mystic | 35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 11:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe
Size

1.2MB
MD5

0ce38a1f0d411f9371599fba05bf1b69
SHA1

8d436cd3de377e5f064d0d842a78a15a5b3a35d6
SHA256

35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35
SHA512

36e01ee5d75c06e8a39cd59604e7ea58abf16bb0c170adb8c22a6230061810fbf3e1668932d8220e49cf476f4ec3315065cb5770049f45e6ed98e4bcd4833bd6
SSDEEP

24576:YykdtDvTsF4G5mhXLNSVQfey1+8bqAx8FuJ2YjuiqV7ALhgD09dhn1:fkdtDbsF45h7NSVQfeUPdx8FuJ2YokLd

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1776-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1776-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1776-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1776-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000900000002302a-41.dat	family_redline
behavioral2/files/0x000900000002302a-42.dat	family_redline
behavioral2/memory/4392-44-0x0000000000010000-0x000000000004E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1000	qK1JO8XT.exe
4160	Ck6MS5vw.exe
4708	tQ2Xk3xs.exe
572	BV7uH4TV.exe
436	1MO50UJ4.exe
4392	2Da035Eh.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ck6MS5vw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tQ2Xk3xs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	BV7uH4TV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qK1JO8XT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 1776	436	1MO50UJ4.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
212	436	WerFault.exe	91
216	1776	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1000	1852	NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe	87
PID 1852 wrote to memory of 1000	1852	NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe	87
PID 1852 wrote to memory of 1000	1852	NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe	87
PID 1000 wrote to memory of 4160	1000	qK1JO8XT.exe	88
PID 1000 wrote to memory of 4160	1000	qK1JO8XT.exe	88
PID 1000 wrote to memory of 4160	1000	qK1JO8XT.exe	88
PID 4160 wrote to memory of 4708	4160	Ck6MS5vw.exe	89
PID 4160 wrote to memory of 4708	4160	Ck6MS5vw.exe	89
PID 4160 wrote to memory of 4708	4160	Ck6MS5vw.exe	89
PID 4708 wrote to memory of 572	4708	tQ2Xk3xs.exe	90
PID 4708 wrote to memory of 572	4708	tQ2Xk3xs.exe	90
PID 4708 wrote to memory of 572	4708	tQ2Xk3xs.exe	90
PID 572 wrote to memory of 436	572	BV7uH4TV.exe	91
PID 572 wrote to memory of 436	572	BV7uH4TV.exe	91
PID 572 wrote to memory of 436	572	BV7uH4TV.exe	91
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 436 wrote to memory of 1776	436	1MO50UJ4.exe	93
PID 572 wrote to memory of 4392	572	BV7uH4TV.exe	98
PID 572 wrote to memory of 4392	572	BV7uH4TV.exe	98
PID 572 wrote to memory of 4392	572	BV7uH4TV.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 540
        8⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 592
        7⤵
        Program crash
        
        PID:212
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Da035Eh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Da035Eh.exe
        6⤵
        Executes dropped EXE
        
        PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1776 -ip 1776
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 436 -ip 436
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe

Filesize
1.0MB

MD5
49bdc3fe93a96f942290053b2838e353

SHA1
16e05a49dcafc3ffcd097293a7b0f6620fd8dce4

SHA256
22660f42d86c8e5d8dc40d09d5efa815f736a9a29285f92783c14569922fbe3d

SHA512
b8f7ef263fef20f55a159e02b104605f1d365d67c10fc0e88ad2182692d1934b5ebe445a806d8cc46ac22648f1a548c8bff4df70eb89be5623bd95f109b18b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe

Filesize
1.0MB

MD5
49bdc3fe93a96f942290053b2838e353

SHA1
16e05a49dcafc3ffcd097293a7b0f6620fd8dce4

SHA256
22660f42d86c8e5d8dc40d09d5efa815f736a9a29285f92783c14569922fbe3d

SHA512
b8f7ef263fef20f55a159e02b104605f1d365d67c10fc0e88ad2182692d1934b5ebe445a806d8cc46ac22648f1a548c8bff4df70eb89be5623bd95f109b18b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe

Filesize
884KB

MD5
392685fd0e969cff294232f1fa6c42ee

SHA1
c14605dc273b5b69571faefaa9efc1d2ef366f60

SHA256
15ca54d31707fa63bd976c3341e10e21a9ec75523caf7795cde81e307a97e2ed

SHA512
37a9db66a132a6a855e1ee37c4f01e560deff7bd6e24ea010a276e9cf457601bf33cc4655c8a9cd67f8a38614f76267c4322540c99c72a3ac9f9b3024b550ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe

Filesize
884KB

MD5
392685fd0e969cff294232f1fa6c42ee

SHA1
c14605dc273b5b69571faefaa9efc1d2ef366f60

SHA256
15ca54d31707fa63bd976c3341e10e21a9ec75523caf7795cde81e307a97e2ed

SHA512
37a9db66a132a6a855e1ee37c4f01e560deff7bd6e24ea010a276e9cf457601bf33cc4655c8a9cd67f8a38614f76267c4322540c99c72a3ac9f9b3024b550ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe

Filesize
590KB

MD5
9862bf9623b59844a0ef43e6288686cf

SHA1
fd6fd25dc634d54992e31158a95c70dab043c2c4

SHA256
2cd2cee1b2632ddf26e9ac8dcbe6c754c358d3b9f7cd92b5ec737f5eaea2b47a

SHA512
76db8a56a9f5f2b6f28798aa06f037aae99d48249eabad387f5dca0f74a77e88d2e4b665014fedb656264a332ca185a0e0f99484508a7da10dd1824b397300cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe

Filesize
590KB

MD5
9862bf9623b59844a0ef43e6288686cf

SHA1
fd6fd25dc634d54992e31158a95c70dab043c2c4

SHA256
2cd2cee1b2632ddf26e9ac8dcbe6c754c358d3b9f7cd92b5ec737f5eaea2b47a

SHA512
76db8a56a9f5f2b6f28798aa06f037aae99d48249eabad387f5dca0f74a77e88d2e4b665014fedb656264a332ca185a0e0f99484508a7da10dd1824b397300cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe

Filesize
417KB

MD5
4255bd8ec2b9999216490f29bc04507a

SHA1
969e435d7de1155b0c44906a2d8c5452f43d1e5e

SHA256
f24a3a16f5964629ea18ad3883c30f927be2678b3b61ff33c6eff7025e00211b

SHA512
faf612c1b10f2fb70632c9115114b74247270d534077ae26d9c90d8587619523c6a655930377b29c1623dde7e84c8831d2626f5a227eefe59368ef9802ae1f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe

Filesize
417KB

MD5
4255bd8ec2b9999216490f29bc04507a

SHA1
969e435d7de1155b0c44906a2d8c5452f43d1e5e

SHA256
f24a3a16f5964629ea18ad3883c30f927be2678b3b61ff33c6eff7025e00211b

SHA512
faf612c1b10f2fb70632c9115114b74247270d534077ae26d9c90d8587619523c6a655930377b29c1623dde7e84c8831d2626f5a227eefe59368ef9802ae1f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Da035Eh.exe

Filesize
231KB

MD5
d58eaf88f212e928f09ccf16d0c21f3c

SHA1
ad2c02b7075009567e0d5d7257e48784b8846f28

SHA256
0fa165a283db656207e88a76011a7855c74de60ce87cc3c59dd1b8198619bfa4

SHA512
778bfa60e18b4b98d0dba5b3a33e787bddf4995172f310b73f11871ba5f55820f8f08953cdf7cf831d9b0bd3d84417958ec1ebe93a568b1ae8323d7ec5f5e125

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Da035Eh.exe

Filesize
231KB

MD5
d58eaf88f212e928f09ccf16d0c21f3c

SHA1
ad2c02b7075009567e0d5d7257e48784b8846f28

SHA256
0fa165a283db656207e88a76011a7855c74de60ce87cc3c59dd1b8198619bfa4

SHA512
778bfa60e18b4b98d0dba5b3a33e787bddf4995172f310b73f11871ba5f55820f8f08953cdf7cf831d9b0bd3d84417958ec1ebe93a568b1ae8323d7ec5f5e125

Download Submit
memory/1776-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4392-46-0x0000000006F00000-0x0000000006F92000-memory.dmp

Filesize
584KB

Download
memory/4392-44-0x0000000000010000-0x000000000004E000-memory.dmp

Filesize
248KB

Download
memory/4392-45-0x0000000007410000-0x00000000079B4000-memory.dmp

Filesize
5.6MB

Download
memory/4392-43-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-47-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-48-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/4392-49-0x00000000070E0000-0x00000000070EA000-memory.dmp

Filesize
40KB

Download
memory/4392-50-0x0000000007FE0000-0x00000000085F8000-memory.dmp

Filesize
6.1MB

Download
memory/4392-51-0x0000000007280000-0x000000000738A000-memory.dmp

Filesize
1.0MB

Download
memory/4392-52-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/4392-53-0x0000000007210000-0x000000000724C000-memory.dmp

Filesize
240KB

Download
memory/4392-54-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/4392-55-0x0000000007390000-0x00000000073DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads