mystic | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b

General

Target

122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
Size

2.5MB
MD5

2f7f146caa6b89738f522f714eead088
SHA1

6a54ffc979a13f1d2ec86af63de97db5ffeb0126
SHA256

122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b
SHA512

61a4692ae87401c64792d1195cee1b0a9e8b0c84409689fb1129dcab46718193adafaa2317a3cb3a94e9951e018a39d635ce8ec5ffec8687ee2c44926645d5a8
SSDEEP

49152:MktzA0pHxVZkV6a3vJQyf+74G/w3eL+n9:Mktz1kscGGv

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000230ac-17.dat	family_mystic
behavioral2/files/0x00070000000230ac-18.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4808	y3499828.exe
1880	m2402832.exe
1384	n9109208.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3499828.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 2032 wrote to memory of 556	2032	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	87
PID 556 wrote to memory of 4808	556	AppLaunch.exe	88
PID 556 wrote to memory of 4808	556	AppLaunch.exe	88
PID 556 wrote to memory of 4808	556	AppLaunch.exe	88
PID 4808 wrote to memory of 1880	4808	y3499828.exe	89
PID 4808 wrote to memory of 1880	4808	y3499828.exe	89
PID 4808 wrote to memory of 1880	4808	y3499828.exe	89
PID 4808 wrote to memory of 1384	4808	y3499828.exe	92
PID 4808 wrote to memory of 1384	4808	y3499828.exe	92
PID 4808 wrote to memory of 1384	4808	y3499828.exe	92

C:\Users\Admin\AppData\Local\Temp\122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
"C:\Users\Admin\AppData\Local\Temp\122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe
      4⤵
      Executes dropped EXE
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe
      4⤵
      Executes dropped EXE
      PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe

Filesize
271KB

MD5
b603e22cb2e5a96c44580842b8378a87

SHA1
a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe

SHA256
1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb

SHA512
cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe

Filesize
271KB

MD5
b603e22cb2e5a96c44580842b8378a87

SHA1
a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe

SHA256
1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb

SHA512
cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe

Filesize
140KB

MD5
0f7d89bd2b2cab8f2bb7e75d8cf5d045

SHA1
5ae7f5d816d4aa6405e5bbe46130e376392e86e6

SHA256
c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60

SHA512
2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe

Filesize
140KB

MD5
0f7d89bd2b2cab8f2bb7e75d8cf5d045

SHA1
5ae7f5d816d4aa6405e5bbe46130e376392e86e6

SHA256
c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60

SHA512
2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe

Filesize
174KB

MD5
c5a3567146b7c2b169e457502caa6116

SHA1
01c96aa80b1a84766b6f74b18c0d3312448e42a0

SHA256
8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c

SHA512
14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe

Filesize
174KB

MD5
c5a3567146b7c2b169e457502caa6116

SHA1
01c96aa80b1a84766b6f74b18c0d3312448e42a0

SHA256
8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c

SHA512
14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa

Download Submit
memory/556-15-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/556-3-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/556-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/556-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/556-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1384-25-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/1384-23-0x00000000000F0000-0x0000000000120000-memory.dmp

Filesize
192KB

Download
memory/1384-24-0x0000000004A10000-0x0000000004A16000-memory.dmp

Filesize
24KB

Download
memory/1384-22-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/1384-26-0x000000000A520000-0x000000000AB38000-memory.dmp

Filesize
6.1MB

Download
memory/1384-27-0x000000000A010000-0x000000000A11A000-memory.dmp

Filesize
1.0MB

Download
memory/1384-28-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1384-29-0x000000000A240000-0x000000000A252000-memory.dmp

Filesize
72KB

Download
memory/1384-30-0x000000000A2A0000-0x000000000A2DC000-memory.dmp

Filesize
240KB

Download
memory/1384-31-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1384-32-0x000000000A2E0000-0x000000000A32C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads