mystic | 55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733

Analysis

max time kernel
178s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe
Size

943KB
MD5

e31ab4c222f7e2c4b70cd9a9f34b2ed9
SHA1

bc01a00bcced4f40decd3ce0952fc7da2dc47c15
SHA256

55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733
SHA512

b5038fa5756f9f5320d1bd9fbb629a79a42c2dc2e69d36a5d1fefab20c6779ab0599d3a29fb8d24647041c05b348ecd55ea5b87b55a4f63d19251ca74912a017
SSDEEP

24576:syRS1fhUx+W5y4tGccJHohthBM+D9jTQ:b+adGDythBM+Dx

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2436-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2436-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2436-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2436-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4840	x3482203.exe
3572	x9604015.exe
2244	x2869829.exe
4988	g7760994.exe
3528	h3738292.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9604015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2869829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3482203.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 2436	4988	g7760994.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1588	2436	WerFault.exe	92
5024	4988	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4840	840	55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe	88
PID 840 wrote to memory of 4840	840	55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe	88
PID 840 wrote to memory of 4840	840	55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe	88
PID 4840 wrote to memory of 3572	4840	x3482203.exe	89
PID 4840 wrote to memory of 3572	4840	x3482203.exe	89
PID 4840 wrote to memory of 3572	4840	x3482203.exe	89
PID 3572 wrote to memory of 2244	3572	x9604015.exe	90
PID 3572 wrote to memory of 2244	3572	x9604015.exe	90
PID 3572 wrote to memory of 2244	3572	x9604015.exe	90
PID 2244 wrote to memory of 4988	2244	x2869829.exe	91
PID 2244 wrote to memory of 4988	2244	x2869829.exe	91
PID 2244 wrote to memory of 4988	2244	x2869829.exe	91
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 4988 wrote to memory of 2436	4988	g7760994.exe	92
PID 2244 wrote to memory of 3528	2244	x2869829.exe	99
PID 2244 wrote to memory of 3528	2244	x2869829.exe	99
PID 2244 wrote to memory of 3528	2244	x2869829.exe	99

C:\Users\Admin\AppData\Local\Temp\55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe
"C:\Users\Admin\AppData\Local\Temp\55a160f1c9f2e195ab3eb9aa9612ccb61d4217161db578aaf05071be4041e733.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3482203.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3482203.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9604015.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9604015.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2869829.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2869829.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7760994.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7760994.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 540
        7⤵
        Program crash
        
        PID:1588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 572
        6⤵
        Program crash
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3738292.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3738292.exe
        5⤵
        Executes dropped EXE
        
        PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4988 -ip 4988
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2436 -ip 2436
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3482203.exe

Filesize
841KB

MD5
2281a7c2af155ec1da27b3d074fcb558

SHA1
febfa84687c985df7bef45e31a69b0edfbeb2bbb

SHA256
9f8346f2e8c339dd570e821c7d0a352843854da04b8303dbd51fdbd91aa1252b

SHA512
9e20e30edb121abe7926a95acfc79702bcce6c009f536661dbd21887a620d9600327f4fa127658cbfe7e3f342e4564c11911782577b7854cca0f89ffd462d5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3482203.exe

Filesize
841KB

MD5
2281a7c2af155ec1da27b3d074fcb558

SHA1
febfa84687c985df7bef45e31a69b0edfbeb2bbb

SHA256
9f8346f2e8c339dd570e821c7d0a352843854da04b8303dbd51fdbd91aa1252b

SHA512
9e20e30edb121abe7926a95acfc79702bcce6c009f536661dbd21887a620d9600327f4fa127658cbfe7e3f342e4564c11911782577b7854cca0f89ffd462d5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9604015.exe

Filesize
563KB

MD5
37d36ca7c7d887e14261c617fa477a09

SHA1
4fe22821665bf0a10299841ca97f30830c147364

SHA256
8902cd20f1ebb20642b77d2fda6fd397039c0f02489ea5bd0be3dccd29a03c54

SHA512
3f4113bc44dddd08325ce1ad8e6a59578888ec8fc92635bb8cdbe5def51e72f69b7c4ca34da5e55f59bf5deead88fbe5dc2c512b0a9d63543f77e631bc6ee8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9604015.exe

Filesize
563KB

MD5
37d36ca7c7d887e14261c617fa477a09

SHA1
4fe22821665bf0a10299841ca97f30830c147364

SHA256
8902cd20f1ebb20642b77d2fda6fd397039c0f02489ea5bd0be3dccd29a03c54

SHA512
3f4113bc44dddd08325ce1ad8e6a59578888ec8fc92635bb8cdbe5def51e72f69b7c4ca34da5e55f59bf5deead88fbe5dc2c512b0a9d63543f77e631bc6ee8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2869829.exe

Filesize
397KB

MD5
9b0a0a5d59c0d341a9f02954db4e9369

SHA1
112fe6de33dc20531146eead854e4f96e3f27912

SHA256
a2f2524b62e2d953eeffaa3b269d34b5bdc0507c0205c215ef38524807d496a6

SHA512
d526ef03e39c9961965c0e2e811c0852a5e59a981f82bd8ad25c410ddad56680aae8ebce833340ca6c5036266cd9e349b03d793027b0c1749d3f2f21f4404002

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2869829.exe

Filesize
397KB

MD5
9b0a0a5d59c0d341a9f02954db4e9369

SHA1
112fe6de33dc20531146eead854e4f96e3f27912

SHA256
a2f2524b62e2d953eeffaa3b269d34b5bdc0507c0205c215ef38524807d496a6

SHA512
d526ef03e39c9961965c0e2e811c0852a5e59a981f82bd8ad25c410ddad56680aae8ebce833340ca6c5036266cd9e349b03d793027b0c1749d3f2f21f4404002

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7760994.exe

Filesize
379KB

MD5
8e363a1912d25cef180c54846648abd5

SHA1
c9a238ea6ca27085aabd381595aff534fa93758a

SHA256
9e00622d8ed5819bb618d170eee6590b82cea38b3f1cde0bc405298349029682

SHA512
ba3d0c89b2575a7293e7b75e0d47959e0bda0b3beed1131fd426606057e398125e8b390ca013a7530ff133970a684b7b4d5d62a94737b19e06b1edc4efa4cedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7760994.exe

Filesize
379KB

MD5
8e363a1912d25cef180c54846648abd5

SHA1
c9a238ea6ca27085aabd381595aff534fa93758a

SHA256
9e00622d8ed5819bb618d170eee6590b82cea38b3f1cde0bc405298349029682

SHA512
ba3d0c89b2575a7293e7b75e0d47959e0bda0b3beed1131fd426606057e398125e8b390ca013a7530ff133970a684b7b4d5d62a94737b19e06b1edc4efa4cedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3738292.exe

Filesize
174KB

MD5
6cbaf1c812713d856df818929ff616bd

SHA1
aebe157a35fda8999e39771ba6475f4b489ce57e

SHA256
4e2b4df3247f5527a2e309066721dbb5033f112aa16b97382ccafd7f7c9ab690

SHA512
8bffbaf1a4aed7e82c3faf24f44d087f9deb7859be9aa6eff128eaf1c6ab00a3d3cbcfb1385b8fb47c439f7cc7f314373d53bd2e5f93c0902b0e074780bc0d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3738292.exe

Filesize
174KB

MD5
6cbaf1c812713d856df818929ff616bd

SHA1
aebe157a35fda8999e39771ba6475f4b489ce57e

SHA256
4e2b4df3247f5527a2e309066721dbb5033f112aa16b97382ccafd7f7c9ab690

SHA512
8bffbaf1a4aed7e82c3faf24f44d087f9deb7859be9aa6eff128eaf1c6ab00a3d3cbcfb1385b8fb47c439f7cc7f314373d53bd2e5f93c0902b0e074780bc0d54

Download Submit
memory/2436-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2436-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2436-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2436-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3528-39-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/3528-37-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3528-38-0x0000000005140000-0x0000000005146000-memory.dmp

Filesize
24KB

Download
memory/3528-36-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/3528-40-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/3528-41-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/3528-42-0x00000000051C0000-0x00000000051D2000-memory.dmp

Filesize
72KB

Download
memory/3528-43-0x0000000005220000-0x000000000525C000-memory.dmp

Filesize
240KB

Download
memory/3528-44-0x0000000005260000-0x00000000052AC000-memory.dmp

Filesize
304KB

Download
memory/3528-45-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3528-46-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads