mystic | db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 13:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe
Size

1.2MB
MD5

475bde55882d471dffce2077b6067cb2
SHA1

7a54de2341ec642deb689677cc9119c89f67639e
SHA256

db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea
SHA512

86dd01b77055d37752673f13b54f7d4e84f562946f53fd5e161c22d7e98c6c1ffc5d0980c6e84985ba249994b382e9e6e90c645ab3448c830d0fdb67a6068bb7
SSDEEP

24576:Yy4dVc+wuEiIMa9pxnHDqv6F9rulsrq1pb1eNfj:f41sNMa9pZDtF9rbrWb1wf

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4504-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4504-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4504-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4504-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002325a-41.dat	family_redline
behavioral2/files/0x000700000002325a-42.dat	family_redline
behavioral2/memory/2968-43-0x0000000000070000-0x00000000000AE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4112	je1hx8bq.exe
3724	PE2YJ5SP.exe
964	ZT3ll3un.exe
4964	sL1la8sd.exe
2896	1ir97Re3.exe
2968	2Ps941Nd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	je1hx8bq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PE2YJ5SP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZT3ll3un.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	sL1la8sd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 4504	2896	1ir97Re3.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4036	2896	WerFault.exe	88
2692	4504	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4112	4660	NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe	83
PID 4660 wrote to memory of 4112	4660	NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe	83
PID 4660 wrote to memory of 4112	4660	NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe	83
PID 4112 wrote to memory of 3724	4112	je1hx8bq.exe	84
PID 4112 wrote to memory of 3724	4112	je1hx8bq.exe	84
PID 4112 wrote to memory of 3724	4112	je1hx8bq.exe	84
PID 3724 wrote to memory of 964	3724	PE2YJ5SP.exe	85
PID 3724 wrote to memory of 964	3724	PE2YJ5SP.exe	85
PID 3724 wrote to memory of 964	3724	PE2YJ5SP.exe	85
PID 964 wrote to memory of 4964	964	ZT3ll3un.exe	86
PID 964 wrote to memory of 4964	964	ZT3ll3un.exe	86
PID 964 wrote to memory of 4964	964	ZT3ll3un.exe	86
PID 4964 wrote to memory of 2896	4964	sL1la8sd.exe	88
PID 4964 wrote to memory of 2896	4964	sL1la8sd.exe	88
PID 4964 wrote to memory of 2896	4964	sL1la8sd.exe	88
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 2896 wrote to memory of 4504	2896	1ir97Re3.exe	90
PID 4964 wrote to memory of 2968	4964	sL1la8sd.exe	96
PID 4964 wrote to memory of 2968	4964	sL1la8sd.exe	96
PID 4964 wrote to memory of 2968	4964	sL1la8sd.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\je1hx8bq.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\je1hx8bq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PE2YJ5SP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PE2YJ5SP.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZT3ll3un.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZT3ll3un.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sL1la8sd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sL1la8sd.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ir97Re3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ir97Re3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 540
        8⤵
        Program crash
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 592
        7⤵
        Program crash
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ps941Nd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ps941Nd.exe
        6⤵
        Executes dropped EXE
        
        PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2896 -ip 2896
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\je1hx8bq.exe

Filesize
1.0MB

MD5
89ffd4695c04e410af297ea184138760

SHA1
e0a87c0e27fb3fc6dc9e00d0cb49b1640e339163

SHA256
80a7f9e96a82731f38fc8de07a24d98701bdf2f3c65245e9fbd8215807de820a

SHA512
ef3e08d35329f1728c31a185deee3ec4138df72036d785679a32ac4b6c34a2f43076354f26d5cc551c51fd480db74d332d80cac9cbd33407dfa2e5f57173575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\je1hx8bq.exe

Filesize
1.0MB

MD5
89ffd4695c04e410af297ea184138760

SHA1
e0a87c0e27fb3fc6dc9e00d0cb49b1640e339163

SHA256
80a7f9e96a82731f38fc8de07a24d98701bdf2f3c65245e9fbd8215807de820a

SHA512
ef3e08d35329f1728c31a185deee3ec4138df72036d785679a32ac4b6c34a2f43076354f26d5cc551c51fd480db74d332d80cac9cbd33407dfa2e5f57173575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PE2YJ5SP.exe

Filesize
884KB

MD5
2e7a5332c0515b652e8815ab66089327

SHA1
48705354bd9b3ad5026903f62cf3dc0d87169a60

SHA256
d4cb4b0c276ef8796dd87c19c0acbc6f763d529d782f25ad39d0c730c571b8cd

SHA512
06f3a212c2bfb5c7143a591aa143491fdf46b0a11d6bfa4ed6925af972bec241d84f15f9b64f1642ba0d8bcd65fedb11e8a4f5262f2c466b829a05660f9434fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PE2YJ5SP.exe

Filesize
884KB

MD5
2e7a5332c0515b652e8815ab66089327

SHA1
48705354bd9b3ad5026903f62cf3dc0d87169a60

SHA256
d4cb4b0c276ef8796dd87c19c0acbc6f763d529d782f25ad39d0c730c571b8cd

SHA512
06f3a212c2bfb5c7143a591aa143491fdf46b0a11d6bfa4ed6925af972bec241d84f15f9b64f1642ba0d8bcd65fedb11e8a4f5262f2c466b829a05660f9434fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZT3ll3un.exe

Filesize
590KB

MD5
397bfd5e26fdf693fef266903896ee82

SHA1
5402b95afb9d11e29102e45c709a005b58475f64

SHA256
f25b134f6de401a1c97f79132bccb2f5c7697444ca7516dda4f3e778f3261045

SHA512
f8c62a5e8d203737b90d4200d12053aa283911b024de481680901922dad696738a20cd310326f20881e602070dfad63db3e71a37075dd26d68c91ecb2f791c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZT3ll3un.exe

Filesize
590KB

MD5
397bfd5e26fdf693fef266903896ee82

SHA1
5402b95afb9d11e29102e45c709a005b58475f64

SHA256
f25b134f6de401a1c97f79132bccb2f5c7697444ca7516dda4f3e778f3261045

SHA512
f8c62a5e8d203737b90d4200d12053aa283911b024de481680901922dad696738a20cd310326f20881e602070dfad63db3e71a37075dd26d68c91ecb2f791c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sL1la8sd.exe

Filesize
417KB

MD5
6f686dc8b65fbcd2d212aa99b47a7393

SHA1
ef5ab7d579e8350e6c647111b623381ef7fc4828

SHA256
d3974bed1018b5a46f78005f8be0d4c4bc19b1bad32bce2615801df57c57a5d3

SHA512
0e822deedc2161f9af5b43ddeeabd93befe97f0c6fbc9fe54b01d2499e7ccc51499216a24ef73552291b4b8ea46c3826b9edfe2604e1d564a99a1b11fd7cd9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sL1la8sd.exe

Filesize
417KB

MD5
6f686dc8b65fbcd2d212aa99b47a7393

SHA1
ef5ab7d579e8350e6c647111b623381ef7fc4828

SHA256
d3974bed1018b5a46f78005f8be0d4c4bc19b1bad32bce2615801df57c57a5d3

SHA512
0e822deedc2161f9af5b43ddeeabd93befe97f0c6fbc9fe54b01d2499e7ccc51499216a24ef73552291b4b8ea46c3826b9edfe2604e1d564a99a1b11fd7cd9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ir97Re3.exe

Filesize
378KB

MD5
3b81f5692c8fe4b8c96054b914ebb40b

SHA1
b9c969ca2a65d679e9e47289fbe632e6d502e3e9

SHA256
e0f8e54e8563c675ef99d12f0cebf5c2e32a1cf390f67bd2c4f7fad2a4675893

SHA512
f18b0941ff6533751346c72b3e72c6a28e33a4f577ae9f4d302fe61d9b1e2acde9d5e8a4bef84334f59ee475ea9fc4f696b6ac84bfe3536b399aabfa5550bf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ir97Re3.exe

Filesize
378KB

MD5
3b81f5692c8fe4b8c96054b914ebb40b

SHA1
b9c969ca2a65d679e9e47289fbe632e6d502e3e9

SHA256
e0f8e54e8563c675ef99d12f0cebf5c2e32a1cf390f67bd2c4f7fad2a4675893

SHA512
f18b0941ff6533751346c72b3e72c6a28e33a4f577ae9f4d302fe61d9b1e2acde9d5e8a4bef84334f59ee475ea9fc4f696b6ac84bfe3536b399aabfa5550bf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ps941Nd.exe

Filesize
231KB

MD5
4c47013265e46ade2079eaf51f04d266

SHA1
ccb4e70255d30fed30120ba89c42e25a9b3582fc

SHA256
a5daa42601f57f25715f5086a605cedd60e3fed907099f35c3c4aaead7f8df6b

SHA512
11aa87b7e6d051cd358c15ef6a9ce2f9e146b650658de790456c5bd902c997946c54a71e27900a2f6f75a7239a8e950963b2aba39305ab2c956f4d55caf977b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ps941Nd.exe

Filesize
231KB

MD5
4c47013265e46ade2079eaf51f04d266

SHA1
ccb4e70255d30fed30120ba89c42e25a9b3582fc

SHA256
a5daa42601f57f25715f5086a605cedd60e3fed907099f35c3c4aaead7f8df6b

SHA512
11aa87b7e6d051cd358c15ef6a9ce2f9e146b650658de790456c5bd902c997946c54a71e27900a2f6f75a7239a8e950963b2aba39305ab2c956f4d55caf977b1

Download Submit
memory/2968-46-0x0000000006F30000-0x0000000006FC2000-memory.dmp

Filesize
584KB

Download
memory/2968-48-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/2968-55-0x0000000007050000-0x0000000007060000-memory.dmp

Filesize
64KB

Download
memory/2968-54-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-43-0x0000000000070000-0x00000000000AE000-memory.dmp

Filesize
248KB

Download
memory/2968-44-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-45-0x0000000007440000-0x00000000079E4000-memory.dmp

Filesize
5.6MB

Download
memory/2968-53-0x00000000072C0000-0x000000000730C000-memory.dmp

Filesize
304KB

Download
memory/2968-52-0x0000000007280000-0x00000000072BC000-memory.dmp

Filesize
240KB

Download
memory/2968-49-0x0000000008010000-0x0000000008628000-memory.dmp

Filesize
6.1MB

Download
memory/2968-47-0x0000000007050000-0x0000000007060000-memory.dmp

Filesize
64KB

Download
memory/2968-50-0x0000000007330000-0x000000000743A000-memory.dmp

Filesize
1.0MB

Download
memory/2968-51-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4504-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4504-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4504-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4504-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads