mystic | 48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe
Size

929KB
MD5

4f6bcdc8cd0bf2db7c617bf1e15ab3e3
SHA1

9a35e82cfd978b0ca31ed66040f2249fc6209aac
SHA256

48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47
SHA512

524e820a0e33709bcfa7f19e789be4938ff9d3eafc30f79d852ccaaa4f81feec0af5f1e168b3ef9f9f1f0a1018b8793563bbb306cd125046752dbd4528a7ad4a
SSDEEP

24576:my7I6JpuXR1wXhb8fCV9dsiJ3BK0Qm5Rzl9AHXCx:17BU1AyCzCHQ/zHAS

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/5060-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/5060-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/5060-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/5060-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4052	x9795912.exe
840	x3046987.exe
4020	x5651660.exe
2476	g4665713.exe
1616	h0730892.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9795912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3046987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5651660.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 5060	2476	g4665713.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5024	2476	WerFault.exe	89
5100	5060	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4052	4388	48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe	86
PID 4388 wrote to memory of 4052	4388	48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe	86
PID 4388 wrote to memory of 4052	4388	48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe	86
PID 4052 wrote to memory of 840	4052	x9795912.exe	87
PID 4052 wrote to memory of 840	4052	x9795912.exe	87
PID 4052 wrote to memory of 840	4052	x9795912.exe	87
PID 840 wrote to memory of 4020	840	x3046987.exe	88
PID 840 wrote to memory of 4020	840	x3046987.exe	88
PID 840 wrote to memory of 4020	840	x3046987.exe	88
PID 4020 wrote to memory of 2476	4020	x5651660.exe	89
PID 4020 wrote to memory of 2476	4020	x5651660.exe	89
PID 4020 wrote to memory of 2476	4020	x5651660.exe	89
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 2476 wrote to memory of 5060	2476	g4665713.exe	90
PID 4020 wrote to memory of 1616	4020	x5651660.exe	103
PID 4020 wrote to memory of 1616	4020	x5651660.exe	103
PID 4020 wrote to memory of 1616	4020	x5651660.exe	103

C:\Users\Admin\AppData\Local\Temp\48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe
"C:\Users\Admin\AppData\Local\Temp\48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9795912.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9795912.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3046987.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3046987.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5651660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5651660.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4665713.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4665713.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 540
        7⤵
        Program crash
        
        PID:5100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 552
        6⤵
        Program crash
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0730892.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0730892.exe
        5⤵
        Executes dropped EXE
        
        PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5060 -ip 5060
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2476 -ip 2476
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9795912.exe

Filesize
827KB

MD5
8920d63c4bb68da11c3c36059587d4b9

SHA1
bfe9b45c1e52d6bb0d8ae68195d9c7f9bfd211ae

SHA256
6d3f1c36b73adb9199562617a4318cc6bde5ed0670f011d291a0b9bf8b8ed9e3

SHA512
b422724ec091482a2458af327650fbd698f97bbb13584dd302a17ee75df7fdd2c89d32cccfe038542c7b4e42d4504ca6b051bd285c930f3144766c6831e7f702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9795912.exe

Filesize
827KB

MD5
8920d63c4bb68da11c3c36059587d4b9

SHA1
bfe9b45c1e52d6bb0d8ae68195d9c7f9bfd211ae

SHA256
6d3f1c36b73adb9199562617a4318cc6bde5ed0670f011d291a0b9bf8b8ed9e3

SHA512
b422724ec091482a2458af327650fbd698f97bbb13584dd302a17ee75df7fdd2c89d32cccfe038542c7b4e42d4504ca6b051bd285c930f3144766c6831e7f702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3046987.exe

Filesize
556KB

MD5
c759b5e6c12fa91841c0cb2be5e05b0a

SHA1
b776eab718ab2d114174a2fe8e1137ea91d8fba4

SHA256
07f97194254429cd44cfd56ce074d00bb5a6fbf2d3a2d286d7a46b5b5772f1d6

SHA512
438a879ee937906f69fcd4cb71e30375b5c1a4e6d23a640d77287c21ab5b5d3684d18e18e2ecd28b904fc93bfc3335a647833e60c1cb651a0f97b8fe627dacaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3046987.exe

Filesize
556KB

MD5
c759b5e6c12fa91841c0cb2be5e05b0a

SHA1
b776eab718ab2d114174a2fe8e1137ea91d8fba4

SHA256
07f97194254429cd44cfd56ce074d00bb5a6fbf2d3a2d286d7a46b5b5772f1d6

SHA512
438a879ee937906f69fcd4cb71e30375b5c1a4e6d23a640d77287c21ab5b5d3684d18e18e2ecd28b904fc93bfc3335a647833e60c1cb651a0f97b8fe627dacaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5651660.exe

Filesize
390KB

MD5
8bf2288317829c4a3fb9b3ab3be93645

SHA1
e59530164d4468e7ba6dfa77501c693881d12e7b

SHA256
039656c7afb1bfae9474317f6b13e09e2f9e7ae613ff058ebeaf57ba3f3f84c9

SHA512
43fc7fd0d88d95d6d7ef6160974b131a3883fc5489b912a7ddf1ae93e8bce9c461ad0ee03c01d989657c2cf52cae6f0c484b7d864a2c5dc2ca463c9d7dfa74e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5651660.exe

Filesize
390KB

MD5
8bf2288317829c4a3fb9b3ab3be93645

SHA1
e59530164d4468e7ba6dfa77501c693881d12e7b

SHA256
039656c7afb1bfae9474317f6b13e09e2f9e7ae613ff058ebeaf57ba3f3f84c9

SHA512
43fc7fd0d88d95d6d7ef6160974b131a3883fc5489b912a7ddf1ae93e8bce9c461ad0ee03c01d989657c2cf52cae6f0c484b7d864a2c5dc2ca463c9d7dfa74e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4665713.exe

Filesize
364KB

MD5
0f7fbe978e9bfe27c05f58be8725bf80

SHA1
f07ee35597867a09ba0d1105a2afb3617bf2393e

SHA256
26e1dfbe7f76a9d93e25731aeeeeed04f16ad15ba304c37adc5c725110f4c99a

SHA512
658d1d5c3621e8c2fde4d2fec821ddae25a269c0a23f20210d41abd42f75e83f6d90a443b89bc6a216e0faed5c3606673cc829604bc777805f46cb1a5c9cca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4665713.exe

Filesize
364KB

MD5
0f7fbe978e9bfe27c05f58be8725bf80

SHA1
f07ee35597867a09ba0d1105a2afb3617bf2393e

SHA256
26e1dfbe7f76a9d93e25731aeeeeed04f16ad15ba304c37adc5c725110f4c99a

SHA512
658d1d5c3621e8c2fde4d2fec821ddae25a269c0a23f20210d41abd42f75e83f6d90a443b89bc6a216e0faed5c3606673cc829604bc777805f46cb1a5c9cca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0730892.exe

Filesize
173KB

MD5
39a55d8248f98dfcc15f8508a843bef3

SHA1
1467c5f45aba0f700d57e8bcd7f7eff12948662c

SHA256
b5c6571e18d80e9fbce3482047ff7f326e937b5af7e23e3a966122d1039a5181

SHA512
46067acdfd6cd5850d19cf1ee7933fe4cbb818301a91ffc784d60965fb6b17c34c9b332e2bb4ebaa44787003966e5847ff8c1827699459cfed588e0f240c4b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0730892.exe

Filesize
173KB

MD5
39a55d8248f98dfcc15f8508a843bef3

SHA1
1467c5f45aba0f700d57e8bcd7f7eff12948662c

SHA256
b5c6571e18d80e9fbce3482047ff7f326e937b5af7e23e3a966122d1039a5181

SHA512
46067acdfd6cd5850d19cf1ee7933fe4cbb818301a91ffc784d60965fb6b17c34c9b332e2bb4ebaa44787003966e5847ff8c1827699459cfed588e0f240c4b1b

Download Submit
memory/1616-39-0x000000000A5D0000-0x000000000ABE8000-memory.dmp

Filesize
6.1MB

Download
memory/1616-42-0x000000000A000000-0x000000000A012000-memory.dmp

Filesize
72KB

Download
memory/1616-46-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1616-45-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1616-36-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1616-37-0x0000000000110000-0x0000000000140000-memory.dmp

Filesize
192KB

Download
memory/1616-44-0x000000000A1D0000-0x000000000A21C000-memory.dmp

Filesize
304KB

Download
memory/1616-40-0x000000000A0C0000-0x000000000A1CA000-memory.dmp

Filesize
1.0MB

Download
memory/1616-38-0x00000000023B0000-0x00000000023B6000-memory.dmp

Filesize
24KB

Download
memory/1616-41-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1616-43-0x000000000A060000-0x000000000A09C000-memory.dmp

Filesize
240KB

Download
memory/5060-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5060-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5060-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5060-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads