mystic | 4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e

General

Target

4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe
Size

2.5MB
MD5

3d91b4b4877130321fe2dff023f31b4b
SHA1

e857122f0f46d22036c64f58d52dd3387ea2c582
SHA256

4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e
SHA512

ca6df76d3ca8d64adbbfbd6466b30ab0d715134b7a637087827bf3dfeb5210ab49e1f7f2852d27a30b341bafca3b8cd5ff0511c2967ddc44bf852daf104988f6
SSDEEP

24576:tMwN6yuB40zA0pHxV+L3DkU6KJi6a9Dhvh5wFbykjTJijcwEkeOR4/4z71+jsJR/:N6tzA0pHxVmkv6a3vgm+TEQ6ngd03z

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023244-17.dat	family_mystic
behavioral2/files/0x0008000000023244-16.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4100	y5475781.exe
3028	m1249957.exe
4688	n1886076.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5475781.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4720 set thread context of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4264	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	95
PID 4720 wrote to memory of 4264	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	95
PID 4720 wrote to memory of 4264	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	95
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4720 wrote to memory of 4412	4720	4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe	96
PID 4412 wrote to memory of 4100	4412	AppLaunch.exe	98
PID 4412 wrote to memory of 4100	4412	AppLaunch.exe	98
PID 4412 wrote to memory of 4100	4412	AppLaunch.exe	98
PID 4100 wrote to memory of 3028	4100	y5475781.exe	99
PID 4100 wrote to memory of 3028	4100	y5475781.exe	99
PID 4100 wrote to memory of 3028	4100	y5475781.exe	99
PID 4100 wrote to memory of 4688	4100	y5475781.exe	100
PID 4100 wrote to memory of 4688	4100	y5475781.exe	100
PID 4100 wrote to memory of 4688	4100	y5475781.exe	100

C:\Users\Admin\AppData\Local\Temp\4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe
"C:\Users\Admin\AppData\Local\Temp\4d5ad17afba094be5ae7ab14a5bd7c816ed861ad2fb2d6ba711dddf0f40bec0e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5475781.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5475781.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1249957.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1249957.exe
      4⤵
      Executes dropped EXE
      PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1886076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1886076.exe
      4⤵
      Executes dropped EXE
      PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5475781.exe

Filesize
271KB

MD5
4188849964d7dfb86d9d05c1e7cff9a1

SHA1
8b91907361cf0d6d206ee3ce0979dd4a2598e8a1

SHA256
90eb5d8c6d87fcdb9b52cc392c1ecefcaf0c5abe0fe066c1d01b767c7d7d5d7b

SHA512
3ade1c8e35d2fb463389406c53b347621d4371ac40f0430c65f48dfafe6b015d0c3c1d139a1fd1b551416ea06964a93dac2e9af66f0ee74450044a337abd015e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5475781.exe

Filesize
271KB

MD5
4188849964d7dfb86d9d05c1e7cff9a1

SHA1
8b91907361cf0d6d206ee3ce0979dd4a2598e8a1

SHA256
90eb5d8c6d87fcdb9b52cc392c1ecefcaf0c5abe0fe066c1d01b767c7d7d5d7b

SHA512
3ade1c8e35d2fb463389406c53b347621d4371ac40f0430c65f48dfafe6b015d0c3c1d139a1fd1b551416ea06964a93dac2e9af66f0ee74450044a337abd015e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1249957.exe

Filesize
140KB

MD5
3462f58f29a8e9cee1a3784b6d9ca81a

SHA1
d1263091469a2767bc2d01fdcfada72eb81413f3

SHA256
07ac187aac9955dd78c49f756596f52638d5b6b15d236d39ebb52ac54cd9b45f

SHA512
2a75b49e50488b6e75aeb6d2d2783025da7c8401e276d760081769e6d5cf14a43bd92de3a4a3cd628c0f20731eb8fa6dbed9a02a083e8a1c3cf2d85375dc702b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1249957.exe

Filesize
140KB

MD5
3462f58f29a8e9cee1a3784b6d9ca81a

SHA1
d1263091469a2767bc2d01fdcfada72eb81413f3

SHA256
07ac187aac9955dd78c49f756596f52638d5b6b15d236d39ebb52ac54cd9b45f

SHA512
2a75b49e50488b6e75aeb6d2d2783025da7c8401e276d760081769e6d5cf14a43bd92de3a4a3cd628c0f20731eb8fa6dbed9a02a083e8a1c3cf2d85375dc702b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1886076.exe

Filesize
174KB

MD5
cba4858bd1ba1ee2c33959b54a4c3164

SHA1
95a1d4d23fd2a8837fbb99035ce5817239cd84be

SHA256
da00bc347006b2c8310bce45068575cde109c5bd4e50f40780e18de1bdbc684c

SHA512
04fdc10ec75de7135483402f32b2d74db4db44083868bdec78a4cefbcb37d0ded4fcf57ac54f53c15c82ba23abfa88d4e7c93d1ccd9b5e258d8e426d3268bde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1886076.exe

Filesize
174KB

MD5
cba4858bd1ba1ee2c33959b54a4c3164

SHA1
95a1d4d23fd2a8837fbb99035ce5817239cd84be

SHA256
da00bc347006b2c8310bce45068575cde109c5bd4e50f40780e18de1bdbc684c

SHA512
04fdc10ec75de7135483402f32b2d74db4db44083868bdec78a4cefbcb37d0ded4fcf57ac54f53c15c82ba23abfa88d4e7c93d1ccd9b5e258d8e426d3268bde3

Download Submit
memory/4412-24-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4412-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4412-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4412-3-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4412-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4688-21-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/4688-23-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/4688-22-0x0000000073B40000-0x00000000742F0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-25-0x0000000073B40000-0x00000000742F0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-26-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/4688-27-0x0000000004CB0000-0x0000000004DBA000-memory.dmp

Filesize
1.0MB

Download
memory/4688-28-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4688-29-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/4688-30-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/4688-31-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

Filesize
304KB

Download
memory/4688-32-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads