mystic | 3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe
Size

1.2MB
MD5

963e4375037049d27ab3ffd5adc557a4
SHA1

4209b2805b0bdb64b0b1a33d282f0106dda5e4f7
SHA256

3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef
SHA512

c00f580e86dd507f4b4bb0f93341fdbca6e12983628d3f1bf4797d7c1b8357a3563829daf71a8f3f6ec81d2bce944be1b34142938ff64c4b7f49249ecd400148
SSDEEP

24576:2y8i1yIFHYMKqnG8O6DcEooZTmpi06YKofepIG:F8ayYK38O65ooZfEKP

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3924-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3924-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3924-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3924-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zU904nC.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zU904nC.exe	family_redline
behavioral2/memory/2736-44-0x0000000000C20000-0x0000000000C5E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

us0Yx9JW.exefU1wP1IX.exedZ1qT3MD.exeEz9yh3Qe.exe1eX99ZQ3.exe2zU904nC.exe

pid process

4936 us0Yx9JW.exe
908 fU1wP1IX.exe
4080 dZ1qT3MD.exe
4876 Ez9yh3Qe.exe
948 1eX99ZQ3.exe
2736 2zU904nC.exe

pid	process
4936	us0Yx9JW.exe
908	fU1wP1IX.exe
4080	dZ1qT3MD.exe
4876	Ez9yh3Qe.exe
948	1eX99ZQ3.exe
2736	2zU904nC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

us0Yx9JW.exefU1wP1IX.exedZ1qT3MD.exeEz9yh3Qe.exeNEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	us0Yx9JW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fU1wP1IX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	dZ1qT3MD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ez9yh3Qe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1eX99ZQ3.exe

description pid process target process

PID 948 set thread context of 3924 948 1eX99ZQ3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4400 948 WerFault.exe 1eX99ZQ3.exe
3856 3924 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 948 set thread context of 3924	948	1eX99ZQ3.exe	AppLaunch.exe

pid	pid_target	process	target process
4400	948	WerFault.exe	1eX99ZQ3.exe
3856	3924	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exeus0Yx9JW.exefU1wP1IX.exedZ1qT3MD.exeEz9yh3Qe.exe1eX99ZQ3.exe

description	pid	process	target process
PID 3148 wrote to memory of 4936	3148	NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe	us0Yx9JW.exe
PID 3148 wrote to memory of 4936	3148	NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe	us0Yx9JW.exe
PID 3148 wrote to memory of 4936	3148	NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe	us0Yx9JW.exe
PID 4936 wrote to memory of 908	4936	us0Yx9JW.exe	fU1wP1IX.exe
PID 4936 wrote to memory of 908	4936	us0Yx9JW.exe	fU1wP1IX.exe
PID 4936 wrote to memory of 908	4936	us0Yx9JW.exe	fU1wP1IX.exe
PID 908 wrote to memory of 4080	908	fU1wP1IX.exe	dZ1qT3MD.exe
PID 908 wrote to memory of 4080	908	fU1wP1IX.exe	dZ1qT3MD.exe
PID 908 wrote to memory of 4080	908	fU1wP1IX.exe	dZ1qT3MD.exe
PID 4080 wrote to memory of 4876	4080	dZ1qT3MD.exe	Ez9yh3Qe.exe
PID 4080 wrote to memory of 4876	4080	dZ1qT3MD.exe	Ez9yh3Qe.exe
PID 4080 wrote to memory of 4876	4080	dZ1qT3MD.exe	Ez9yh3Qe.exe
PID 4876 wrote to memory of 948	4876	Ez9yh3Qe.exe	1eX99ZQ3.exe
PID 4876 wrote to memory of 948	4876	Ez9yh3Qe.exe	1eX99ZQ3.exe
PID 4876 wrote to memory of 948	4876	Ez9yh3Qe.exe	1eX99ZQ3.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 948 wrote to memory of 3924	948	1eX99ZQ3.exe	AppLaunch.exe
PID 4876 wrote to memory of 2736	4876	Ez9yh3Qe.exe	2zU904nC.exe
PID 4876 wrote to memory of 2736	4876	Ez9yh3Qe.exe	2zU904nC.exe
PID 4876 wrote to memory of 2736	4876	Ez9yh3Qe.exe	2zU904nC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3b3de6f1483c2e36638b183c5b4b1d16764a7f3a89b934cedddad6423bd101ef_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us0Yx9JW.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us0Yx9JW.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fU1wP1IX.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fU1wP1IX.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZ1qT3MD.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZ1qT3MD.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ez9yh3Qe.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ez9yh3Qe.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eX99ZQ3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eX99ZQ3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 540
8⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 592
7⤵
- Program crash
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zU904nC.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zU904nC.exe
6⤵
- Executes dropped EXE
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 948 -ip 948
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3924 -ip 3924
1⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us0Yx9JW.exe
Filesize
1.0MB

MD5
04988134fc34e3b002b0c4f4bf08d6d2

SHA1
d9fad07b22384d9eb3217a92cfd7ce1fd4dc6936

SHA256
20bd46e79eb2f92599ff92f912e1f0caa9f938ebe52d941ce6c41f1442d9fe76

SHA512
dbd25971d3527b5a8d74bc5b3c3bdf059266201b43b37c5f2f6d40071369b0ea81b140dce3d1aaa7278d658fdbb20d921a7ac742e8ea85a55c055193b95f1a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us0Yx9JW.exe
Filesize
1.0MB

MD5
04988134fc34e3b002b0c4f4bf08d6d2

SHA1
d9fad07b22384d9eb3217a92cfd7ce1fd4dc6936

SHA256
20bd46e79eb2f92599ff92f912e1f0caa9f938ebe52d941ce6c41f1442d9fe76

SHA512
dbd25971d3527b5a8d74bc5b3c3bdf059266201b43b37c5f2f6d40071369b0ea81b140dce3d1aaa7278d658fdbb20d921a7ac742e8ea85a55c055193b95f1a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fU1wP1IX.exe
Filesize
884KB

MD5
d12d69943b4a3117ca6fe762493a4037

SHA1
ed97c5373bd319d2555290ffb8f65e048cafacd6

SHA256
2167fdd07aed291de15afe0b2417fdef3c3c98e5310194443ba5132a2f707625

SHA512
8246fe99cd7e0bde766d878047bae32edbf56021e3841a95b9155b995e12cb4b1ce81ba5cb8ed98622ba78cc2a8c49f318f0d3f95074d40a5fe668a4fc34d470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fU1wP1IX.exe
Filesize
884KB

MD5
d12d69943b4a3117ca6fe762493a4037

SHA1
ed97c5373bd319d2555290ffb8f65e048cafacd6

SHA256
2167fdd07aed291de15afe0b2417fdef3c3c98e5310194443ba5132a2f707625

SHA512
8246fe99cd7e0bde766d878047bae32edbf56021e3841a95b9155b995e12cb4b1ce81ba5cb8ed98622ba78cc2a8c49f318f0d3f95074d40a5fe668a4fc34d470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZ1qT3MD.exe
Filesize
590KB

MD5
cdd6b82cf45bde6268643c1264fa8853

SHA1
9674a0839641b050fc0e10c7beb844a64477b871

SHA256
17bfdfc4459d56f82bfa2d99a6057a964ec113b2a7a6947602c1551d058f4405

SHA512
317984df9d77e83653eecd6309d86393c034a0158687f3fb5edcdfec6041c093c1d1477a0e03b37f4b84bd389f076401b61d44d1582458066005e947ea86ebb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZ1qT3MD.exe
Filesize
590KB

MD5
cdd6b82cf45bde6268643c1264fa8853

SHA1
9674a0839641b050fc0e10c7beb844a64477b871

SHA256
17bfdfc4459d56f82bfa2d99a6057a964ec113b2a7a6947602c1551d058f4405

SHA512
317984df9d77e83653eecd6309d86393c034a0158687f3fb5edcdfec6041c093c1d1477a0e03b37f4b84bd389f076401b61d44d1582458066005e947ea86ebb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ez9yh3Qe.exe
Filesize
417KB

MD5
925e051dd32695ed9f1732e5b34f5cfa

SHA1
9ea8bf3a790bd9e26fc6f6c5031e5895af548ec3

SHA256
6cc2b998986cc57a61ac9baa463c35da2d4a48514f102f692a5720fda6d0c2f6

SHA512
be11f563498344be41f34768b692aa0f7b51ed68348924892ddf805161754032b50104d33c0cc1218572caef9952747869533146190eb4c50fa5f10ac84b93d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ez9yh3Qe.exe
Filesize
417KB

MD5
925e051dd32695ed9f1732e5b34f5cfa

SHA1
9ea8bf3a790bd9e26fc6f6c5031e5895af548ec3

SHA256
6cc2b998986cc57a61ac9baa463c35da2d4a48514f102f692a5720fda6d0c2f6

SHA512
be11f563498344be41f34768b692aa0f7b51ed68348924892ddf805161754032b50104d33c0cc1218572caef9952747869533146190eb4c50fa5f10ac84b93d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eX99ZQ3.exe
Filesize
378KB

MD5
83e6bc07d036f14d1f9eb9b5dd895d0b

SHA1
867cdc126ec79599f7a06add0cb7a3ce85fcb8b9

SHA256
76b2c629004bf66b8020b9705e0025da818af440d4378b1d7aebeeb9e0ebd160

SHA512
cad569f1ca25b62f157520e9a9b749da9075515296f5b692826292e359795227fbff3bc8c2bc9916a77c0b88ba7537d2fb12d47d1851aff699978b1857e254dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eX99ZQ3.exe
Filesize
378KB

MD5
83e6bc07d036f14d1f9eb9b5dd895d0b

SHA1
867cdc126ec79599f7a06add0cb7a3ce85fcb8b9

SHA256
76b2c629004bf66b8020b9705e0025da818af440d4378b1d7aebeeb9e0ebd160

SHA512
cad569f1ca25b62f157520e9a9b749da9075515296f5b692826292e359795227fbff3bc8c2bc9916a77c0b88ba7537d2fb12d47d1851aff699978b1857e254dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zU904nC.exe
Filesize
231KB

MD5
60102d70f9078178cf8411313a98ad32

SHA1
3eec6606d225334b2c4ea34b50cdc452f596b8fe

SHA256
57931076d26c2af49553792dcf23a42a5afe93603feee61ba18aacc257a35a05

SHA512
f2781999b91ff7e59ba6274f2e172b0a2447c2577f99b4fff3dc57e4ac0ed59750542f37249fbc4628a146abacca1628f106e743d938c612fb3c8adf8d09464a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zU904nC.exe
Filesize
231KB

MD5
60102d70f9078178cf8411313a98ad32

SHA1
3eec6606d225334b2c4ea34b50cdc452f596b8fe

SHA256
57931076d26c2af49553792dcf23a42a5afe93603feee61ba18aacc257a35a05

SHA512
f2781999b91ff7e59ba6274f2e172b0a2447c2577f99b4fff3dc57e4ac0ed59750542f37249fbc4628a146abacca1628f106e743d938c612fb3c8adf8d09464a

Download Submit
memory/2736-46-0x0000000007B20000-0x0000000007BB2000-memory.dmp

Filesize
584KB

Download
memory/2736-43-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2736-47-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/2736-55-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/2736-48-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

Filesize
40KB

Download
memory/2736-44-0x0000000000C20000-0x0000000000C5E000-memory.dmp

Filesize
248KB

Download
memory/2736-45-0x0000000008030000-0x00000000085D4000-memory.dmp

Filesize
5.6MB

Download
memory/2736-49-0x0000000008C00000-0x0000000009218000-memory.dmp

Filesize
6.1MB

Download
memory/2736-54-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2736-53-0x0000000007E50000-0x0000000007E9C000-memory.dmp

Filesize
304KB

Download
memory/2736-52-0x0000000007E10000-0x0000000007E4C000-memory.dmp

Filesize
240KB

Download
memory/2736-50-0x0000000007EE0000-0x0000000007FEA000-memory.dmp

Filesize
1.0MB

Download
memory/2736-51-0x0000000007DB0000-0x0000000007DC2000-memory.dmp

Filesize
72KB

Download
memory/3924-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3924-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3924-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3924-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download