mystic | b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
Size

942KB
MD5

503083f2b28105f8a816cee8ac31527d
SHA1

1c78c5e7ac9c163c636e44562c1fb80524b4b001
SHA256

b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37
SHA512

23c4ea6f7d343b60ba109816e825c87c9856ad9d26823aeea40978ba296bd4468142058d75cccf442a30abb7b9a781a1948fbec3b4c26ad5d8643f552e922414
SSDEEP

12288:yMrKy90ZNuFZEgMAKrT3qdV93OOaIz+xuiGfs+b1s057ByY8uDMKjcZlXS+1UFXc:sy4oNSadV5t+efs+n1yagofX5z91Od

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4508-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4508-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4508-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4508-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4880	x1106576.exe
4224	x1003329.exe
3696	x9588010.exe
4700	g2659924.exe
848	h1995412.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9588010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1106576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1003329.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 4508	4700	g2659924.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4364	4508	WerFault.exe	92
4712	4700	WerFault.exe	89

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4880	1484	b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe	85
PID 1484 wrote to memory of 4880	1484	b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe	85
PID 1484 wrote to memory of 4880	1484	b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe	85
PID 4880 wrote to memory of 4224	4880	x1106576.exe	86
PID 4880 wrote to memory of 4224	4880	x1106576.exe	86
PID 4880 wrote to memory of 4224	4880	x1106576.exe	86
PID 4224 wrote to memory of 3696	4224	x1003329.exe	88
PID 4224 wrote to memory of 3696	4224	x1003329.exe	88
PID 4224 wrote to memory of 3696	4224	x1003329.exe	88
PID 3696 wrote to memory of 4700	3696	x9588010.exe	89
PID 3696 wrote to memory of 4700	3696	x9588010.exe	89
PID 3696 wrote to memory of 4700	3696	x9588010.exe	89
PID 4700 wrote to memory of 2236	4700	g2659924.exe	90
PID 4700 wrote to memory of 2236	4700	g2659924.exe	90
PID 4700 wrote to memory of 2236	4700	g2659924.exe	90
PID 4700 wrote to memory of 1612	4700	g2659924.exe	91
PID 4700 wrote to memory of 1612	4700	g2659924.exe	91
PID 4700 wrote to memory of 1612	4700	g2659924.exe	91
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 4700 wrote to memory of 4508	4700	g2659924.exe	92
PID 3696 wrote to memory of 848	3696	x9588010.exe	98
PID 3696 wrote to memory of 848	3696	x9588010.exe	98
PID 3696 wrote to memory of 848	3696	x9588010.exe	98

C:\Users\Admin\AppData\Local\Temp\b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe
"C:\Users\Admin\AppData\Local\Temp\b80c9ab2672602ab9d0267dbd15a2941836f3c1faaa6b913ee5d5d02272daa37.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1106576.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1106576.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1003329.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1003329.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9588010.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9588010.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2659924.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2659924.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2236
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 540
        7⤵
        Program crash
        
        PID:4364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 604
        6⤵
        Program crash
        
        PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1995412.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1995412.exe
        5⤵
        Executes dropped EXE
        
        PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4700 -ip 4700
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4508 -ip 4508
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1106576.exe

Filesize
841KB

MD5
b5a0698f280c628dbc4925ba5b8e5245

SHA1
df53e1c025c5bdacc50f34a9e8ada8b6dc5b68a6

SHA256
47ac7167e7624621a9cfe6b4186361fd417776e79aaf8af4ffbd9abf9f7468f5

SHA512
4895d17789ccefd003545994b952f54b96968c556d0016735036fe2340a1aa92145f35e3f2014e9daf8fccf6cfaba78f2f0f5e96edc12ce1b2da13935f128f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1106576.exe

Filesize
841KB

MD5
b5a0698f280c628dbc4925ba5b8e5245

SHA1
df53e1c025c5bdacc50f34a9e8ada8b6dc5b68a6

SHA256
47ac7167e7624621a9cfe6b4186361fd417776e79aaf8af4ffbd9abf9f7468f5

SHA512
4895d17789ccefd003545994b952f54b96968c556d0016735036fe2340a1aa92145f35e3f2014e9daf8fccf6cfaba78f2f0f5e96edc12ce1b2da13935f128f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1003329.exe

Filesize
563KB

MD5
ced399856eb2869844f5172b06db4416

SHA1
a4bf98d2f08da14ce7047fc388ba4167fec73bf2

SHA256
273ab4cf6b1a77c2563d1c4c30f07eb6623b506f0c4091ca88dea2298ea71e21

SHA512
1d66ca1119bed78203650d4d7fbbed991abebf3eff00cf7888f748fd442a234f919b69b6888021bf261fbb9a9abd8df24d737d88d754e674cbbd7e4082e09b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1003329.exe

Filesize
563KB

MD5
ced399856eb2869844f5172b06db4416

SHA1
a4bf98d2f08da14ce7047fc388ba4167fec73bf2

SHA256
273ab4cf6b1a77c2563d1c4c30f07eb6623b506f0c4091ca88dea2298ea71e21

SHA512
1d66ca1119bed78203650d4d7fbbed991abebf3eff00cf7888f748fd442a234f919b69b6888021bf261fbb9a9abd8df24d737d88d754e674cbbd7e4082e09b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9588010.exe

Filesize
397KB

MD5
a6646fe27b200baa5c3c566c6f5a1eb5

SHA1
16b7ffecb0c5d6b7fa5d8c2f8a58e1c1268bf5b8

SHA256
9f1f86884874c885a95ce54be6f296d75853a174f21e9a2e7aed6c1ff3eb553f

SHA512
bf7cee7bfd131d8bf905ccb4a2eb5afdd370f317d7115380b09ba0188abc9eb2d91a87acf6096540a56948665395cb1ac70adc5b5f0b4050e79ba1e6c55a85b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9588010.exe

Filesize
397KB

MD5
a6646fe27b200baa5c3c566c6f5a1eb5

SHA1
16b7ffecb0c5d6b7fa5d8c2f8a58e1c1268bf5b8

SHA256
9f1f86884874c885a95ce54be6f296d75853a174f21e9a2e7aed6c1ff3eb553f

SHA512
bf7cee7bfd131d8bf905ccb4a2eb5afdd370f317d7115380b09ba0188abc9eb2d91a87acf6096540a56948665395cb1ac70adc5b5f0b4050e79ba1e6c55a85b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2659924.exe

Filesize
379KB

MD5
400c1cc98151cd939061dae6b2443e8a

SHA1
71d6f0fca1e3f5c467506c943125a76c4f9dce6d

SHA256
ea830a0b8e8c8ac1fdb14cd943a25a17a6523c4516b070ed38e5379f69b1e006

SHA512
233c983e9f1edb196a354c941badbba84e64e1fd4819a561504447d96d79f69d374f1870adb1312134f13d35e38f65af2822329a9e4ce0b2125f90683711fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2659924.exe

Filesize
379KB

MD5
400c1cc98151cd939061dae6b2443e8a

SHA1
71d6f0fca1e3f5c467506c943125a76c4f9dce6d

SHA256
ea830a0b8e8c8ac1fdb14cd943a25a17a6523c4516b070ed38e5379f69b1e006

SHA512
233c983e9f1edb196a354c941badbba84e64e1fd4819a561504447d96d79f69d374f1870adb1312134f13d35e38f65af2822329a9e4ce0b2125f90683711fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1995412.exe

Filesize
174KB

MD5
d9144ae238beb610f76b95a2cc475637

SHA1
d1bcd93c19200d0a5828b724f02dc20554dd02f7

SHA256
63aec512bea42948e7d301e227a9d421399f2f8463243476200c3679b77088f7

SHA512
367c0e2e50c5d823d42422472ddc5abb3acfd4216ff390aa35dbe7e04a2a1decea30b69abfa8bf93b7b46a430f352b6f951526425889eaffa61bd9996c1395ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1995412.exe

Filesize
174KB

MD5
d9144ae238beb610f76b95a2cc475637

SHA1
d1bcd93c19200d0a5828b724f02dc20554dd02f7

SHA256
63aec512bea42948e7d301e227a9d421399f2f8463243476200c3679b77088f7

SHA512
367c0e2e50c5d823d42422472ddc5abb3acfd4216ff390aa35dbe7e04a2a1decea30b69abfa8bf93b7b46a430f352b6f951526425889eaffa61bd9996c1395ac

Download Submit
memory/848-39-0x0000000005AE0000-0x00000000060F8000-memory.dmp

Filesize
6.1MB

Download
memory/848-42-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/848-46-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/848-45-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/848-36-0x0000000000990000-0x00000000009C0000-memory.dmp

Filesize
192KB

Download
memory/848-37-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/848-44-0x0000000005500000-0x000000000554C000-memory.dmp

Filesize
304KB

Download
memory/848-40-0x00000000055D0000-0x00000000056DA000-memory.dmp

Filesize
1.0MB

Download
memory/848-38-0x0000000002B70000-0x0000000002B76000-memory.dmp

Filesize
24KB

Download
memory/848-41-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/848-43-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/4508-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4508-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4508-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4508-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads