mystic | 3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819

Analysis

max time kernel
145s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe
Size

928KB
MD5

aecfb0ac8ddfa8d08bfc6fb3de8d82cf
SHA1

388d75f2dccb7ddd1ddac151efbb1de161cf61b6
SHA256

3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819
SHA512

a6b38820deca050742ce32bdb91d4f36a686513476f4b85e098e43a23596254b7998f06e5bd8dc7c69ce546889c46634b8c659ac62c77dd0c7a116a00b3df37a
SSDEEP

24576:pyV2ELHT7A4JD1SW+qW3qhUxiannO9Jf:cVH3AGSWSAwGJ

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3700-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3700-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3700-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3700-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2480	x1280169.exe
3024	x5142417.exe
3220	x4623423.exe
2448	g2611125.exe
1536	h6277831.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4623423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1280169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5142417.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 3700	2448	g2611125.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4516	3700	WerFault.exe	91
1572	2448	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 2480	4188	3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe	86
PID 4188 wrote to memory of 2480	4188	3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe	86
PID 4188 wrote to memory of 2480	4188	3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe	86
PID 2480 wrote to memory of 3024	2480	x1280169.exe	87
PID 2480 wrote to memory of 3024	2480	x1280169.exe	87
PID 2480 wrote to memory of 3024	2480	x1280169.exe	87
PID 3024 wrote to memory of 3220	3024	x5142417.exe	88
PID 3024 wrote to memory of 3220	3024	x5142417.exe	88
PID 3024 wrote to memory of 3220	3024	x5142417.exe	88
PID 3220 wrote to memory of 2448	3220	x4623423.exe	90
PID 3220 wrote to memory of 2448	3220	x4623423.exe	90
PID 3220 wrote to memory of 2448	3220	x4623423.exe	90
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 2448 wrote to memory of 3700	2448	g2611125.exe	91
PID 3220 wrote to memory of 1536	3220	x4623423.exe	98
PID 3220 wrote to memory of 1536	3220	x4623423.exe	98
PID 3220 wrote to memory of 1536	3220	x4623423.exe	98

C:\Users\Admin\AppData\Local\Temp\3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe
"C:\Users\Admin\AppData\Local\Temp\3b70b79d688fdb81d0a46581c15d1b7ac914f2bf6d5ed6482222a8822e4ca819.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280169.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280169.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5142417.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5142417.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4623423.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4623423.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2611125.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2611125.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 540
        7⤵
        Program crash
        
        PID:4516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 572
        6⤵
        Program crash
        
        PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6277831.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6277831.exe
        5⤵
        Executes dropped EXE
        
        PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2448 -ip 2448
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3700 -ip 3700
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280169.exe

Filesize
826KB

MD5
c01e5ebc84110b2460078272c6904bf9

SHA1
c5b277a5ecf1dfc443f57da05bc8e195b62c36dd

SHA256
e4e94b867fc5fb6c82a319d3faa5ba95187287f62cae2ef4b0df6bdf3fbb449e

SHA512
181178ee9b0e99735a7261c4903d3f66384765af1e867c048a2feb4ca46efe114cb249ff3bd4b74d66511329f71ecf8162b90d64c08eebd31d1ef954adafdeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1280169.exe

Filesize
826KB

MD5
c01e5ebc84110b2460078272c6904bf9

SHA1
c5b277a5ecf1dfc443f57da05bc8e195b62c36dd

SHA256
e4e94b867fc5fb6c82a319d3faa5ba95187287f62cae2ef4b0df6bdf3fbb449e

SHA512
181178ee9b0e99735a7261c4903d3f66384765af1e867c048a2feb4ca46efe114cb249ff3bd4b74d66511329f71ecf8162b90d64c08eebd31d1ef954adafdeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5142417.exe

Filesize
555KB

MD5
2fa89f2e4b0e14668ea12e73601c9a7a

SHA1
5700b19c0583678e267838f7f3a52018dca0b5aa

SHA256
9ac99e494441429a529bd823efb53d558f43334687d8a6863264bedb01ea9130

SHA512
57ea761177260f4d23385268e36afaab37b13bab3ab769ee6eda10d2f796e80bc1dd95de1dc0986012e6f7352f371097a2d9704e0c53e5976da976b01325c669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5142417.exe

Filesize
555KB

MD5
2fa89f2e4b0e14668ea12e73601c9a7a

SHA1
5700b19c0583678e267838f7f3a52018dca0b5aa

SHA256
9ac99e494441429a529bd823efb53d558f43334687d8a6863264bedb01ea9130

SHA512
57ea761177260f4d23385268e36afaab37b13bab3ab769ee6eda10d2f796e80bc1dd95de1dc0986012e6f7352f371097a2d9704e0c53e5976da976b01325c669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4623423.exe

Filesize
390KB

MD5
005bca875abba38e0dd3cd66bdb57356

SHA1
e927fe86c357fa038763b67658768372a28805c7

SHA256
33c8c70b6fd4d954a3b340d777c0ba83ba4584222cde1888576f4998db19817a

SHA512
8a1ec47045d183eec716d675332d95be0a3b890c1d36f466fdbecc3b92123d7e8a7ae5cb761d9a7009953d5e5f3c5cb85e4f99c16960e9db6b61f367510982d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4623423.exe

Filesize
390KB

MD5
005bca875abba38e0dd3cd66bdb57356

SHA1
e927fe86c357fa038763b67658768372a28805c7

SHA256
33c8c70b6fd4d954a3b340d777c0ba83ba4584222cde1888576f4998db19817a

SHA512
8a1ec47045d183eec716d675332d95be0a3b890c1d36f466fdbecc3b92123d7e8a7ae5cb761d9a7009953d5e5f3c5cb85e4f99c16960e9db6b61f367510982d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2611125.exe

Filesize
364KB

MD5
c2b7cfee0f6b1a1ec59622651d8400d1

SHA1
5bbd79c6c7a9a2cc455597f68f045110991ff1c7

SHA256
dd4b1dc4a9dc5f482947f035e307911b2d2a75ca5c9beb7022ded804011ba09a

SHA512
636f25dec26ab5733f6655ed758212a654d3e8ed1da3af350d561d33781543f2d6e665eb0a4587f54a56a9d5b76a8c61c80edf86c4ff22df6d04c22fc1c2dc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2611125.exe

Filesize
364KB

MD5
c2b7cfee0f6b1a1ec59622651d8400d1

SHA1
5bbd79c6c7a9a2cc455597f68f045110991ff1c7

SHA256
dd4b1dc4a9dc5f482947f035e307911b2d2a75ca5c9beb7022ded804011ba09a

SHA512
636f25dec26ab5733f6655ed758212a654d3e8ed1da3af350d561d33781543f2d6e665eb0a4587f54a56a9d5b76a8c61c80edf86c4ff22df6d04c22fc1c2dc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6277831.exe

Filesize
173KB

MD5
7006f06f4122601eff2705b87e8e8335

SHA1
a63cd32753c2bbb1f2998bbf977788457aca66e6

SHA256
b2ec29e9acff5291e31d30a68ce9021d8959ce7e0f99838cb18348d05805ae70

SHA512
4a066ec16af63fbcbc8642ef016288ffa972a688a33a44850d08a4047e57407c823abefe02c20d5519100d484f8cc0bd24edd9897ee5c6b9b151833b63493170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6277831.exe

Filesize
173KB

MD5
7006f06f4122601eff2705b87e8e8335

SHA1
a63cd32753c2bbb1f2998bbf977788457aca66e6

SHA256
b2ec29e9acff5291e31d30a68ce9021d8959ce7e0f99838cb18348d05805ae70

SHA512
4a066ec16af63fbcbc8642ef016288ffa972a688a33a44850d08a4047e57407c823abefe02c20d5519100d484f8cc0bd24edd9897ee5c6b9b151833b63493170

Download Submit
memory/1536-39-0x0000000005E90000-0x00000000064A8000-memory.dmp

Filesize
6.1MB

Download
memory/1536-40-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/1536-46-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/1536-45-0x00000000737D0000-0x0000000073F80000-memory.dmp

Filesize
7.7MB

Download
memory/1536-36-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/1536-37-0x00000000737D0000-0x0000000073F80000-memory.dmp

Filesize
7.7MB

Download
memory/1536-44-0x00000000058F0000-0x000000000593C000-memory.dmp

Filesize
304KB

Download
memory/1536-43-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/1536-38-0x00000000030F0000-0x00000000030F6000-memory.dmp

Filesize
24KB

Download
memory/1536-41-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/1536-42-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/3700-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3700-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3700-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3700-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads