mystic | e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5

Analysis

max time kernel
158s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 13:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe
Size

1.2MB
MD5

24e91e9fceebc0e666be7d3205071aaa
SHA1

5a95aa8a5ff40cd34eae8b5bb75ca684e5757bf5
SHA256

e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5
SHA512

041688a0525c708666ec483804c8cbc21ef21eb05f1b4909789420e1029b39e82e86aebe3ffc81e431cd23b3f45eb7f99ba6aae1338aab5dcd99118d51f1e328
SSDEEP

24576:kyzkwomNFn+JqPpv1G+MAzjaxQGTLAnhuggNhgIbL4HfiQ:zzkDm7hvYeyxQGon4gUhN

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/400-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/400-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/400-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/400-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f6-41.dat	family_redline
behavioral2/files/0x00060000000231f6-42.dat	family_redline
behavioral2/memory/2848-43-0x00000000005F0000-0x000000000062E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
488	Im8XK3pr.exe
1948	Fg3VW6yQ.exe
2972	Ob2Ry3Kt.exe
2220	Ua1Of3ka.exe
4840	1uc05QX0.exe
2848	2Tq936yN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ua1Of3ka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Im8XK3pr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Fg3VW6yQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ob2Ry3Kt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 400	4840	1uc05QX0.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5032	4840	WerFault.exe	90
2356	400	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 488	4224	NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe	86
PID 4224 wrote to memory of 488	4224	NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe	86
PID 4224 wrote to memory of 488	4224	NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe	86
PID 488 wrote to memory of 1948	488	Im8XK3pr.exe	87
PID 488 wrote to memory of 1948	488	Im8XK3pr.exe	87
PID 488 wrote to memory of 1948	488	Im8XK3pr.exe	87
PID 1948 wrote to memory of 2972	1948	Fg3VW6yQ.exe	88
PID 1948 wrote to memory of 2972	1948	Fg3VW6yQ.exe	88
PID 1948 wrote to memory of 2972	1948	Fg3VW6yQ.exe	88
PID 2972 wrote to memory of 2220	2972	Ob2Ry3Kt.exe	89
PID 2972 wrote to memory of 2220	2972	Ob2Ry3Kt.exe	89
PID 2972 wrote to memory of 2220	2972	Ob2Ry3Kt.exe	89
PID 2220 wrote to memory of 4840	2220	Ua1Of3ka.exe	90
PID 2220 wrote to memory of 4840	2220	Ua1Of3ka.exe	90
PID 2220 wrote to memory of 4840	2220	Ua1Of3ka.exe	90
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 4840 wrote to memory of 400	4840	1uc05QX0.exe	92
PID 2220 wrote to memory of 2848	2220	Ua1Of3ka.exe	99
PID 2220 wrote to memory of 2848	2220	Ua1Of3ka.exe	99
PID 2220 wrote to memory of 2848	2220	Ua1Of3ka.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e96dc95025fa52c1bae82541849c3f3673202bbe6f3a2f7060e4bdab597c32b5_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Im8XK3pr.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Im8XK3pr.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fg3VW6yQ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fg3VW6yQ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ob2Ry3Kt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ob2Ry3Kt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ua1Of3ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ua1Of3ka.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uc05QX0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uc05QX0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 540
        8⤵
        Program crash
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 616
        7⤵
        Program crash
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq936yN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq936yN.exe
        6⤵
        Executes dropped EXE
        
        PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4840 -ip 4840
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 400 -ip 400
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Im8XK3pr.exe

Filesize
1.0MB

MD5
2a3d9cd8e274d52f8240662cd5fd5350

SHA1
74af9e3bd9d20cbc4c909fa86be2d14c23022573

SHA256
25411d508ec5124eaeb5f2cb705eb5fb60c09a6567be031f7575638dc4384225

SHA512
d78ebaf21bb99394c91c589670331a20e78cc218e7f7bfd1a128afaee465443beb1f68bdd1e2a6bdf59ed0274bf35b0e3c3edbe72c91f4579fea762d048325ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Im8XK3pr.exe

Filesize
1.0MB

MD5
2a3d9cd8e274d52f8240662cd5fd5350

SHA1
74af9e3bd9d20cbc4c909fa86be2d14c23022573

SHA256
25411d508ec5124eaeb5f2cb705eb5fb60c09a6567be031f7575638dc4384225

SHA512
d78ebaf21bb99394c91c589670331a20e78cc218e7f7bfd1a128afaee465443beb1f68bdd1e2a6bdf59ed0274bf35b0e3c3edbe72c91f4579fea762d048325ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fg3VW6yQ.exe

Filesize
884KB

MD5
1255fa50845e549798a9687b653eabbb

SHA1
9f04249a8833ff7429da4b8cf3e758827454eeee

SHA256
2fe9a84781429606d73cae0dbb4db2859536f1506860c619bf2a08f0b55fc007

SHA512
9d258170870bab2bc8875f46b5d51b5c4c8d45eb619a0236b5df9215646ac79238f6db2c7025f330ebd87562d9ddc28967c5635de328977c6eead48350b4e13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fg3VW6yQ.exe

Filesize
884KB

MD5
1255fa50845e549798a9687b653eabbb

SHA1
9f04249a8833ff7429da4b8cf3e758827454eeee

SHA256
2fe9a84781429606d73cae0dbb4db2859536f1506860c619bf2a08f0b55fc007

SHA512
9d258170870bab2bc8875f46b5d51b5c4c8d45eb619a0236b5df9215646ac79238f6db2c7025f330ebd87562d9ddc28967c5635de328977c6eead48350b4e13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ob2Ry3Kt.exe

Filesize
590KB

MD5
5a121f586a75a6edca42d79451fb3360

SHA1
f33ba220f729b315d9e1845a7424ed4004c9d439

SHA256
9f0bd960f313ab8ce9da3b5fe94c6f9204554130e13dc953e55df8668d8cc9c7

SHA512
04ee79e11e4e1fb2ae62eb8563972d11c4bd2c848edd739f0856af14ecedc49f14eb1eae0da23730dbb9c887a53bcb2657b714eb26fdcbf0478088841d84e7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ob2Ry3Kt.exe

Filesize
590KB

MD5
5a121f586a75a6edca42d79451fb3360

SHA1
f33ba220f729b315d9e1845a7424ed4004c9d439

SHA256
9f0bd960f313ab8ce9da3b5fe94c6f9204554130e13dc953e55df8668d8cc9c7

SHA512
04ee79e11e4e1fb2ae62eb8563972d11c4bd2c848edd739f0856af14ecedc49f14eb1eae0da23730dbb9c887a53bcb2657b714eb26fdcbf0478088841d84e7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ua1Of3ka.exe

Filesize
417KB

MD5
6bbd597cdfdfc0d9b44c0f995d2d3e04

SHA1
28bc0d402e6e443f1ffadceba8bbb03d7de89c70

SHA256
a1b0471051ebff1d5687b86a670d419859f859a6bbabbc5fd3d20363e8e39c1c

SHA512
72003318cfd8505dafe4fb27627aab9d7033973a048726172d4a89f5e49cc8ac47cd34fbe14615be2205508cbbae89c83d66cd07f824d4a4fecad53998605d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ua1Of3ka.exe

Filesize
417KB

MD5
6bbd597cdfdfc0d9b44c0f995d2d3e04

SHA1
28bc0d402e6e443f1ffadceba8bbb03d7de89c70

SHA256
a1b0471051ebff1d5687b86a670d419859f859a6bbabbc5fd3d20363e8e39c1c

SHA512
72003318cfd8505dafe4fb27627aab9d7033973a048726172d4a89f5e49cc8ac47cd34fbe14615be2205508cbbae89c83d66cd07f824d4a4fecad53998605d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uc05QX0.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uc05QX0.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq936yN.exe

Filesize
231KB

MD5
cbe3a6daaba7499ac572aa1f66a90764

SHA1
5f131a2c7bf36f690141d174335be17ddde6e6b9

SHA256
5e1a46ec3b9d305445e3554b5dc4b3335ce9dd2457fcc213d2a04de3334aca54

SHA512
980ceab227e528c58e25558236835cdd37a9a1b27a86c069afba5b097d7563f9f0620019eee42808d1be3bfb53af238e1b62297f0820c1e0dee37c64ab793c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq936yN.exe

Filesize
231KB

MD5
cbe3a6daaba7499ac572aa1f66a90764

SHA1
5f131a2c7bf36f690141d174335be17ddde6e6b9

SHA256
5e1a46ec3b9d305445e3554b5dc4b3335ce9dd2457fcc213d2a04de3334aca54

SHA512
980ceab227e528c58e25558236835cdd37a9a1b27a86c069afba5b097d7563f9f0620019eee42808d1be3bfb53af238e1b62297f0820c1e0dee37c64ab793c46

Download Submit
memory/400-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/400-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/400-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/400-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2848-46-0x00000000074E0000-0x0000000007572000-memory.dmp

Filesize
584KB

Download
memory/2848-44-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/2848-45-0x0000000007A90000-0x0000000008034000-memory.dmp

Filesize
5.6MB

Download
memory/2848-43-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download
memory/2848-47-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/2848-48-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/2848-49-0x0000000008660000-0x0000000008C78000-memory.dmp

Filesize
6.1MB

Download
memory/2848-50-0x0000000007870000-0x000000000797A000-memory.dmp

Filesize
1.0MB

Download
memory/2848-51-0x0000000007780000-0x0000000007792000-memory.dmp

Filesize
72KB

Download
memory/2848-52-0x00000000077E0000-0x000000000781C000-memory.dmp

Filesize
240KB

Download
memory/2848-53-0x0000000007980000-0x00000000079CC000-memory.dmp

Filesize
304KB

Download
memory/2848-54-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/2848-55-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads