mystic | 46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe
Size

1.2MB
MD5

4282879a7476bad218d36efb1e6be79a
SHA1

99fbb8927f550eb95968cc2b4ebcbf794b819724
SHA256

46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7
SHA512

934c0585cbb94b719be9cd1682a6520728ca0859a77aca5f3823fa135e2ae26a5c1b5e923194e6c1d9e934112ed2f8348c3cefd0ecf6823b0062ac460d4b7608
SSDEEP

24576:myQE/Lp8E3ZEnYYWU+vH/cBMfLuqHGqpCVOZ3C8iEr6W0VNsbp:1Qkl8xnYYVOcfmNrCXVm

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4044-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4044-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4044-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4044-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ol072iD.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ol072iD.exe	family_redline
behavioral2/memory/2944-44-0x00000000008C0000-0x00000000008FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

DB0Sa5gO.exemj9mc4tw.exeWY0TD8gS.exedf5zO8SI.exe1bL52Sl9.exe2ol072iD.exe

pid process

4388 DB0Sa5gO.exe
2976 mj9mc4tw.exe
4980 WY0TD8gS.exe
3004 df5zO8SI.exe
3948 1bL52Sl9.exe
2944 2ol072iD.exe

pid	process
4388	DB0Sa5gO.exe
2976	mj9mc4tw.exe
4980	WY0TD8gS.exe
3004	df5zO8SI.exe
3948	1bL52Sl9.exe
2944	2ol072iD.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

df5zO8SI.exeNEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exeDB0Sa5gO.exemj9mc4tw.exeWY0TD8gS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	df5zO8SI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DB0Sa5gO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mj9mc4tw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WY0TD8gS.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1bL52Sl9.exe

description pid process target process

PID 3948 set thread context of 4044 3948 1bL52Sl9.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

628 4044 WerFault.exe AppLaunch.exe
1164 3948 WerFault.exe 1bL52Sl9.exe

description	pid	process	target process
PID 3948 set thread context of 4044	3948	1bL52Sl9.exe	AppLaunch.exe

pid	pid_target	process	target process
628	4044	WerFault.exe	AppLaunch.exe
1164	3948	WerFault.exe	1bL52Sl9.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exeDB0Sa5gO.exemj9mc4tw.exeWY0TD8gS.exedf5zO8SI.exe1bL52Sl9.exe

description	pid	process	target process
PID 4724 wrote to memory of 4388	4724	NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe	DB0Sa5gO.exe
PID 4724 wrote to memory of 4388	4724	NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe	DB0Sa5gO.exe
PID 4724 wrote to memory of 4388	4724	NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe	DB0Sa5gO.exe
PID 4388 wrote to memory of 2976	4388	DB0Sa5gO.exe	mj9mc4tw.exe
PID 4388 wrote to memory of 2976	4388	DB0Sa5gO.exe	mj9mc4tw.exe
PID 4388 wrote to memory of 2976	4388	DB0Sa5gO.exe	mj9mc4tw.exe
PID 2976 wrote to memory of 4980	2976	mj9mc4tw.exe	WY0TD8gS.exe
PID 2976 wrote to memory of 4980	2976	mj9mc4tw.exe	WY0TD8gS.exe
PID 2976 wrote to memory of 4980	2976	mj9mc4tw.exe	WY0TD8gS.exe
PID 4980 wrote to memory of 3004	4980	WY0TD8gS.exe	df5zO8SI.exe
PID 4980 wrote to memory of 3004	4980	WY0TD8gS.exe	df5zO8SI.exe
PID 4980 wrote to memory of 3004	4980	WY0TD8gS.exe	df5zO8SI.exe
PID 3004 wrote to memory of 3948	3004	df5zO8SI.exe	1bL52Sl9.exe
PID 3004 wrote to memory of 3948	3004	df5zO8SI.exe	1bL52Sl9.exe
PID 3004 wrote to memory of 3948	3004	df5zO8SI.exe	1bL52Sl9.exe
PID 3948 wrote to memory of 872	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 872	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 872	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 700	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 700	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 700	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 2828	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 2828	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 2828	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3948 wrote to memory of 4044	3948	1bL52Sl9.exe	AppLaunch.exe
PID 3004 wrote to memory of 2944	3004	df5zO8SI.exe	2ol072iD.exe
PID 3004 wrote to memory of 2944	3004	df5zO8SI.exe	2ol072iD.exe
PID 3004 wrote to memory of 2944	3004	df5zO8SI.exe	2ol072iD.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.46684b490d4eb97695320700dd3d11c4179e0b6ff02dbe1096e7ef1b285a39b7_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0Sa5gO.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0Sa5gO.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mj9mc4tw.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mj9mc4tw.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WY0TD8gS.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WY0TD8gS.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\df5zO8SI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\df5zO8SI.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL52Sl9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL52Sl9.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 540
8⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 624
7⤵
- Program crash
PID:1164

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ol072iD.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ol072iD.exe
6⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3948 -ip 3948
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4044 -ip 4044
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0Sa5gO.exe
Filesize
1.0MB

MD5
d6a45b154023a35cbfa3fdb18f4a1ad7

SHA1
3d74aea6b9a6eb7599d378f4978f3d67c078e3f4

SHA256
91908f5458327e5d6bc8aa519568503a38307b7ee5c0bce2a7537c64fedb78c5

SHA512
ced8b5024aaa1dbbd390a279d2870d40a62bb62f163228f7529c39634d596577151704c070e805f32b0112919a3403b5d700471ea69fa996a5d5fdfe8b5d9c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0Sa5gO.exe
Filesize
1.0MB

MD5
d6a45b154023a35cbfa3fdb18f4a1ad7

SHA1
3d74aea6b9a6eb7599d378f4978f3d67c078e3f4

SHA256
91908f5458327e5d6bc8aa519568503a38307b7ee5c0bce2a7537c64fedb78c5

SHA512
ced8b5024aaa1dbbd390a279d2870d40a62bb62f163228f7529c39634d596577151704c070e805f32b0112919a3403b5d700471ea69fa996a5d5fdfe8b5d9c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mj9mc4tw.exe
Filesize
884KB

MD5
c333055afa948f4216511b1435fbfa8b

SHA1
c3bebb80d4ecaca464b80bd5858b9def1d7191fa

SHA256
709f171bb10a4752d666eb416109523c8fd3c54d34349d3575ac5f97d126d022

SHA512
9b06c68d9c07ce84b47986d41553c2a9b95bcf41b7b2f788c18f5ed4ee84c2ea9b71f612eeafc745966566dd713cc0b432dad27d120a7bdea044d4b9bb13c2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mj9mc4tw.exe
Filesize
884KB

MD5
c333055afa948f4216511b1435fbfa8b

SHA1
c3bebb80d4ecaca464b80bd5858b9def1d7191fa

SHA256
709f171bb10a4752d666eb416109523c8fd3c54d34349d3575ac5f97d126d022

SHA512
9b06c68d9c07ce84b47986d41553c2a9b95bcf41b7b2f788c18f5ed4ee84c2ea9b71f612eeafc745966566dd713cc0b432dad27d120a7bdea044d4b9bb13c2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WY0TD8gS.exe
Filesize
590KB

MD5
f01698dab6c802aa09cd6669337603b0

SHA1
dfe6fadf64f1fadacf35bcd126fb24e7a4c5ada9

SHA256
cfbe72b0137c28154cb852bde6efb07f0972faf0f82eefb1b7bc12da0a4fe0ef

SHA512
f00e04ca553ae3fa29b2a5c53f26cfc2a65c32b8e4c192247db1893b493c440189d8a780bb498d95c0acbf68d876f99b1d91b6a31267a6f1f8d27615f1b5ec7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WY0TD8gS.exe
Filesize
590KB

MD5
f01698dab6c802aa09cd6669337603b0

SHA1
dfe6fadf64f1fadacf35bcd126fb24e7a4c5ada9

SHA256
cfbe72b0137c28154cb852bde6efb07f0972faf0f82eefb1b7bc12da0a4fe0ef

SHA512
f00e04ca553ae3fa29b2a5c53f26cfc2a65c32b8e4c192247db1893b493c440189d8a780bb498d95c0acbf68d876f99b1d91b6a31267a6f1f8d27615f1b5ec7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\df5zO8SI.exe
Filesize
417KB

MD5
c2c40d1ecb677cadc1245f5a1cc04a88

SHA1
94fa8e98c6ef8f3f03b23d93c70f7a6b1912fc28

SHA256
4524890731b032838da5fb2745b8383c8c56ce6c1c35015d423fee310691a3fb

SHA512
ab2e21d4081856f0113d1e8222ed8c1d820b8493817b15ed9f9377ac442fa182e60d02bd90dd22d4e3e5649e18d45ceebd13e55b6049af876838a691beb99764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\df5zO8SI.exe
Filesize
417KB

MD5
c2c40d1ecb677cadc1245f5a1cc04a88

SHA1
94fa8e98c6ef8f3f03b23d93c70f7a6b1912fc28

SHA256
4524890731b032838da5fb2745b8383c8c56ce6c1c35015d423fee310691a3fb

SHA512
ab2e21d4081856f0113d1e8222ed8c1d820b8493817b15ed9f9377ac442fa182e60d02bd90dd22d4e3e5649e18d45ceebd13e55b6049af876838a691beb99764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL52Sl9.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL52Sl9.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ol072iD.exe
Filesize
231KB

MD5
e871bbb58925e4dfc45dfc9e4671edda

SHA1
24af062a7bf4d5336fa966dfee040c0b15f1a3a3

SHA256
d045d03cecc7ce265744cde52448625e51491397f43a1c235ecfde92442164d3

SHA512
176332e2f6876d1067ecc61db19adfadb4b1831a7cea0236ff0bf2fdc897d7ada3246556ba6f00bfcb542674bb5349c4678ac5c128b82677d3bb7106200ea353

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ol072iD.exe
Filesize
231KB

MD5
e871bbb58925e4dfc45dfc9e4671edda

SHA1
24af062a7bf4d5336fa966dfee040c0b15f1a3a3

SHA256
d045d03cecc7ce265744cde52448625e51491397f43a1c235ecfde92442164d3

SHA512
176332e2f6876d1067ecc61db19adfadb4b1831a7cea0236ff0bf2fdc897d7ada3246556ba6f00bfcb542674bb5349c4678ac5c128b82677d3bb7106200ea353

Download Submit
memory/2944-46-0x0000000007680000-0x0000000007712000-memory.dmp

Filesize
584KB

Download
memory/2944-43-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/2944-47-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/2944-55-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/2944-48-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/2944-44-0x00000000008C0000-0x00000000008FE000-memory.dmp

Filesize
248KB

Download
memory/2944-45-0x0000000007B80000-0x0000000008124000-memory.dmp

Filesize
5.6MB

Download
memory/2944-49-0x0000000008750000-0x0000000008D68000-memory.dmp

Filesize
6.1MB

Download
memory/2944-54-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/2944-53-0x0000000007B00000-0x0000000007B4C000-memory.dmp

Filesize
304KB

Download
memory/2944-52-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

Filesize
240KB

Download
memory/2944-50-0x0000000008130000-0x000000000823A000-memory.dmp

Filesize
1.0MB

Download
memory/2944-51-0x0000000007A60000-0x0000000007A72000-memory.dmp

Filesize
72KB

Download
memory/4044-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download