mystic | bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe
Size

1.2MB
MD5

c40662d71abe74b77c23f41782c4563b
SHA1

a96324486d25f0ed772df1830ac7c639ca333675
SHA256

bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106
SHA512

52d68bfbe8663e679caa45eeacc2173e4a21d6367357698f58b3a4b24699ac761ada9f585e32c8aa48123014f4c975f6502d26c84fe6852d71126bb854175280
SSDEEP

24576:DyIJ4p1D4ZfVq1jEh+LXLMsVTt0QNgCNVsYK934QG9w6Og:WxofQj6XWTtoCD84np

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4164-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4164-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4164-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4164-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aK431Uo.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aK431Uo.exe	family_redline
behavioral2/memory/3804-43-0x0000000000F10000-0x0000000000F4E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

iM2XE4Rc.exeNh1WE5wn.exexe5cD4Nc.exeos4pE7AX.exe1wJ96jf8.exe2aK431Uo.exe

pid process

1744 iM2XE4Rc.exe
2656 Nh1WE5wn.exe
464 xe5cD4Nc.exe
3748 os4pE7AX.exe
4252 1wJ96jf8.exe
3804 2aK431Uo.exe

pid	process
1744	iM2XE4Rc.exe
2656	Nh1WE5wn.exe
464	xe5cD4Nc.exe
3748	os4pE7AX.exe
4252	1wJ96jf8.exe
3804	2aK431Uo.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exeiM2XE4Rc.exeNh1WE5wn.exexe5cD4Nc.exeos4pE7AX.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iM2XE4Rc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Nh1WE5wn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xe5cD4Nc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	os4pE7AX.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1wJ96jf8.exe

description pid process target process

PID 4252 set thread context of 4164 4252 1wJ96jf8.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2648 4252 WerFault.exe 1wJ96jf8.exe
3396 4164 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4252 set thread context of 4164	4252	1wJ96jf8.exe	AppLaunch.exe

pid	pid_target	process	target process
2648	4252	WerFault.exe	1wJ96jf8.exe
3396	4164	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exeiM2XE4Rc.exeNh1WE5wn.exexe5cD4Nc.exeos4pE7AX.exe1wJ96jf8.exe

description	pid	process	target process
PID 4124 wrote to memory of 1744	4124	NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe	iM2XE4Rc.exe
PID 4124 wrote to memory of 1744	4124	NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe	iM2XE4Rc.exe
PID 4124 wrote to memory of 1744	4124	NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe	iM2XE4Rc.exe
PID 1744 wrote to memory of 2656	1744	iM2XE4Rc.exe	Nh1WE5wn.exe
PID 1744 wrote to memory of 2656	1744	iM2XE4Rc.exe	Nh1WE5wn.exe
PID 1744 wrote to memory of 2656	1744	iM2XE4Rc.exe	Nh1WE5wn.exe
PID 2656 wrote to memory of 464	2656	Nh1WE5wn.exe	xe5cD4Nc.exe
PID 2656 wrote to memory of 464	2656	Nh1WE5wn.exe	xe5cD4Nc.exe
PID 2656 wrote to memory of 464	2656	Nh1WE5wn.exe	xe5cD4Nc.exe
PID 464 wrote to memory of 3748	464	xe5cD4Nc.exe	os4pE7AX.exe
PID 464 wrote to memory of 3748	464	xe5cD4Nc.exe	os4pE7AX.exe
PID 464 wrote to memory of 3748	464	xe5cD4Nc.exe	os4pE7AX.exe
PID 3748 wrote to memory of 4252	3748	os4pE7AX.exe	1wJ96jf8.exe
PID 3748 wrote to memory of 4252	3748	os4pE7AX.exe	1wJ96jf8.exe
PID 3748 wrote to memory of 4252	3748	os4pE7AX.exe	1wJ96jf8.exe
PID 4252 wrote to memory of 3340	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 3340	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 3340	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 4252 wrote to memory of 4164	4252	1wJ96jf8.exe	AppLaunch.exe
PID 3748 wrote to memory of 3804	3748	os4pE7AX.exe	2aK431Uo.exe
PID 3748 wrote to memory of 3804	3748	os4pE7AX.exe	2aK431Uo.exe
PID 3748 wrote to memory of 3804	3748	os4pE7AX.exe	2aK431Uo.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bf7afa9679932b1c5be2688ae8a45e9d395c9f023919353c1b7a418c3f554106_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM2XE4Rc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM2XE4Rc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nh1WE5wn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nh1WE5wn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe5cD4Nc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe5cD4Nc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\os4pE7AX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\os4pE7AX.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wJ96jf8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wJ96jf8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 540
        8⤵
        Program crash
        
        PID:3396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 148
        7⤵
        Program crash
        
        PID:2648
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aK431Uo.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aK431Uo.exe
        6⤵
        Executes dropped EXE
        
        PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4252 -ip 4252
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4164 -ip 4164
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM2XE4Rc.exe

Filesize
1.0MB

MD5
1042b3e1c325040371c314ebc88a3fb7

SHA1
9ae59ff5ba8d885474b5bc735751ecf6e901aeab

SHA256
25772d9460e5b8d2d3d88b0c2e47c622856e5aaedae397e1eaa31b3fd2d66090

SHA512
f0706a8769e955a25ad2bfdbc08f59ed4534146fae87e1761136fcdd2521fce164fd8afaadf2e4f26974b19ec60147bdb5c6773cfd92472a01121bad78614347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM2XE4Rc.exe

Filesize
1.0MB

MD5
1042b3e1c325040371c314ebc88a3fb7

SHA1
9ae59ff5ba8d885474b5bc735751ecf6e901aeab

SHA256
25772d9460e5b8d2d3d88b0c2e47c622856e5aaedae397e1eaa31b3fd2d66090

SHA512
f0706a8769e955a25ad2bfdbc08f59ed4534146fae87e1761136fcdd2521fce164fd8afaadf2e4f26974b19ec60147bdb5c6773cfd92472a01121bad78614347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nh1WE5wn.exe

Filesize
884KB

MD5
6e400eb9459b79a5a9a56b0a9499e29a

SHA1
d0e6234df27ac02318c7234ffbf6d100b47334e4

SHA256
e0897ef19e52f85a6e0d343d39800255d7e08e3502cbd5b5bddb34320f85c77b

SHA512
0442bca7908b03d3c2d532df4b52f19e6f28e1d0e37de9745410dce886a6e9606681d14ea12fc6700f0f8a6413b8cebe8dec55803ce1341b91e0186d1dfbb54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nh1WE5wn.exe

Filesize
884KB

MD5
6e400eb9459b79a5a9a56b0a9499e29a

SHA1
d0e6234df27ac02318c7234ffbf6d100b47334e4

SHA256
e0897ef19e52f85a6e0d343d39800255d7e08e3502cbd5b5bddb34320f85c77b

SHA512
0442bca7908b03d3c2d532df4b52f19e6f28e1d0e37de9745410dce886a6e9606681d14ea12fc6700f0f8a6413b8cebe8dec55803ce1341b91e0186d1dfbb54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe5cD4Nc.exe

Filesize
590KB

MD5
3686a6baeb741d7149fe70868e4fb4d9

SHA1
1324b652e57bf99aafa4d89530219218e6d2ff9a

SHA256
038a9e7c646d1e874a99553526eca18c07ac69cc592e88484a4089db196a55e4

SHA512
49201327c2c96d390d400b86e31f4b96a68b21dc80fd3fb3a9e700e94001a2a68dcaf5e20b10583a38db35984d1d90491ad5b2f4a2b9d6d6310b73856d16f3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe5cD4Nc.exe

Filesize
590KB

MD5
3686a6baeb741d7149fe70868e4fb4d9

SHA1
1324b652e57bf99aafa4d89530219218e6d2ff9a

SHA256
038a9e7c646d1e874a99553526eca18c07ac69cc592e88484a4089db196a55e4

SHA512
49201327c2c96d390d400b86e31f4b96a68b21dc80fd3fb3a9e700e94001a2a68dcaf5e20b10583a38db35984d1d90491ad5b2f4a2b9d6d6310b73856d16f3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\os4pE7AX.exe

Filesize
417KB

MD5
ec80d5c154baf30f23f9d0fcc40ace02

SHA1
e5e5c37411a8abe82a94c68b63c0d7363b4b2121

SHA256
5969f82c6fc9f28308ff26894c66277dac48e9a1f4a27a4f7e00364b720a29e4

SHA512
b835e040a7ee9530c0cf8cc1d33247a553e6fdda7cb53a05aac370719e5f50890734d3e0245c7d8642bf2e060d8a1f4e45b1cf470528c711890f04961e77942f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\os4pE7AX.exe

Filesize
417KB

MD5
ec80d5c154baf30f23f9d0fcc40ace02

SHA1
e5e5c37411a8abe82a94c68b63c0d7363b4b2121

SHA256
5969f82c6fc9f28308ff26894c66277dac48e9a1f4a27a4f7e00364b720a29e4

SHA512
b835e040a7ee9530c0cf8cc1d33247a553e6fdda7cb53a05aac370719e5f50890734d3e0245c7d8642bf2e060d8a1f4e45b1cf470528c711890f04961e77942f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wJ96jf8.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wJ96jf8.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aK431Uo.exe

Filesize
231KB

MD5
f29886eb2a71de6379ad43419de42c48

SHA1
5bcbc279cbd1a60e01d59c842840c916cda6b352

SHA256
451ca9ef9710a6f4971f37ea66c9ddd9fae6bae49ac901c1853ba89d8fd63d0c

SHA512
a818fcbd5fdeabc1368f172f35816a83faa0152543577160ca49d35f9e03ac776faadc8e95af64edf9644472200fb3a7a2dfd4321b6081228649838e55f8ab4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aK431Uo.exe

Filesize
231KB

MD5
f29886eb2a71de6379ad43419de42c48

SHA1
5bcbc279cbd1a60e01d59c842840c916cda6b352

SHA256
451ca9ef9710a6f4971f37ea66c9ddd9fae6bae49ac901c1853ba89d8fd63d0c

SHA512
a818fcbd5fdeabc1368f172f35816a83faa0152543577160ca49d35f9e03ac776faadc8e95af64edf9644472200fb3a7a2dfd4321b6081228649838e55f8ab4a

Download Submit
memory/3804-46-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/3804-44-0x0000000073C50000-0x0000000074400000-memory.dmp

Filesize
7.7MB

Download
memory/3804-47-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/3804-55-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/3804-48-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

Filesize
40KB

Download
memory/3804-43-0x0000000000F10000-0x0000000000F4E000-memory.dmp

Filesize
248KB

Download
memory/3804-45-0x0000000008220000-0x00000000087C4000-memory.dmp

Filesize
5.6MB

Download
memory/3804-49-0x0000000008DF0000-0x0000000009408000-memory.dmp

Filesize
6.1MB

Download
memory/3804-54-0x0000000073C50000-0x0000000074400000-memory.dmp

Filesize
7.7MB

Download
memory/3804-53-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download
memory/3804-52-0x0000000008110000-0x000000000814C000-memory.dmp

Filesize
240KB

Download
memory/3804-50-0x00000000087D0000-0x00000000088DA000-memory.dmp

Filesize
1.0MB

Download
memory/3804-51-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4164-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4164-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4164-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4164-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download