mystic | 95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe
Size

1.2MB
MD5

df0c4b3ef4ae8a32f9a0ea69a221d108
SHA1

d30e93a9136809f1999fc03b39caf8d7b04547c9
SHA256

95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9
SHA512

bf96432e8ea9140d2d472794708eba7cb6b2a94b274e5110182eddfc50ff3d8fcb0ef8d483b8091bc7544b0425124ef1ad1345b0e4bb0a18b6e3f3b16e0778d1
SSDEEP

24576:PyemnQyfJDul5UuCEao7y98P9+QPru6pIx4HOSBo:aeqVfJDul5U5Ev7C8V5ruhxlS

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1284-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1284-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1284-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1284-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qq019gd.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qq019gd.exe	family_redline
behavioral2/memory/2460-43-0x0000000000070000-0x00000000000AE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

yr6dV2Sq.exevK2Hj2gA.exexo6VP8CV.exerl4DN7Ty.exe1Oo51gR7.exe2Qq019gd.exe

pid process

3480 yr6dV2Sq.exe
4376 vK2Hj2gA.exe
4120 xo6VP8CV.exe
3548 rl4DN7Ty.exe
4628 1Oo51gR7.exe
2460 2Qq019gd.exe

pid	process
3480	yr6dV2Sq.exe
4376	vK2Hj2gA.exe
4120	xo6VP8CV.exe
3548	rl4DN7Ty.exe
4628	1Oo51gR7.exe
2460	2Qq019gd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exeyr6dV2Sq.exevK2Hj2gA.exexo6VP8CV.exerl4DN7Ty.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yr6dV2Sq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vK2Hj2gA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xo6VP8CV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	rl4DN7Ty.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Oo51gR7.exe

description pid process target process

PID 4628 set thread context of 1284 4628 1Oo51gR7.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3948 1284 WerFault.exe AppLaunch.exe
2192 4628 WerFault.exe 1Oo51gR7.exe

description	pid	process	target process
PID 4628 set thread context of 1284	4628	1Oo51gR7.exe	AppLaunch.exe

pid	pid_target	process	target process
3948	1284	WerFault.exe	AppLaunch.exe
2192	4628	WerFault.exe	1Oo51gR7.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exeyr6dV2Sq.exevK2Hj2gA.exexo6VP8CV.exerl4DN7Ty.exe1Oo51gR7.exe

description	pid	process	target process
PID 1968 wrote to memory of 3480	1968	NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe	yr6dV2Sq.exe
PID 1968 wrote to memory of 3480	1968	NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe	yr6dV2Sq.exe
PID 1968 wrote to memory of 3480	1968	NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe	yr6dV2Sq.exe
PID 3480 wrote to memory of 4376	3480	yr6dV2Sq.exe	vK2Hj2gA.exe
PID 3480 wrote to memory of 4376	3480	yr6dV2Sq.exe	vK2Hj2gA.exe
PID 3480 wrote to memory of 4376	3480	yr6dV2Sq.exe	vK2Hj2gA.exe
PID 4376 wrote to memory of 4120	4376	vK2Hj2gA.exe	xo6VP8CV.exe
PID 4376 wrote to memory of 4120	4376	vK2Hj2gA.exe	xo6VP8CV.exe
PID 4376 wrote to memory of 4120	4376	vK2Hj2gA.exe	xo6VP8CV.exe
PID 4120 wrote to memory of 3548	4120	xo6VP8CV.exe	rl4DN7Ty.exe
PID 4120 wrote to memory of 3548	4120	xo6VP8CV.exe	rl4DN7Ty.exe
PID 4120 wrote to memory of 3548	4120	xo6VP8CV.exe	rl4DN7Ty.exe
PID 3548 wrote to memory of 4628	3548	rl4DN7Ty.exe	1Oo51gR7.exe
PID 3548 wrote to memory of 4628	3548	rl4DN7Ty.exe	1Oo51gR7.exe
PID 3548 wrote to memory of 4628	3548	rl4DN7Ty.exe	1Oo51gR7.exe
PID 4628 wrote to memory of 4604	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 4604	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 4604	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 220	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 220	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 220	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 4628 wrote to memory of 1284	4628	1Oo51gR7.exe	AppLaunch.exe
PID 3548 wrote to memory of 2460	3548	rl4DN7Ty.exe	2Qq019gd.exe
PID 3548 wrote to memory of 2460	3548	rl4DN7Ty.exe	2Qq019gd.exe
PID 3548 wrote to memory of 2460	3548	rl4DN7Ty.exe	2Qq019gd.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.95d24db14cc444f15f37de7be78ecff92ac4307aa25440a77fb45e9a0f9d19e9_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr6dV2Sq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr6dV2Sq.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vK2Hj2gA.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vK2Hj2gA.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xo6VP8CV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xo6VP8CV.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rl4DN7Ty.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rl4DN7Ty.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Oo51gR7.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Oo51gR7.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 540
8⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 624
7⤵
- Program crash
PID:2192

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qq019gd.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qq019gd.exe
6⤵
- Executes dropped EXE
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4628 -ip 4628
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1284 -ip 1284
1⤵
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr6dV2Sq.exe
Filesize
1.0MB

MD5
c207bb98525b845b6698c51c47a893bd

SHA1
eabd54cb2c24023d1fd8357d65409310aa993313

SHA256
4d3a790a16a89d2b5375037fe7492167e7b171ae2549ed53f030161c3a1f53b2

SHA512
0a65e41d0416a39349041cb778463e87e13ad3d0f2c043b9725f0408956e23288be4c12934d3eecd4e03db8cdb9bf134e3c5d18d1db05bad4cbeba7a56ec95b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr6dV2Sq.exe
Filesize
1.0MB

MD5
c207bb98525b845b6698c51c47a893bd

SHA1
eabd54cb2c24023d1fd8357d65409310aa993313

SHA256
4d3a790a16a89d2b5375037fe7492167e7b171ae2549ed53f030161c3a1f53b2

SHA512
0a65e41d0416a39349041cb778463e87e13ad3d0f2c043b9725f0408956e23288be4c12934d3eecd4e03db8cdb9bf134e3c5d18d1db05bad4cbeba7a56ec95b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vK2Hj2gA.exe
Filesize
884KB

MD5
cff291b6910b081568560686349502cf

SHA1
0918066148033fd7f2c82533f599a478d0bc05ce

SHA256
32bdca35b2723260af5a0215a81c86d2bcc5d11dd2f31a35086dcfcb7f73a5bd

SHA512
da6c8a1ef6749ed4aee0d6992936f7741209192f5a7535077cf919d65bf6937b7faaaa25450dd490aa0a2a9a4ae94c11c752db56d9541444afe3589bf4d5174b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vK2Hj2gA.exe
Filesize
884KB

MD5
cff291b6910b081568560686349502cf

SHA1
0918066148033fd7f2c82533f599a478d0bc05ce

SHA256
32bdca35b2723260af5a0215a81c86d2bcc5d11dd2f31a35086dcfcb7f73a5bd

SHA512
da6c8a1ef6749ed4aee0d6992936f7741209192f5a7535077cf919d65bf6937b7faaaa25450dd490aa0a2a9a4ae94c11c752db56d9541444afe3589bf4d5174b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xo6VP8CV.exe
Filesize
590KB

MD5
1ef216c27277f961edd25066a3df1830

SHA1
04f91633e67296e651bdeeb688eeb913a0c40df7

SHA256
0aac5ed5954a9f210d0bc87606977aecf6474b3824491aa5ade6cb5d21fdec9d

SHA512
05a4d675df330c2136ea03a8405eba7d665c1a1ac187c943351eeef399dc9c86b8672dc8c01acf40736abe4b07fbca09d4f1755e857fae79ce714dd83fcf3db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xo6VP8CV.exe
Filesize
590KB

MD5
1ef216c27277f961edd25066a3df1830

SHA1
04f91633e67296e651bdeeb688eeb913a0c40df7

SHA256
0aac5ed5954a9f210d0bc87606977aecf6474b3824491aa5ade6cb5d21fdec9d

SHA512
05a4d675df330c2136ea03a8405eba7d665c1a1ac187c943351eeef399dc9c86b8672dc8c01acf40736abe4b07fbca09d4f1755e857fae79ce714dd83fcf3db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rl4DN7Ty.exe
Filesize
417KB

MD5
c4db66c858a96527bc01df7886f9f7e9

SHA1
afafacb38aa3e5afba841037409aa5d011158b8b

SHA256
82d1dbddf44603e83dee5133890c754f8ce10724bab5559b0f6959b9f761da3f

SHA512
750a25353a19d1dcc651573618fb8206bbc2a6cfaf51dcf3053a13267ab19ec1942afbf54016be447a9564aa40c58d0d8b1479c00fc3da502857fc70e75625f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rl4DN7Ty.exe
Filesize
417KB

MD5
c4db66c858a96527bc01df7886f9f7e9

SHA1
afafacb38aa3e5afba841037409aa5d011158b8b

SHA256
82d1dbddf44603e83dee5133890c754f8ce10724bab5559b0f6959b9f761da3f

SHA512
750a25353a19d1dcc651573618fb8206bbc2a6cfaf51dcf3053a13267ab19ec1942afbf54016be447a9564aa40c58d0d8b1479c00fc3da502857fc70e75625f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Oo51gR7.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Oo51gR7.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qq019gd.exe
Filesize
231KB

MD5
1a905ba633fc82f3407bad725e0f18a4

SHA1
1413dab7a235c19978b23e894f77f15025e6e202

SHA256
b7ac503a6d3b44070b2490ce374af8c6f9db8747473cead45228ee20e98f47c5

SHA512
109daa79cc5d02af98a7f04c0fc713e1aaf9781cb04d48b349fd2ca98f575eaf78e5609054d50a3525d0b1b9cdf442a4978e1cab76d22696f403fc7d40bdfe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qq019gd.exe
Filesize
231KB

MD5
1a905ba633fc82f3407bad725e0f18a4

SHA1
1413dab7a235c19978b23e894f77f15025e6e202

SHA256
b7ac503a6d3b44070b2490ce374af8c6f9db8747473cead45228ee20e98f47c5

SHA512
109daa79cc5d02af98a7f04c0fc713e1aaf9781cb04d48b349fd2ca98f575eaf78e5609054d50a3525d0b1b9cdf442a4978e1cab76d22696f403fc7d40bdfe20

Download Submit
memory/1284-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1284-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1284-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1284-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2460-46-0x0000000006FD0000-0x0000000007062000-memory.dmp

Filesize
584KB

Download
memory/2460-44-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2460-45-0x00000000074E0000-0x0000000007A84000-memory.dmp

Filesize
5.6MB

Download
memory/2460-43-0x0000000000070000-0x00000000000AE000-memory.dmp

Filesize
248KB

Download
memory/2460-47-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2460-48-0x0000000006F90000-0x0000000006F9A000-memory.dmp

Filesize
40KB

Download
memory/2460-49-0x00000000080B0000-0x00000000086C8000-memory.dmp

Filesize
6.1MB

Download
memory/2460-50-0x0000000007340000-0x000000000744A000-memory.dmp

Filesize
1.0MB

Download
memory/2460-51-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/2460-52-0x0000000007270000-0x00000000072AC000-memory.dmp

Filesize
240KB

Download
memory/2460-53-0x00000000072B0000-0x00000000072FC000-memory.dmp

Filesize
304KB

Download
memory/2460-54-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2460-55-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download