mystic | 8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c

Analysis

max time kernel
163s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe
Size

1.2MB
MD5

4e69ba0391db6de4be9f9ecbb59704fe
SHA1

efc1f299ad11e1cb690c83b1179f701c44e92c4b
SHA256

8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c
SHA512

2cdde6f5d4cedf3a12859577459e21ccd4fb956744fb38c81a87861254f3e1d2088e761144cc7679bdc65f12ba9bdcbd3bbbdb343d6b0943ef2d480c9c91b68f
SSDEEP

24576:ayeKinFUsJyOj+lpQ+QX8slAv1YABa5fLNQ:heLJ0letI1H0T

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3288-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3288-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3288-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3288-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ia429ZG.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ia429ZG.exe	family_redline
behavioral2/memory/3704-43-0x0000000000C40000-0x0000000000C7E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

xB0px1HA.exejD9tk4lf.exeMZ7KL5zy.exeSJ1IC7wu.exe1eb94zF8.exe2ia429ZG.exe

pid process

4552 xB0px1HA.exe
4216 jD9tk4lf.exe
1604 MZ7KL5zy.exe
3876 SJ1IC7wu.exe
2704 1eb94zF8.exe
3704 2ia429ZG.exe

pid	process
4552	xB0px1HA.exe
4216	jD9tk4lf.exe
1604	MZ7KL5zy.exe
3876	SJ1IC7wu.exe
2704	1eb94zF8.exe
3704	2ia429ZG.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exexB0px1HA.exejD9tk4lf.exeMZ7KL5zy.exeSJ1IC7wu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xB0px1HA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jD9tk4lf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	MZ7KL5zy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	SJ1IC7wu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1eb94zF8.exe

description pid process target process

PID 2704 set thread context of 3288 2704 1eb94zF8.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

780 2704 WerFault.exe 1eb94zF8.exe
5080 3288 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2704 set thread context of 3288	2704	1eb94zF8.exe	AppLaunch.exe

pid	pid_target	process	target process
780	2704	WerFault.exe	1eb94zF8.exe
5080	3288	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exexB0px1HA.exejD9tk4lf.exeMZ7KL5zy.exeSJ1IC7wu.exe1eb94zF8.exe

description	pid	process	target process
PID 2348 wrote to memory of 4552	2348	NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe	xB0px1HA.exe
PID 2348 wrote to memory of 4552	2348	NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe	xB0px1HA.exe
PID 2348 wrote to memory of 4552	2348	NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe	xB0px1HA.exe
PID 4552 wrote to memory of 4216	4552	xB0px1HA.exe	jD9tk4lf.exe
PID 4552 wrote to memory of 4216	4552	xB0px1HA.exe	jD9tk4lf.exe
PID 4552 wrote to memory of 4216	4552	xB0px1HA.exe	jD9tk4lf.exe
PID 4216 wrote to memory of 1604	4216	jD9tk4lf.exe	MZ7KL5zy.exe
PID 4216 wrote to memory of 1604	4216	jD9tk4lf.exe	MZ7KL5zy.exe
PID 4216 wrote to memory of 1604	4216	jD9tk4lf.exe	MZ7KL5zy.exe
PID 1604 wrote to memory of 3876	1604	MZ7KL5zy.exe	SJ1IC7wu.exe
PID 1604 wrote to memory of 3876	1604	MZ7KL5zy.exe	SJ1IC7wu.exe
PID 1604 wrote to memory of 3876	1604	MZ7KL5zy.exe	SJ1IC7wu.exe
PID 3876 wrote to memory of 2704	3876	SJ1IC7wu.exe	1eb94zF8.exe
PID 3876 wrote to memory of 2704	3876	SJ1IC7wu.exe	1eb94zF8.exe
PID 3876 wrote to memory of 2704	3876	SJ1IC7wu.exe	1eb94zF8.exe
PID 2704 wrote to memory of 2832	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 2832	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 2832	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 2704 wrote to memory of 3288	2704	1eb94zF8.exe	AppLaunch.exe
PID 3876 wrote to memory of 3704	3876	SJ1IC7wu.exe	2ia429ZG.exe
PID 3876 wrote to memory of 3704	3876	SJ1IC7wu.exe	2ia429ZG.exe
PID 3876 wrote to memory of 3704	3876	SJ1IC7wu.exe	2ia429ZG.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8152ac23e0f47c5a47d372652f130249d1881d3b6398e8949e1a658e0980a64c_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB0px1HA.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB0px1HA.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jD9tk4lf.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jD9tk4lf.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MZ7KL5zy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MZ7KL5zy.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SJ1IC7wu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SJ1IC7wu.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eb94zF8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eb94zF8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 540
8⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 608
7⤵
- Program crash
PID:780

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ia429ZG.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ia429ZG.exe
6⤵
- Executes dropped EXE
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3288 -ip 3288
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2704 -ip 2704
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB0px1HA.exe
Filesize
1.0MB

MD5
239743273fcebe54758e36092bb3f640

SHA1
f836e6e55f5bb9a665d50ab0a2d64bec460d956b

SHA256
c75348c69c305ab2ab2615aa7f3b5709d83d48b5911ff961562d866baf2d68ef

SHA512
aebef90182f82b1682339b13f38e23a5c33055a743f1cf4572685fb9dae6481467b64f03bf8714f68dc1020643baaab6deba179c6f88fc03c7d5fc0dbf7c6bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB0px1HA.exe
Filesize
1.0MB

MD5
239743273fcebe54758e36092bb3f640

SHA1
f836e6e55f5bb9a665d50ab0a2d64bec460d956b

SHA256
c75348c69c305ab2ab2615aa7f3b5709d83d48b5911ff961562d866baf2d68ef

SHA512
aebef90182f82b1682339b13f38e23a5c33055a743f1cf4572685fb9dae6481467b64f03bf8714f68dc1020643baaab6deba179c6f88fc03c7d5fc0dbf7c6bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jD9tk4lf.exe
Filesize
884KB

MD5
4da2941e30c7af9f4fa46c4ae7e17064

SHA1
f697fadd4f46a5caa54caa8dfef0a3023276028e

SHA256
378cca0d0caf0cf0e3e53a89eec0d892696e8dbf17cbdad0e9d8197c91d78ce4

SHA512
6862c336a7c5dc677da19f345acd02b585f1152d8a59ad0e4cab79f459160e8a1e38c0b9ad5241c797eb102f2041008d0620922958adb4d8ed908f6f1f1fcdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jD9tk4lf.exe
Filesize
884KB

MD5
4da2941e30c7af9f4fa46c4ae7e17064

SHA1
f697fadd4f46a5caa54caa8dfef0a3023276028e

SHA256
378cca0d0caf0cf0e3e53a89eec0d892696e8dbf17cbdad0e9d8197c91d78ce4

SHA512
6862c336a7c5dc677da19f345acd02b585f1152d8a59ad0e4cab79f459160e8a1e38c0b9ad5241c797eb102f2041008d0620922958adb4d8ed908f6f1f1fcdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MZ7KL5zy.exe
Filesize
590KB

MD5
cbfeb67c6572cefca1c2114e30419d09

SHA1
f02f5daa883a3f1743852f79b9c6d05da6e3fd72

SHA256
96663fe6fdce6b8f1bb7fa22238825d3ca986bf8ebf50192aacb1f4e719b6219

SHA512
4974166f1f7450d517183f6c90348779b8ddccb63ee0c19f6c9683ca11bd994172a76559138ca6db44ecb61fd3f70dcbb2ba790135e7c3e4bbfa2c08daaa403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MZ7KL5zy.exe
Filesize
590KB

MD5
cbfeb67c6572cefca1c2114e30419d09

SHA1
f02f5daa883a3f1743852f79b9c6d05da6e3fd72

SHA256
96663fe6fdce6b8f1bb7fa22238825d3ca986bf8ebf50192aacb1f4e719b6219

SHA512
4974166f1f7450d517183f6c90348779b8ddccb63ee0c19f6c9683ca11bd994172a76559138ca6db44ecb61fd3f70dcbb2ba790135e7c3e4bbfa2c08daaa403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SJ1IC7wu.exe
Filesize
417KB

MD5
69aafa9ec0bd509f7b9bece2ce70fbcb

SHA1
ce0f3adc5af525395b05da5c4121ba9d37a901b3

SHA256
822485cd1a028d072d52394c9bc4e0cb75392a591824071ced74e96f88facab7

SHA512
15b0c8ee0278c8183b225669912e1294d7fd251ea404f5bc06a4a19a5210eb643ce4c662cbef6d6a88db2b50d57606d90fdfbf5dfc4bcef2db1d28062e8a43eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SJ1IC7wu.exe
Filesize
417KB

MD5
69aafa9ec0bd509f7b9bece2ce70fbcb

SHA1
ce0f3adc5af525395b05da5c4121ba9d37a901b3

SHA256
822485cd1a028d072d52394c9bc4e0cb75392a591824071ced74e96f88facab7

SHA512
15b0c8ee0278c8183b225669912e1294d7fd251ea404f5bc06a4a19a5210eb643ce4c662cbef6d6a88db2b50d57606d90fdfbf5dfc4bcef2db1d28062e8a43eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eb94zF8.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eb94zF8.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ia429ZG.exe
Filesize
231KB

MD5
cb6e727792178dcd105a55697b2ed476

SHA1
c424c2656a7df014d01b5300d008968e0c5ecd72

SHA256
5aaec179e3879f9818bb96600ec39efbba6b147cae3aff236c9257172f90cebc

SHA512
950d59841368127c2634fbec952dc5f16da9295f8b034098c58093d2c4573682a4defb1effedba3e910b1aec1a849dfce44b94c10a2915d280080db2bc5e80b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ia429ZG.exe
Filesize
231KB

MD5
cb6e727792178dcd105a55697b2ed476

SHA1
c424c2656a7df014d01b5300d008968e0c5ecd72

SHA256
5aaec179e3879f9818bb96600ec39efbba6b147cae3aff236c9257172f90cebc

SHA512
950d59841368127c2634fbec952dc5f16da9295f8b034098c58093d2c4573682a4defb1effedba3e910b1aec1a849dfce44b94c10a2915d280080db2bc5e80b6

Download Submit
memory/3288-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3288-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3288-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3288-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3704-46-0x0000000007B80000-0x0000000007C12000-memory.dmp

Filesize
584KB

Download
memory/3704-44-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/3704-45-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/3704-43-0x0000000000C40000-0x0000000000C7E000-memory.dmp

Filesize
248KB

Download
memory/3704-47-0x0000000007B70000-0x0000000007B80000-memory.dmp

Filesize
64KB

Download
memory/3704-48-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/3704-49-0x0000000008C60000-0x0000000009278000-memory.dmp

Filesize
6.1MB

Download
memory/3704-50-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/3704-51-0x0000000007CE0000-0x0000000007CF2000-memory.dmp

Filesize
72KB

Download
memory/3704-52-0x0000000007E40000-0x0000000007E7C000-memory.dmp

Filesize
240KB

Download
memory/3704-53-0x0000000007E80000-0x0000000007ECC000-memory.dmp

Filesize
304KB

Download
memory/3704-54-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/3704-55-0x0000000007B70000-0x0000000007B80000-memory.dmp

Filesize
64KB

Download