mystic | 1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7

Analysis

max time kernel
145s
max time network
174s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe
Size

2.5MB
MD5

1f664d1699b3dcf5bb3accc6566833e4
SHA1

a8ee465ce7702482e2e63d3ba06306ea80f2be25
SHA256

1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7
SHA512

bb970ae19fb933706e18fc71ebe8ee2c1b29033e83558ba752c3e763be7aaca89bfdf981b4c881bbf2267809faa32b068a22422fb6371233b65176b33a8366a2
SSDEEP

49152:VLMtyQ3eJziMp6a3vr78NlQx2F+VTZXC:VLMtLMQC8h+V

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015eb0-29.dat	family_mystic
behavioral1/files/0x0008000000015eb0-32.dat	family_mystic
behavioral1/files/0x0008000000015eb0-33.dat	family_mystic
behavioral1/files/0x0008000000015eb0-34.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2680	y2657058.exe
2400	m8922010.exe
2572	n5792348.exe

Loads dropped DLL 6 IoCs

pid	Process
2328	AppLaunch.exe
2680	y2657058.exe
2680	y2657058.exe
2400	m8922010.exe
2680	y2657058.exe
2572	n5792348.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2657058.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2444	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	29
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 1964 wrote to memory of 2328	1964	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	30
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2328 wrote to memory of 2680	2328	AppLaunch.exe	31
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2400	2680	y2657058.exe	32
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33
PID 2680 wrote to memory of 2572	2680	y2657058.exe	33

C:\Users\Admin\AppData\Local\Temp\1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe
"C:\Users\Admin\AppData\Local\Temp\1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe

Filesize
271KB

MD5
75af76b345832cb3fdd95176f320966a

SHA1
48f2c3b641b5da62b1dbbd5990e1a5b8f679a5db

SHA256
847578f24ec972efd962a2a79c66a093bb8bd13e9d55cf7d1b5cdc11d698a318

SHA512
7d1a2c9833252000638ec41f87355f3d520e09f7cbe17011fa861ca6a3331179e92ed454111bf6ebe8c9a0086236c601c8d213da96e475d4983eb85f78a9ae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe

Filesize
271KB

MD5
75af76b345832cb3fdd95176f320966a

SHA1
48f2c3b641b5da62b1dbbd5990e1a5b8f679a5db

SHA256
847578f24ec972efd962a2a79c66a093bb8bd13e9d55cf7d1b5cdc11d698a318

SHA512
7d1a2c9833252000638ec41f87355f3d520e09f7cbe17011fa861ca6a3331179e92ed454111bf6ebe8c9a0086236c601c8d213da96e475d4983eb85f78a9ae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe

Filesize
140KB

MD5
fdaf573098aeb5e81aa13fc4123592d4

SHA1
813c0de2e9a7f6179fc59b3cfd22ef92411cdb2d

SHA256
09c7e44a353df54bcbc739ecb92b95df506ce0c5d11fa5bb5917759fe16b0ce9

SHA512
874eb9706ace1d17f80e17657da9aeadbe28b6bac9571dafb5dd4a634414030172159be4cd550bc56a4ef5fa5c8e0cc0b70df07e109ca0d63bc15c7a8fb39dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe

Filesize
140KB

MD5
fdaf573098aeb5e81aa13fc4123592d4

SHA1
813c0de2e9a7f6179fc59b3cfd22ef92411cdb2d

SHA256
09c7e44a353df54bcbc739ecb92b95df506ce0c5d11fa5bb5917759fe16b0ce9

SHA512
874eb9706ace1d17f80e17657da9aeadbe28b6bac9571dafb5dd4a634414030172159be4cd550bc56a4ef5fa5c8e0cc0b70df07e109ca0d63bc15c7a8fb39dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe

Filesize
174KB

MD5
9a9968a39064de03ba78d203a2419970

SHA1
5a17ba05f391af5d63070a74e9767d11aab5ceb4

SHA256
7c5fa320ed9cd34224aec04a0a691ee884f6c8ecf211a987a91e862adffc12a2

SHA512
db7fcb14d9e66e6582fe0dc0f85bd7ea3947c03930766bc7cc4f3d97b461f3656f9ad8faa1154ac039395b48dc126941c9ce281df9d37cf6b70b77b25a205bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe

Filesize
174KB

MD5
9a9968a39064de03ba78d203a2419970

SHA1
5a17ba05f391af5d63070a74e9767d11aab5ceb4

SHA256
7c5fa320ed9cd34224aec04a0a691ee884f6c8ecf211a987a91e862adffc12a2

SHA512
db7fcb14d9e66e6582fe0dc0f85bd7ea3947c03930766bc7cc4f3d97b461f3656f9ad8faa1154ac039395b48dc126941c9ce281df9d37cf6b70b77b25a205bad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe

Filesize
271KB

MD5
75af76b345832cb3fdd95176f320966a

SHA1
48f2c3b641b5da62b1dbbd5990e1a5b8f679a5db

SHA256
847578f24ec972efd962a2a79c66a093bb8bd13e9d55cf7d1b5cdc11d698a318

SHA512
7d1a2c9833252000638ec41f87355f3d520e09f7cbe17011fa861ca6a3331179e92ed454111bf6ebe8c9a0086236c601c8d213da96e475d4983eb85f78a9ae52

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe

Filesize
271KB

MD5
75af76b345832cb3fdd95176f320966a

SHA1
48f2c3b641b5da62b1dbbd5990e1a5b8f679a5db

SHA256
847578f24ec972efd962a2a79c66a093bb8bd13e9d55cf7d1b5cdc11d698a318

SHA512
7d1a2c9833252000638ec41f87355f3d520e09f7cbe17011fa861ca6a3331179e92ed454111bf6ebe8c9a0086236c601c8d213da96e475d4983eb85f78a9ae52

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe

Filesize
140KB

MD5
fdaf573098aeb5e81aa13fc4123592d4

SHA1
813c0de2e9a7f6179fc59b3cfd22ef92411cdb2d

SHA256
09c7e44a353df54bcbc739ecb92b95df506ce0c5d11fa5bb5917759fe16b0ce9

SHA512
874eb9706ace1d17f80e17657da9aeadbe28b6bac9571dafb5dd4a634414030172159be4cd550bc56a4ef5fa5c8e0cc0b70df07e109ca0d63bc15c7a8fb39dcc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe

Filesize
140KB

MD5
fdaf573098aeb5e81aa13fc4123592d4

SHA1
813c0de2e9a7f6179fc59b3cfd22ef92411cdb2d

SHA256
09c7e44a353df54bcbc739ecb92b95df506ce0c5d11fa5bb5917759fe16b0ce9

SHA512
874eb9706ace1d17f80e17657da9aeadbe28b6bac9571dafb5dd4a634414030172159be4cd550bc56a4ef5fa5c8e0cc0b70df07e109ca0d63bc15c7a8fb39dcc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe

Filesize
174KB

MD5
9a9968a39064de03ba78d203a2419970

SHA1
5a17ba05f391af5d63070a74e9767d11aab5ceb4

SHA256
7c5fa320ed9cd34224aec04a0a691ee884f6c8ecf211a987a91e862adffc12a2

SHA512
db7fcb14d9e66e6582fe0dc0f85bd7ea3947c03930766bc7cc4f3d97b461f3656f9ad8faa1154ac039395b48dc126941c9ce281df9d37cf6b70b77b25a205bad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe

Filesize
174KB

MD5
9a9968a39064de03ba78d203a2419970

SHA1
5a17ba05f391af5d63070a74e9767d11aab5ceb4

SHA256
7c5fa320ed9cd34224aec04a0a691ee884f6c8ecf211a987a91e862adffc12a2

SHA512
db7fcb14d9e66e6582fe0dc0f85bd7ea3947c03930766bc7cc4f3d97b461f3656f9ad8faa1154ac039395b48dc126941c9ce281df9d37cf6b70b77b25a205bad

Download Submit
memory/2328-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-6-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-5-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-4-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-2-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2328-43-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2572-42-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2572-41-0x0000000001180000-0x00000000011B0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads