mystic | b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d

Analysis

max time kernel
170s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe
Size

928KB
MD5

bd90fc8a436f5229c18c16a8f2a88225
SHA1

68e08e1169f8eab32d2449ef48da7161c3a32519
SHA256

b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d
SHA512

de5971d382739c3545da7ade6d1cc07d6fae07d61b69ca2d1279593995d6e8d5d73a12662566749e38ddeae57546dd54ed4865396691c346b607509d541f21e3
SSDEEP

24576:XyB07ndWd7epG40UYwKMsyowPFo88f5a:iB8ndxpGJvyre

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4280-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4280-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4280-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4280-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1364	x5167950.exe
5044	x4522794.exe
5020	x5254247.exe
3588	g9125590.exe
4540	h4863045.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4522794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5254247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5167950.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 4280	3588	g9125590.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4256	3588	WerFault.exe	93
3216	4280	WerFault.exe	95

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 1364	4464	b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe	90
PID 4464 wrote to memory of 1364	4464	b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe	90
PID 4464 wrote to memory of 1364	4464	b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe	90
PID 1364 wrote to memory of 5044	1364	x5167950.exe	91
PID 1364 wrote to memory of 5044	1364	x5167950.exe	91
PID 1364 wrote to memory of 5044	1364	x5167950.exe	91
PID 5044 wrote to memory of 5020	5044	x4522794.exe	92
PID 5044 wrote to memory of 5020	5044	x4522794.exe	92
PID 5044 wrote to memory of 5020	5044	x4522794.exe	92
PID 5020 wrote to memory of 3588	5020	x5254247.exe	93
PID 5020 wrote to memory of 3588	5020	x5254247.exe	93
PID 5020 wrote to memory of 3588	5020	x5254247.exe	93
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 3588 wrote to memory of 4280	3588	g9125590.exe	95
PID 5020 wrote to memory of 4540	5020	x5254247.exe	100
PID 5020 wrote to memory of 4540	5020	x5254247.exe	100
PID 5020 wrote to memory of 4540	5020	x5254247.exe	100

C:\Users\Admin\AppData\Local\Temp\b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe
"C:\Users\Admin\AppData\Local\Temp\b2b30b4435bb7ac9e8f7d31de2f2b6630252bafa435f0662f6daf56bff3fae3d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5167950.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5167950.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4522794.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4522794.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5254247.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5254247.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9125590.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9125590.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 540
        7⤵
        Program crash
        
        PID:3216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 556
        6⤵
        Program crash
        
        PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4863045.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4863045.exe
        5⤵
        Executes dropped EXE
        
        PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3588 -ip 3588
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4280 -ip 4280
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5167950.exe

Filesize
826KB

MD5
924f26ea3865fc9586b64baa94f7a0eb

SHA1
69e32ff28c92622550959bcd26f63317e12f0a4c

SHA256
36b00119fd8613bf095d75ffa3682d0927859bc9a0bde11533e8719f8099094b

SHA512
741ae81f5faf26e04a6041d34e64a1e17f526a7043a660a4a07e56704edc9ed5cb8c221933ff77c8d6f0fbc972e903c6e40529c5303cbfa6017a60820dbf810c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5167950.exe

Filesize
826KB

MD5
924f26ea3865fc9586b64baa94f7a0eb

SHA1
69e32ff28c92622550959bcd26f63317e12f0a4c

SHA256
36b00119fd8613bf095d75ffa3682d0927859bc9a0bde11533e8719f8099094b

SHA512
741ae81f5faf26e04a6041d34e64a1e17f526a7043a660a4a07e56704edc9ed5cb8c221933ff77c8d6f0fbc972e903c6e40529c5303cbfa6017a60820dbf810c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4522794.exe

Filesize
555KB

MD5
8b718eddc8602fa2337948114f4b2158

SHA1
9d06d487809e9314f69cac12533dd4b486b0e93e

SHA256
2b6053e3f20017aac6f1cd57cae53cb0c74cc98d5e4ccf16c41a0b266cb03c8f

SHA512
a337ed40478ae01232d3b6faf9bf3c4cf9ba1b9e28bcedee80d02a248702cbce44421abfe64c73562caff7ec6de091d3e0acb130b858939d5ac55ac87bffb486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4522794.exe

Filesize
555KB

MD5
8b718eddc8602fa2337948114f4b2158

SHA1
9d06d487809e9314f69cac12533dd4b486b0e93e

SHA256
2b6053e3f20017aac6f1cd57cae53cb0c74cc98d5e4ccf16c41a0b266cb03c8f

SHA512
a337ed40478ae01232d3b6faf9bf3c4cf9ba1b9e28bcedee80d02a248702cbce44421abfe64c73562caff7ec6de091d3e0acb130b858939d5ac55ac87bffb486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5254247.exe

Filesize
390KB

MD5
dd61296907889e91119ac5f52f18700b

SHA1
77e21bbb98fb2d9d908b2c537f6357af1391a932

SHA256
0d3a9796cb7168b279f9d22d403c4ac184c9f9ec3e3674d7629986f6c301b43e

SHA512
4d0364f123d174ec77b07da6ebd211e4e50c7e36c6ab8a7bcab6731455cb930a90965743e8d23797e087921a71ffcafe2f4da654f69f2e1c857f0c63f5702de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5254247.exe

Filesize
390KB

MD5
dd61296907889e91119ac5f52f18700b

SHA1
77e21bbb98fb2d9d908b2c537f6357af1391a932

SHA256
0d3a9796cb7168b279f9d22d403c4ac184c9f9ec3e3674d7629986f6c301b43e

SHA512
4d0364f123d174ec77b07da6ebd211e4e50c7e36c6ab8a7bcab6731455cb930a90965743e8d23797e087921a71ffcafe2f4da654f69f2e1c857f0c63f5702de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9125590.exe

Filesize
364KB

MD5
53e8080b2a71957536b92cba7fb49a90

SHA1
7a04a75ca58633bf269d3d4a6b5b26ac0fbf16d8

SHA256
cbe48228e435357a0f4a34ce49a14e58a0b2fd606a78585f232f7753adc9027c

SHA512
5612f1d93eeca32e0050638f9a7c66585271d0d2efd945ecd81c5cc8877ee4ce6fd56b596cc477c5628d57edc898de28b2ddb811c5a33b176ac9e532e14da7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9125590.exe

Filesize
364KB

MD5
53e8080b2a71957536b92cba7fb49a90

SHA1
7a04a75ca58633bf269d3d4a6b5b26ac0fbf16d8

SHA256
cbe48228e435357a0f4a34ce49a14e58a0b2fd606a78585f232f7753adc9027c

SHA512
5612f1d93eeca32e0050638f9a7c66585271d0d2efd945ecd81c5cc8877ee4ce6fd56b596cc477c5628d57edc898de28b2ddb811c5a33b176ac9e532e14da7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4863045.exe

Filesize
173KB

MD5
f8a1e444c25eedd4c9090b09886e917e

SHA1
1402c1adae1496508bfa745fd313a153abfdc9c5

SHA256
505d6029ac8c18a7c6058d820c4e0d1d87b208424a0d4c543f3b97e120e1e961

SHA512
f2ac2118f8524f56be2bfc3f083c50bfc90b33017d139cc2869a1782b8674f9d0a844126b2125db0c25c593de9a034fcf43146522e38a8a5253c87be37fafcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4863045.exe

Filesize
173KB

MD5
f8a1e444c25eedd4c9090b09886e917e

SHA1
1402c1adae1496508bfa745fd313a153abfdc9c5

SHA256
505d6029ac8c18a7c6058d820c4e0d1d87b208424a0d4c543f3b97e120e1e961

SHA512
f2ac2118f8524f56be2bfc3f083c50bfc90b33017d139cc2869a1782b8674f9d0a844126b2125db0c25c593de9a034fcf43146522e38a8a5253c87be37fafcc5

Download Submit
memory/4280-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4280-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4280-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4280-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4540-39-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/4540-37-0x00000000006F0000-0x0000000000720000-memory.dmp

Filesize
192KB

Download
memory/4540-38-0x0000000002B80000-0x0000000002B86000-memory.dmp

Filesize
24KB

Download
memory/4540-36-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/4540-40-0x00000000056C0000-0x0000000005CD8000-memory.dmp

Filesize
6.1MB

Download
memory/4540-41-0x00000000051B0000-0x00000000052BA000-memory.dmp

Filesize
1.0MB

Download
memory/4540-42-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4540-43-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/4540-44-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/4540-45-0x0000000005380000-0x00000000053CC000-memory.dmp

Filesize
304KB

Download
memory/4540-46-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads