	3848	1uy08nd5.exe	AppLaunch.exe

pid	pid_target	process	target process
2068	4480	WerFault.exe	AppLaunch.exe
1468	3848	WerFault.exe	1uy08nd5.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exeNQ4hd6Jq.exehD9RV8nX.exeXS7ZM9jX.exeaB9YA7Te.exe1uy08nd5.exe

description	pid	process	target process
PID 1804 wrote to memory of 2040	1804	NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe	NQ4hd6Jq.exe
PID 1804 wrote to memory of 2040	1804	NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe	NQ4hd6Jq.exe
PID 1804 wrote to memory of 2040	1804	NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe	NQ4hd6Jq.exe
PID 2040 wrote to memory of 3708	2040	NQ4hd6Jq.exe	hD9RV8nX.exe
PID 2040 wrote to memory of 3708	2040	NQ4hd6Jq.exe	hD9RV8nX.exe
PID 2040 wrote to memory of 3708	2040	NQ4hd6Jq.exe	hD9RV8nX.exe
PID 3708 wrote to memory of 4592	3708	hD9RV8nX.exe	XS7ZM9jX.exe
PID 3708 wrote to memory of 4592	3708	hD9RV8nX.exe	XS7ZM9jX.exe
PID 3708 wrote to memory of 4592	3708	hD9RV8nX.exe	XS7ZM9jX.exe
PID 4592 wrote to memory of 4824	4592	XS7ZM9jX.exe	aB9YA7Te.exe
PID 4592 wrote to memory of 4824	4592	XS7ZM9jX.exe	aB9YA7Te.exe
PID 4592 wrote to memory of 4824	4592	XS7ZM9jX.exe	aB9YA7Te.exe
PID 4824 wrote to memory of 3848	4824	aB9YA7Te.exe	1uy08nd5.exe
PID 4824 wrote to memory of 3848	4824	aB9YA7Te.exe	1uy08nd5.exe
PID 4824 wrote to memory of 3848	4824	aB9YA7Te.exe	1uy08nd5.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 3848 wrote to memory of 4480	3848	1uy08nd5.exe	AppLaunch.exe
PID 4824 wrote to memory of 4816	4824	aB9YA7Te.exe	2KQ769nZ.exe
PID 4824 wrote to memory of 4816	4824	aB9YA7Te.exe	2KQ769nZ.exe
PID 4824 wrote to memory of 4816	4824	aB9YA7Te.exe	2KQ769nZ.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.35882445f7d20592fa0206bcd8675c7cedc00d69e633e598c47d2c2a7a3256c0_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ4hd6Jq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ4hd6Jq.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hD9RV8nX.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hD9RV8nX.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XS7ZM9jX.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XS7ZM9jX.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aB9YA7Te.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aB9YA7Te.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uy08nd5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uy08nd5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 568
8⤵
- Program crash
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 596
7⤵
- Program crash
PID:1468

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KQ769nZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KQ769nZ.exe
6⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3848 -ip 3848
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4480 -ip 4480
1⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ4hd6Jq.exe
Filesize
1.0MB

MD5
5363284b5468f75413d70146ccd9eace

SHA1
a71d2d09ce934b43f0b050fdf2b8184ef1e7315b

SHA256
3a0bdbc6ab9dd9aa53acf12d456781ea49e5ec077278db9dc778093783d375b0

SHA512
b1106af122a07894754cdb61283f33d46642c1b037959edbc51f4863497a4a779fa20488105335db9fd0f43959c67af756d25eaec1fa3cab3b91a568c4a16347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ4hd6Jq.exe
Filesize
1.0MB

MD5
5363284b5468f75413d70146ccd9eace

SHA1
a71d2d09ce934b43f0b050fdf2b8184ef1e7315b

SHA256
3a0bdbc6ab9dd9aa53acf12d456781ea49e5ec077278db9dc778093783d375b0

SHA512
b1106af122a07894754cdb61283f33d46642c1b037959edbc51f4863497a4a779fa20488105335db9fd0f43959c67af756d25eaec1fa3cab3b91a568c4a16347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hD9RV8nX.exe
Filesize
884KB

MD5
4131a66249649f5d2d7b26994069f68a

SHA1
a328c56684b0ae7726e966975bb8c34606acb1cf

SHA256
7969bcb09ebc9f9c7719f3d629dc5da56e6387543713052b0d6da986f373ce27

SHA512
9e5fff7b348ad82efc628a1033ccaa6a1c23ac8385bd1be092cddec761d8e6afcb96c482cce90c2ba2c59490ca89679bca092d45e7c40b841550725789d43e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hD9RV8nX.exe
Filesize
884KB

MD5
4131a66249649f5d2d7b26994069f68a

SHA1
a328c56684b0ae7726e966975bb8c34606acb1cf

SHA256
7969bcb09ebc9f9c7719f3d629dc5da56e6387543713052b0d6da986f373ce27

SHA512
9e5fff7b348ad82efc628a1033ccaa6a1c23ac8385bd1be092cddec761d8e6afcb96c482cce90c2ba2c59490ca89679bca092d45e7c40b841550725789d43e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XS7ZM9jX.exe
Filesize
590KB

MD5
868eeadc53e30457bc9c77fefdcc3be1

SHA1
805d0bb1c8f13e285681a29ebbe2b203f74eeb0c

SHA256
0df15e9f6070a740633f279620563e4f19995d2c51d74ffb45a1c1df94db32ee

SHA512
f57bfb99550328e46f5f78226c17f46d3991f4cc8ca52c5378a9e25a0f1a38bad517f38cde65dfa087c908ce83ab073a97847e97de30a6dd9817084e8dd5546c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XS7ZM9jX.exe
Filesize
590KB

MD5
868eeadc53e30457bc9c77fefdcc3be1

SHA1
805d0bb1c8f13e285681a29ebbe2b203f74eeb0c

SHA256
0df15e9f6070a740633f279620563e4f19995d2c51d74ffb45a1c1df94db32ee

SHA512
f57bfb99550328e46f5f78226c17f46d3991f4cc8ca52c5378a9e25a0f1a38bad517f38cde65dfa087c908ce83ab073a97847e97de30a6dd9817084e8dd5546c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aB9YA7Te.exe
Filesize
417KB

MD5
ce55b9feee9adc1e5b9fe6078c97518f

SHA1
bbcabfa8bfafe387af8f7d82dfd8d9d2a3b9291b

SHA256
0c6c787b440e33869380a9849b0a0b997cc446f36674f14144a05b872e7be092

SHA512
dfd321749f017161210444823d8c031654337f4d03375c271d21360de34304becc3be0f322d0a8a8ab765b0410baf46d878ac01aae69fbffe47cdf38d656793a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aB9YA7Te.exe
Filesize
417KB

MD5
ce55b9feee9adc1e5b9fe6078c97518f

SHA1
bbcabfa8bfafe387af8f7d82dfd8d9d2a3b9291b

SHA256
0c6c787b440e33869380a9849b0a0b997cc446f36674f14144a05b872e7be092

SHA512
dfd321749f017161210444823d8c031654337f4d03375c271d21360de34304becc3be0f322d0a8a8ab765b0410baf46d878ac01aae69fbffe47cdf38d656793a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uy08nd5.exe
Filesize
378KB

MD5
0c52faf51425b8558d4830d1af3c68d2

SHA1
b9ba6ecf0e18add5b4ca3b8245a409ec62d712e0

SHA256
576d1fe3d347326e97f8b4dcb36103cdd68a13afcd60c505412c01fe178cf0ef

SHA512
1c55e8cd57f23841c831f8e9450da5a2bc10c97d385714fcc42aa585d8c7198f3f8d4a4ff1766e7ea25ffab73eb579f784831e8386d80a5f0bbb3827ae0cb401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uy08nd5.exe
Filesize
378KB

MD5
0c52faf51425b8558d4830d1af3c68d2

SHA1
b9ba6ecf0e18add5b4ca3b8245a409ec62d712e0

SHA256
576d1fe3d347326e97f8b4dcb36103cdd68a13afcd60c505412c01fe178cf0ef

SHA512
1c55e8cd57f23841c831f8e9450da5a2bc10c97d385714fcc42aa585d8c7198f3f8d4a4ff1766e7ea25ffab73eb579f784831e8386d80a5f0bbb3827ae0cb401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KQ769nZ.exe
Filesize
231KB

MD5
6fe52d10b5ded2be806038908faf676c

SHA1
e7c0c40250301dfaf14fc67a493abf499212c09a

SHA256
b3fd9f203aa310ef52690cfc03571a21db600eaf6949547f464c02129f49e2d9

SHA512
56a8ad37a5c5535c968756135fe992b680ee53496779bffad33627847c36efdb58f821fe202337ac91c2c9cc09e365647c024e1b8a80db9b6f1af53dc9f83dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KQ769nZ.exe
Filesize
231KB

MD5
6fe52d10b5ded2be806038908faf676c

SHA1
e7c0c40250301dfaf14fc67a493abf499212c09a

SHA256
b3fd9f203aa310ef52690cfc03571a21db600eaf6949547f464c02129f49e2d9

SHA512
56a8ad37a5c5535c968756135fe992b680ee53496779bffad33627847c36efdb58f821fe202337ac91c2c9cc09e365647c024e1b8a80db9b6f1af53dc9f83dfe

Download Submit
memory/4480-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4480-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4480-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4480-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4816-46-0x0000000007F20000-0x0000000007FB2000-memory.dmp

Filesize
584KB

Download
memory/4816-44-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-45-0x0000000008430000-0x00000000089D4000-memory.dmp

Filesize
5.6MB

Download
memory/4816-43-0x0000000000FF0000-0x000000000102E000-memory.dmp

Filesize
248KB

Download
memory/4816-47-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/4816-48-0x0000000007F10000-0x0000000007F1A000-memory.dmp

Filesize
40KB

Download
memory/4816-49-0x0000000009000000-0x0000000009618000-memory.dmp

Filesize
6.1MB

Download
memory/4816-50-0x0000000008320000-0x000000000842A000-memory.dmp

Filesize
1.0MB

Download
memory/4816-51-0x0000000008180000-0x0000000008192000-memory.dmp

Filesize
72KB

Download
memory/4816-52-0x00000000081E0000-0x000000000821C000-memory.dmp

Filesize
240KB

Download
memory/4816-53-0x0000000008220000-0x000000000826C000-memory.dmp

Filesize
304KB

Download
memory/4816-54-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-55-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download