mystic | cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe
Size

1.2MB
MD5

1052f8a9850ff2cdb3305c4693fb3bc2
SHA1

32363959f3f2db69aa1311d268affce5f7e5a130
SHA256

cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2
SHA512

1f65110317fc5bea56d95df856de912aae3cbeea853d62fcbf0487d47de212fb95740d6400088177bd1a313932df06460547a68910b2d62d4362cb6d895908b7
SSDEEP

24576:Py8i+Ca4HSc3QJthXZ+8LKwtWPoq+aNQO418UgpMc/eSpQ:a8i+CmuqhJswvq7OO4WUa/eSp

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1068-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1068-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1068-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1068-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QV881ok.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QV881ok.exe	family_redline
behavioral2/memory/3340-44-0x00000000000B0000-0x00000000000EE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

DR4Js2RZ.exevu5oz0II.exegq2QF8qe.exetu4Rx4jE.exe1bc01Bf3.exe2QV881ok.exe

pid process

2716 DR4Js2RZ.exe
3496 vu5oz0II.exe
5112 gq2QF8qe.exe
1372 tu4Rx4jE.exe
3140 1bc01Bf3.exe
3340 2QV881ok.exe

pid	process
2716	DR4Js2RZ.exe
3496	vu5oz0II.exe
5112	gq2QF8qe.exe
1372	tu4Rx4jE.exe
3140	1bc01Bf3.exe
3340	2QV881ok.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DR4Js2RZ.exevu5oz0II.exegq2QF8qe.exetu4Rx4jE.exeNEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DR4Js2RZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vu5oz0II.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gq2QF8qe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	tu4Rx4jE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1bc01Bf3.exe

description pid process target process

PID 3140 set thread context of 1068 3140 1bc01Bf3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3556 3140 WerFault.exe 1bc01Bf3.exe
2212 1068 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 3140 set thread context of 1068	3140	1bc01Bf3.exe	AppLaunch.exe

pid	pid_target	process	target process
3556	3140	WerFault.exe	1bc01Bf3.exe
2212	1068	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exeDR4Js2RZ.exevu5oz0II.exegq2QF8qe.exetu4Rx4jE.exe1bc01Bf3.exe

description	pid	process	target process
PID 2664 wrote to memory of 2716	2664	NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe	DR4Js2RZ.exe
PID 2664 wrote to memory of 2716	2664	NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe	DR4Js2RZ.exe
PID 2664 wrote to memory of 2716	2664	NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe	DR4Js2RZ.exe
PID 2716 wrote to memory of 3496	2716	DR4Js2RZ.exe	vu5oz0II.exe
PID 2716 wrote to memory of 3496	2716	DR4Js2RZ.exe	vu5oz0II.exe
PID 2716 wrote to memory of 3496	2716	DR4Js2RZ.exe	vu5oz0II.exe
PID 3496 wrote to memory of 5112	3496	vu5oz0II.exe	gq2QF8qe.exe
PID 3496 wrote to memory of 5112	3496	vu5oz0II.exe	gq2QF8qe.exe
PID 3496 wrote to memory of 5112	3496	vu5oz0II.exe	gq2QF8qe.exe
PID 5112 wrote to memory of 1372	5112	gq2QF8qe.exe	tu4Rx4jE.exe
PID 5112 wrote to memory of 1372	5112	gq2QF8qe.exe	tu4Rx4jE.exe
PID 5112 wrote to memory of 1372	5112	gq2QF8qe.exe	tu4Rx4jE.exe
PID 1372 wrote to memory of 3140	1372	tu4Rx4jE.exe	1bc01Bf3.exe
PID 1372 wrote to memory of 3140	1372	tu4Rx4jE.exe	1bc01Bf3.exe
PID 1372 wrote to memory of 3140	1372	tu4Rx4jE.exe	1bc01Bf3.exe
PID 3140 wrote to memory of 312	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 312	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 312	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 3140 wrote to memory of 1068	3140	1bc01Bf3.exe	AppLaunch.exe
PID 1372 wrote to memory of 3340	1372	tu4Rx4jE.exe	2QV881ok.exe
PID 1372 wrote to memory of 3340	1372	tu4Rx4jE.exe	2QV881ok.exe
PID 1372 wrote to memory of 3340	1372	tu4Rx4jE.exe	2QV881ok.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR4Js2RZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR4Js2RZ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu5oz0II.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu5oz0II.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gq2QF8qe.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gq2QF8qe.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tu4Rx4jE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tu4Rx4jE.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bc01Bf3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bc01Bf3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 540
8⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 600
7⤵
- Program crash
PID:3556

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QV881ok.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QV881ok.exe
6⤵
- Executes dropped EXE
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3140 -ip 3140
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1068 -ip 1068
1⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR4Js2RZ.exe
Filesize
1.0MB

MD5
0a41ad264f28d5bac008878258724c36

SHA1
95fc25fc8cd6aaa0ffc6e444dbe0587fbe7ab901

SHA256
78c15c22931d8f8495bb47a9caa3d79ed1c3622beb62b47ccfea0a098aa85def

SHA512
242ce7f52cacb37e773305cd6e65c2cb65ce713696afe6b13a9371fa44b3cef4b93505bdce3181ef9c286750d5d9d1808253fa0de990e06780073af411eacb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR4Js2RZ.exe
Filesize
1.0MB

MD5
0a41ad264f28d5bac008878258724c36

SHA1
95fc25fc8cd6aaa0ffc6e444dbe0587fbe7ab901

SHA256
78c15c22931d8f8495bb47a9caa3d79ed1c3622beb62b47ccfea0a098aa85def

SHA512
242ce7f52cacb37e773305cd6e65c2cb65ce713696afe6b13a9371fa44b3cef4b93505bdce3181ef9c286750d5d9d1808253fa0de990e06780073af411eacb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu5oz0II.exe
Filesize
884KB

MD5
96db83d327c93a4fb7212f0f553e7de2

SHA1
8e8a2d9f2a9546d8003cc5f9f08a41acc64abd6c

SHA256
d513154dad1489fdc8453b344ff96c6fb2c597ce590ad7c8e17e598ac0915ea6

SHA512
b56aa38bcf058910713f65313abc83c3cae4191371c0d8cf90f61e8c1d2aba36054d7f37771607f1eea2934b31a06682a69333185281e27f17810ac2d2dfbebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu5oz0II.exe
Filesize
884KB

MD5
96db83d327c93a4fb7212f0f553e7de2

SHA1
8e8a2d9f2a9546d8003cc5f9f08a41acc64abd6c

SHA256
d513154dad1489fdc8453b344ff96c6fb2c597ce590ad7c8e17e598ac0915ea6

SHA512
b56aa38bcf058910713f65313abc83c3cae4191371c0d8cf90f61e8c1d2aba36054d7f37771607f1eea2934b31a06682a69333185281e27f17810ac2d2dfbebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gq2QF8qe.exe
Filesize
590KB

MD5
91541a356aa833e317372955fc608c91

SHA1
3aa2b1ec921141f7a98784aafcb91398d767b0f3

SHA256
3a2b688ff4f95b0362fc13e6e9daef69a48adfc1ac966408d916881296c1287f

SHA512
0163e3f14babfaa7c4d58a4e5bc618fde5764ee2b228222971b668690275868d0a0d6b81c919c151b54591d8b130e5c38551f380dbc69bd27efa3e84497fc054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gq2QF8qe.exe
Filesize
590KB

MD5
91541a356aa833e317372955fc608c91

SHA1
3aa2b1ec921141f7a98784aafcb91398d767b0f3

SHA256
3a2b688ff4f95b0362fc13e6e9daef69a48adfc1ac966408d916881296c1287f

SHA512
0163e3f14babfaa7c4d58a4e5bc618fde5764ee2b228222971b668690275868d0a0d6b81c919c151b54591d8b130e5c38551f380dbc69bd27efa3e84497fc054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tu4Rx4jE.exe
Filesize
417KB

MD5
c15a13585420061933c2b1e3e61c3b37

SHA1
07f4537bd6f372694765d7ac425d2424a9293147

SHA256
07e5e9eeb408cecb9698d888c7f7b109fea64003495532c8fc1784118bca02b7

SHA512
ce8c4331217b10ad2752369485cb36811a31402c188cff20bb8068f72067d455d9af2c2ef7b38b19398eb4da983e16383b772274b97cbca5225b5080b30fafeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tu4Rx4jE.exe
Filesize
417KB

MD5
c15a13585420061933c2b1e3e61c3b37

SHA1
07f4537bd6f372694765d7ac425d2424a9293147

SHA256
07e5e9eeb408cecb9698d888c7f7b109fea64003495532c8fc1784118bca02b7

SHA512
ce8c4331217b10ad2752369485cb36811a31402c188cff20bb8068f72067d455d9af2c2ef7b38b19398eb4da983e16383b772274b97cbca5225b5080b30fafeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bc01Bf3.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bc01Bf3.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QV881ok.exe
Filesize
231KB

MD5
80f0a7d60ab9bdeb6af6b3565e6a32b4

SHA1
e965b40b6929e60f3ccd39c5d3e97165e960ff80

SHA256
f59d1f9b8fc4bbaf6edb887224abe2ced9ab9d00147ad4b62c1ace301dbd05be

SHA512
55d4f1dd597356d3b2666ea3a1aff52276cee7489e0e168c7718c37900b30df1c0a2dd806e39bfc6b6c55fbab79eb6ce5d916f3252701834e365c2266abee490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QV881ok.exe
Filesize
231KB

MD5
80f0a7d60ab9bdeb6af6b3565e6a32b4

SHA1
e965b40b6929e60f3ccd39c5d3e97165e960ff80

SHA256
f59d1f9b8fc4bbaf6edb887224abe2ced9ab9d00147ad4b62c1ace301dbd05be

SHA512
55d4f1dd597356d3b2666ea3a1aff52276cee7489e0e168c7718c37900b30df1c0a2dd806e39bfc6b6c55fbab79eb6ce5d916f3252701834e365c2266abee490

Download Submit
memory/1068-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1068-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1068-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1068-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3340-46-0x0000000007010000-0x00000000070A2000-memory.dmp

Filesize
584KB

Download
memory/3340-43-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/3340-45-0x0000000007520000-0x0000000007AC4000-memory.dmp

Filesize
5.6MB

Download
memory/3340-44-0x00000000000B0000-0x00000000000EE000-memory.dmp

Filesize
248KB

Download
memory/3340-47-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3340-48-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/3340-49-0x00000000080F0000-0x0000000008708000-memory.dmp

Filesize
6.1MB

Download
memory/3340-50-0x00000000073A0000-0x00000000074AA000-memory.dmp

Filesize
1.0MB

Download
memory/3340-51-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/3340-52-0x00000000072D0000-0x000000000730C000-memory.dmp

Filesize
240KB

Download
memory/3340-53-0x0000000007310000-0x000000000735C000-memory.dmp

Filesize
304KB

Download
memory/3340-54-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/3340-55-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download