mystic | b0bcee0dad0376bfcfa3b0f6fa3ccd6eb6fc2b52323280c463b7e53a3339585e

General

Target

665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe
Size

742KB
MD5

91c9ea17b096c3b5b012690d69e2f8d6
SHA1

bde6d582771ba0065e6599239243cf86e0d2fe50
SHA256

665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0
SHA512

257534852cff565e3da87df8f785f659c5eccf4bdb5107521e80b72f2c62932c76533f57a08f259989f21581694086d89d710a0f36d36dd9ff42a002e36d79cf
SSDEEP

12288:eN//yfYb5BIQZVth9bNgLmajQ/gsuhqt+GTDXWc1vqJ8HwcThN/n0Y9:uiuBtZvb2LR0/gO7LH1veATHj

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023222-16.dat	family_mystic
behavioral2/files/0x0009000000023222-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
868	y8865851.exe
4612	m2310531.exe
4260	n7874439.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8865851.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 3548 wrote to memory of 1180	3548	665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe	94
PID 1180 wrote to memory of 868	1180	AppLaunch.exe	96
PID 1180 wrote to memory of 868	1180	AppLaunch.exe	96
PID 1180 wrote to memory of 868	1180	AppLaunch.exe	96
PID 868 wrote to memory of 4612	868	y8865851.exe	97
PID 868 wrote to memory of 4612	868	y8865851.exe	97
PID 868 wrote to memory of 4612	868	y8865851.exe	97
PID 868 wrote to memory of 4260	868	y8865851.exe	98
PID 868 wrote to memory of 4260	868	y8865851.exe	98
PID 868 wrote to memory of 4260	868	y8865851.exe	98

C:\Users\Admin\AppData\Local\Temp\665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe
"C:\Users\Admin\AppData\Local\Temp\665a25fe81677103220663a397237e33d3cf2835a4f2376447486c4e09189fc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8865851.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8865851.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2310531.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2310531.exe
      4⤵
      Executes dropped EXE
      PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7874439.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7874439.exe
      4⤵
      Executes dropped EXE
      PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8865851.exe

Filesize
272KB

MD5
b969bf81dfb3547bf824cf3f7232b700

SHA1
c024db3ed4ae121877abe71c57f75c261b04db09

SHA256
3051873d9d2bebffce2e3acf1408fdf28138bc03c9c24bf2077654e44b905dfe

SHA512
9a8230fc876d5d1202b9449abf73bc600f064fb50752b823e2a9c9ece68a83ff58aed4ef3960bc462685b1f3a86c03303808c1fc2f7b5f22d8d11b8163c7acbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8865851.exe

Filesize
272KB

MD5
b969bf81dfb3547bf824cf3f7232b700

SHA1
c024db3ed4ae121877abe71c57f75c261b04db09

SHA256
3051873d9d2bebffce2e3acf1408fdf28138bc03c9c24bf2077654e44b905dfe

SHA512
9a8230fc876d5d1202b9449abf73bc600f064fb50752b823e2a9c9ece68a83ff58aed4ef3960bc462685b1f3a86c03303808c1fc2f7b5f22d8d11b8163c7acbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2310531.exe

Filesize
140KB

MD5
27df4109673c1de0f864ac3abfd65b38

SHA1
1ea31bb24f07d6e389faa26b1abb74e34c84d26d

SHA256
5d8067fb9c7ea791d4c51c474d16564bddb01259b80f179281a364f9eb36eaa1

SHA512
a305027f822dbd1fc3e68b0f0b105df27123e3fffa46888b48d0ea23e5e44ad51c568fc26700b69e43df181419bd98e558b18e43c5e924143ddd08064bcdc991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2310531.exe

Filesize
140KB

MD5
27df4109673c1de0f864ac3abfd65b38

SHA1
1ea31bb24f07d6e389faa26b1abb74e34c84d26d

SHA256
5d8067fb9c7ea791d4c51c474d16564bddb01259b80f179281a364f9eb36eaa1

SHA512
a305027f822dbd1fc3e68b0f0b105df27123e3fffa46888b48d0ea23e5e44ad51c568fc26700b69e43df181419bd98e558b18e43c5e924143ddd08064bcdc991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7874439.exe

Filesize
174KB

MD5
763ad6995d678104cc55447e502c4525

SHA1
aeb9b4bcc4979e839fe9267cb92cb9918f170fcd

SHA256
0a50753094d4290102a1913285191c174d7cd7c1bef7c771fdfa0e22deb62320

SHA512
91ee685ee4490cb15b14262063ebde904944012d43b35125b2ac5b295d56b20d7686ddb1b929c588e68a9ab5df777e8fa88ada29d46e4212fd7557c7c0373608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7874439.exe

Filesize
174KB

MD5
763ad6995d678104cc55447e502c4525

SHA1
aeb9b4bcc4979e839fe9267cb92cb9918f170fcd

SHA256
0a50753094d4290102a1913285191c174d7cd7c1bef7c771fdfa0e22deb62320

SHA512
91ee685ee4490cb15b14262063ebde904944012d43b35125b2ac5b295d56b20d7686ddb1b929c588e68a9ab5df777e8fa88ada29d46e4212fd7557c7c0373608

Download Submit
memory/1180-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1180-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1180-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1180-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1180-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4260-21-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/4260-23-0x0000000002A50000-0x0000000002A56000-memory.dmp

Filesize
24KB

Download
memory/4260-24-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/4260-25-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4260-27-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/4260-26-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4260-28-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/4260-29-0x00000000053C0000-0x000000000540C000-memory.dmp

Filesize
304KB

Download
memory/4260-22-0x0000000074230000-0x00000000749E0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-31-0x0000000074230000-0x00000000749E0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-32-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads