mystic | 9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79

General

Target

9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe
Size

2.5MB
MD5

bc662b9f4a4d532ad2dbceba21f44d11
SHA1

bdfae10c8b50adb8d4e92d487e4ba69345bb0df4
SHA256

9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79
SHA512

a228294ea7836fc975dd563f1db42e9d8a11fe3f3bd2788fc5ed7df9f56e7a33c4437f3a29a18dd588355fe02c5ab205bde6b6a1b00f10c3233a446821fd8f90
SSDEEP

49152:G9RodsK5RBoEs6a3voe+EGfDNvr/CR+yg3eIffg6:G9RoUELl7/fh/wAfo

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e7-16.dat	family_mystic
behavioral2/files/0x00070000000231e7-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1924	y9462525.exe
4264	m1379250.exe
3084	n7434794.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9462525.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 3368 wrote to memory of 2068	3368	9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe	96
PID 2068 wrote to memory of 1924	2068	AppLaunch.exe	97
PID 2068 wrote to memory of 1924	2068	AppLaunch.exe	97
PID 2068 wrote to memory of 1924	2068	AppLaunch.exe	97
PID 1924 wrote to memory of 4264	1924	y9462525.exe	98
PID 1924 wrote to memory of 4264	1924	y9462525.exe	98
PID 1924 wrote to memory of 4264	1924	y9462525.exe	98
PID 1924 wrote to memory of 3084	1924	y9462525.exe	99
PID 1924 wrote to memory of 3084	1924	y9462525.exe	99
PID 1924 wrote to memory of 3084	1924	y9462525.exe	99

C:\Users\Admin\AppData\Local\Temp\9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe
"C:\Users\Admin\AppData\Local\Temp\9085f734e35e609d36a6419dbe3971a712fd17e114249a3924a44bc57ca9af79.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9462525.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9462525.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1379250.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1379250.exe
      4⤵
      Executes dropped EXE
      PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7434794.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7434794.exe
      4⤵
      Executes dropped EXE
      PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9462525.exe

Filesize
271KB

MD5
7786174476171f241758e1ce2cb72b52

SHA1
4c32ee94835cf6d4de567bb7b4da9bd8c5a8a31d

SHA256
3c0691bf96e981d0d14c48abf3cdf962c4bb2b72d4ca8dc62ed730c7c6ee3a9c

SHA512
e2c6bf1de24ae72d6185c9774b8e1ff3739f23a785f05050047f3d23b712d715330031a84918092be2fd9e6ca3ac0414335c8899ac138dc2b4ea280e6a42093d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9462525.exe

Filesize
271KB

MD5
7786174476171f241758e1ce2cb72b52

SHA1
4c32ee94835cf6d4de567bb7b4da9bd8c5a8a31d

SHA256
3c0691bf96e981d0d14c48abf3cdf962c4bb2b72d4ca8dc62ed730c7c6ee3a9c

SHA512
e2c6bf1de24ae72d6185c9774b8e1ff3739f23a785f05050047f3d23b712d715330031a84918092be2fd9e6ca3ac0414335c8899ac138dc2b4ea280e6a42093d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1379250.exe

Filesize
140KB

MD5
81f9872208c8d537e5c4580f1ab706b3

SHA1
e95b56fe582e97c84d41b16b6982b46afc374dff

SHA256
2cabaa9ac9cdb6796413de997802c1c74f2bd3d173c3baef9122624ddd4cabce

SHA512
d5cc7351e70fb971bfae6dd2e6ce1320d3275f60b977cebf069a46bc767583a76b89762f3d2430b496709fc22c561ed051c4464a419665617b4df6f14dc55b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1379250.exe

Filesize
140KB

MD5
81f9872208c8d537e5c4580f1ab706b3

SHA1
e95b56fe582e97c84d41b16b6982b46afc374dff

SHA256
2cabaa9ac9cdb6796413de997802c1c74f2bd3d173c3baef9122624ddd4cabce

SHA512
d5cc7351e70fb971bfae6dd2e6ce1320d3275f60b977cebf069a46bc767583a76b89762f3d2430b496709fc22c561ed051c4464a419665617b4df6f14dc55b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7434794.exe

Filesize
174KB

MD5
ef16eeba395715cb35ce7cbce309385b

SHA1
ddc800290c980d113e9b7d0b543238977f663f82

SHA256
a9a3945cb09bbf79fb4f53c15dcb3094fb0a779e41e4e8a0d8e0d5b625fa5281

SHA512
991de2b4bd034db76205b9188789ee1249edcf3374a7035e3e1aa463d8c357dd134d435e4a4c4a9d820a2d12dde2abe60d7f2c114bd517375077642d8f8e650a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7434794.exe

Filesize
174KB

MD5
ef16eeba395715cb35ce7cbce309385b

SHA1
ddc800290c980d113e9b7d0b543238977f663f82

SHA256
a9a3945cb09bbf79fb4f53c15dcb3094fb0a779e41e4e8a0d8e0d5b625fa5281

SHA512
991de2b4bd034db76205b9188789ee1249edcf3374a7035e3e1aa463d8c357dd134d435e4a4c4a9d820a2d12dde2abe60d7f2c114bd517375077642d8f8e650a

Download Submit
memory/2068-30-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2068-1-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2068-2-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2068-3-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2068-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3084-21-0x0000000000640000-0x0000000000670000-memory.dmp

Filesize
192KB

Download
memory/3084-23-0x0000000001210000-0x0000000001216000-memory.dmp

Filesize
24KB

Download
memory/3084-24-0x000000000AAF0000-0x000000000B108000-memory.dmp

Filesize
6.1MB

Download
memory/3084-25-0x000000000A5F0000-0x000000000A6FA000-memory.dmp

Filesize
1.0MB

Download
memory/3084-26-0x000000000A530000-0x000000000A542000-memory.dmp

Filesize
72KB

Download
memory/3084-27-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3084-28-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/3084-29-0x000000000A700000-0x000000000A74C000-memory.dmp

Filesize
304KB

Download
memory/3084-22-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-31-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-32-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads