mystic | ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe
Size

1.2MB
MD5

fbc5723c9ba994500b6db800dffb94e7
SHA1

19694e6ba766d924bc5e41b02b592e6364a628d3
SHA256

ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b
SHA512

859f900632d369e470cdb87605d082c1252b6af1d9968b9c63d7b1c5eecec1031fa773b67999cbb6e622965f037d96d50c17a7651f38e868e34500185e46c66d
SSDEEP

24576:3ycwYDhpoFJsit+5rqUkQ33Go1pd742ZWT:CcwYFgs0vUkQHGo1r7428

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4456-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4456-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4456-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4456-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zt842Pz.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zt842Pz.exe	family_redline
behavioral2/memory/976-43-0x00000000001B0000-0x00000000001EE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

KG2cM4em.exewH0yQ6yH.exeJK5ar5Qx.exeJW8np8Io.exe1bo01qJ0.exe2zt842Pz.exe

pid process

2216 KG2cM4em.exe
2056 wH0yQ6yH.exe
5116 JK5ar5Qx.exe
1608 JW8np8Io.exe
1800 1bo01qJ0.exe
976 2zt842Pz.exe

pid	process
2216	KG2cM4em.exe
2056	wH0yQ6yH.exe
5116	JK5ar5Qx.exe
1608	JW8np8Io.exe
1800	1bo01qJ0.exe
976	2zt842Pz.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

KG2cM4em.exewH0yQ6yH.exeJK5ar5Qx.exeJW8np8Io.exeNEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KG2cM4em.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wH0yQ6yH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	JK5ar5Qx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	JW8np8Io.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1bo01qJ0.exe

description pid process target process

PID 1800 set thread context of 4456 1800 1bo01qJ0.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1976 1800 WerFault.exe 1bo01qJ0.exe
848 4456 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 1800 set thread context of 4456	1800	1bo01qJ0.exe	AppLaunch.exe

pid	pid_target	process	target process
1976	1800	WerFault.exe	1bo01qJ0.exe
848	4456	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exeKG2cM4em.exewH0yQ6yH.exeJK5ar5Qx.exeJW8np8Io.exe1bo01qJ0.exe

description	pid	process	target process
PID 5100 wrote to memory of 2216	5100	NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe	KG2cM4em.exe
PID 5100 wrote to memory of 2216	5100	NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe	KG2cM4em.exe
PID 5100 wrote to memory of 2216	5100	NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe	KG2cM4em.exe
PID 2216 wrote to memory of 2056	2216	KG2cM4em.exe	wH0yQ6yH.exe
PID 2216 wrote to memory of 2056	2216	KG2cM4em.exe	wH0yQ6yH.exe
PID 2216 wrote to memory of 2056	2216	KG2cM4em.exe	wH0yQ6yH.exe
PID 2056 wrote to memory of 5116	2056	wH0yQ6yH.exe	JK5ar5Qx.exe
PID 2056 wrote to memory of 5116	2056	wH0yQ6yH.exe	JK5ar5Qx.exe
PID 2056 wrote to memory of 5116	2056	wH0yQ6yH.exe	JK5ar5Qx.exe
PID 5116 wrote to memory of 1608	5116	JK5ar5Qx.exe	JW8np8Io.exe
PID 5116 wrote to memory of 1608	5116	JK5ar5Qx.exe	JW8np8Io.exe
PID 5116 wrote to memory of 1608	5116	JK5ar5Qx.exe	JW8np8Io.exe
PID 1608 wrote to memory of 1800	1608	JW8np8Io.exe	1bo01qJ0.exe
PID 1608 wrote to memory of 1800	1608	JW8np8Io.exe	1bo01qJ0.exe
PID 1608 wrote to memory of 1800	1608	JW8np8Io.exe	1bo01qJ0.exe
PID 1800 wrote to memory of 3292	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 3292	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 3292	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 428	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 428	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 428	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 1748	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 1748	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 1748	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1800 wrote to memory of 4456	1800	1bo01qJ0.exe	AppLaunch.exe
PID 1608 wrote to memory of 976	1608	JW8np8Io.exe	2zt842Pz.exe
PID 1608 wrote to memory of 976	1608	JW8np8Io.exe	2zt842Pz.exe
PID 1608 wrote to memory of 976	1608	JW8np8Io.exe	2zt842Pz.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 540
8⤵
- Program crash
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 152
7⤵
- Program crash
PID:1976

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zt842Pz.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zt842Pz.exe
6⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1800 -ip 1800
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4456 -ip 4456
1⤵
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe
Filesize
1.0MB

MD5
0f152f95c32b20107e25ff51e4c95174

SHA1
d4a6f8288383aba662bb9586542275eae69e5065

SHA256
c7509f70e69e87cc89bc5cd724d2ed1713e305b0c8fd24c6b119065f90470b9c

SHA512
5b826bf62755c435953320b267774647c1dcb2b7d61655f1abf25950a884d1f0aeb4fc15fca53e561da69f6cb6b5d3394b34fb147716d799fb62b44debedcb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe
Filesize
1.0MB

MD5
0f152f95c32b20107e25ff51e4c95174

SHA1
d4a6f8288383aba662bb9586542275eae69e5065

SHA256
c7509f70e69e87cc89bc5cd724d2ed1713e305b0c8fd24c6b119065f90470b9c

SHA512
5b826bf62755c435953320b267774647c1dcb2b7d61655f1abf25950a884d1f0aeb4fc15fca53e561da69f6cb6b5d3394b34fb147716d799fb62b44debedcb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe
Filesize
884KB

MD5
dbc61c1620b4e0e2c5beea77e0b91fb1

SHA1
1b26c8e33147b1374b812cf547188d6aea7b8c37

SHA256
b02db25c1b3b9a05d10f30a331c25152b060b2ff22911bcfd206adad08ee2626

SHA512
682d7490e0e5d32a71c3a66512d98b3964e98c4322c0ae295835d47950783643aacc74972ac8c2e35b9f0a5982221f984fd82cefb68619de788f116605040201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe
Filesize
884KB

MD5
dbc61c1620b4e0e2c5beea77e0b91fb1

SHA1
1b26c8e33147b1374b812cf547188d6aea7b8c37

SHA256
b02db25c1b3b9a05d10f30a331c25152b060b2ff22911bcfd206adad08ee2626

SHA512
682d7490e0e5d32a71c3a66512d98b3964e98c4322c0ae295835d47950783643aacc74972ac8c2e35b9f0a5982221f984fd82cefb68619de788f116605040201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe
Filesize
590KB

MD5
0f795888d25061eac211b0ec6707442a

SHA1
b47900848815444ddd6236450767462041c9aba0

SHA256
0887d0bfa0f6b3a824effa2e63e153a73670938639e919eca2ed3037211923af

SHA512
f905ccec953afdd35a771d42ec28d9857fd1ccf656dff88a3f581da02cc23128fa26b7a7b01039b1d28ae49cbec4c803f17d7bc275ffd6b8b99fb372c95ac5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe
Filesize
590KB

MD5
0f795888d25061eac211b0ec6707442a

SHA1
b47900848815444ddd6236450767462041c9aba0

SHA256
0887d0bfa0f6b3a824effa2e63e153a73670938639e919eca2ed3037211923af

SHA512
f905ccec953afdd35a771d42ec28d9857fd1ccf656dff88a3f581da02cc23128fa26b7a7b01039b1d28ae49cbec4c803f17d7bc275ffd6b8b99fb372c95ac5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe
Filesize
417KB

MD5
9452f6996fc008394e3b6e5e95143d46

SHA1
6f6da4b78d7baf873756db3f300d996dba5a5fc9

SHA256
5b87b521525969d8db8c1bc4f1a6007f7bc2647323ee1dfd886be8433f9155bb

SHA512
380bbcb3c7ee75dfd8b5f4e51dd3d0135e987d5204195e6ab79e25885b75b78f9a6a0a82771559789dda7aae09e5125818bf0265a421668b8d3abdb504d3cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe
Filesize
417KB

MD5
9452f6996fc008394e3b6e5e95143d46

SHA1
6f6da4b78d7baf873756db3f300d996dba5a5fc9

SHA256
5b87b521525969d8db8c1bc4f1a6007f7bc2647323ee1dfd886be8433f9155bb

SHA512
380bbcb3c7ee75dfd8b5f4e51dd3d0135e987d5204195e6ab79e25885b75b78f9a6a0a82771559789dda7aae09e5125818bf0265a421668b8d3abdb504d3cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zt842Pz.exe
Filesize
231KB

MD5
b29b6bed017de5d06b755c1b01bbf2c3

SHA1
128ee6a53297dbfa35b6663cf12e6f4a070207b5

SHA256
2a40f8ff94c345b7faba2bf32965b99b061bcbb1622fc02b7a3fce6ae7a65661

SHA512
d1d660c33c546d9b346f0255a8ee1723c97b61a3707be16bcd1edc63346db7df1e78176b28946f3cb33e495cc73c61b06a1a769f3f9344f0c901b586ab94d1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zt842Pz.exe
Filesize
231KB

MD5
b29b6bed017de5d06b755c1b01bbf2c3

SHA1
128ee6a53297dbfa35b6663cf12e6f4a070207b5

SHA256
2a40f8ff94c345b7faba2bf32965b99b061bcbb1622fc02b7a3fce6ae7a65661

SHA512
d1d660c33c546d9b346f0255a8ee1723c97b61a3707be16bcd1edc63346db7df1e78176b28946f3cb33e495cc73c61b06a1a769f3f9344f0c901b586ab94d1d1

Download Submit
memory/976-46-0x0000000006F70000-0x0000000007002000-memory.dmp

Filesize
584KB

Download
memory/976-44-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/976-47-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/976-55-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/976-48-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download
memory/976-43-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/976-45-0x0000000007480000-0x0000000007A24000-memory.dmp

Filesize
5.6MB

Download
memory/976-49-0x0000000008050000-0x0000000008668000-memory.dmp

Filesize
6.1MB

Download
memory/976-54-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/976-53-0x00000000073F0000-0x000000000743C000-memory.dmp

Filesize
304KB

Download
memory/976-52-0x00000000073B0000-0x00000000073EC000-memory.dmp

Filesize
240KB

Download
memory/976-50-0x0000000007A30000-0x0000000007B3A000-memory.dmp

Filesize
1.0MB

Download
memory/976-51-0x0000000007350000-0x0000000007362000-memory.dmp

Filesize
72KB

Download
memory/4456-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4456-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4456-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4456-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download