mystic | 1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7

General

Target

1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe
Size

2.5MB
MD5

1f664d1699b3dcf5bb3accc6566833e4
SHA1

a8ee465ce7702482e2e63d3ba06306ea80f2be25
SHA256

1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7
SHA512

bb970ae19fb933706e18fc71ebe8ee2c1b29033e83558ba752c3e763be7aaca89bfdf981b4c881bbf2267809faa32b068a22422fb6371233b65176b33a8366a2
SSDEEP

49152:VLMtyQ3eJziMp6a3vr78NlQx2F+VTZXC:VLMtLMQC8h+V

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002307c-16.dat	family_mystic
behavioral2/files/0x000800000002307c-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2856	y2657058.exe
3152	m8922010.exe
4036	n5792348.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2657058.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 4680 wrote to memory of 2424	4680	1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe	87
PID 2424 wrote to memory of 2856	2424	AppLaunch.exe	88
PID 2424 wrote to memory of 2856	2424	AppLaunch.exe	88
PID 2424 wrote to memory of 2856	2424	AppLaunch.exe	88
PID 2856 wrote to memory of 3152	2856	y2657058.exe	89
PID 2856 wrote to memory of 3152	2856	y2657058.exe	89
PID 2856 wrote to memory of 3152	2856	y2657058.exe	89
PID 2856 wrote to memory of 4036	2856	y2657058.exe	91
PID 2856 wrote to memory of 4036	2856	y2657058.exe	91
PID 2856 wrote to memory of 4036	2856	y2657058.exe	91

C:\Users\Admin\AppData\Local\Temp\1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe
"C:\Users\Admin\AppData\Local\Temp\1a6318902483aa2924177a48f84811036b841e7b4ffb0e0eb626b1d206a37ee7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe
      4⤵
      Executes dropped EXE
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe
      4⤵
      Executes dropped EXE
      PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe

Filesize
271KB

MD5
75af76b345832cb3fdd95176f320966a

SHA1
48f2c3b641b5da62b1dbbd5990e1a5b8f679a5db

SHA256
847578f24ec972efd962a2a79c66a093bb8bd13e9d55cf7d1b5cdc11d698a318

SHA512
7d1a2c9833252000638ec41f87355f3d520e09f7cbe17011fa861ca6a3331179e92ed454111bf6ebe8c9a0086236c601c8d213da96e475d4983eb85f78a9ae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2657058.exe

Filesize
271KB

MD5
75af76b345832cb3fdd95176f320966a

SHA1
48f2c3b641b5da62b1dbbd5990e1a5b8f679a5db

SHA256
847578f24ec972efd962a2a79c66a093bb8bd13e9d55cf7d1b5cdc11d698a318

SHA512
7d1a2c9833252000638ec41f87355f3d520e09f7cbe17011fa861ca6a3331179e92ed454111bf6ebe8c9a0086236c601c8d213da96e475d4983eb85f78a9ae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe

Filesize
140KB

MD5
fdaf573098aeb5e81aa13fc4123592d4

SHA1
813c0de2e9a7f6179fc59b3cfd22ef92411cdb2d

SHA256
09c7e44a353df54bcbc739ecb92b95df506ce0c5d11fa5bb5917759fe16b0ce9

SHA512
874eb9706ace1d17f80e17657da9aeadbe28b6bac9571dafb5dd4a634414030172159be4cd550bc56a4ef5fa5c8e0cc0b70df07e109ca0d63bc15c7a8fb39dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8922010.exe

Filesize
140KB

MD5
fdaf573098aeb5e81aa13fc4123592d4

SHA1
813c0de2e9a7f6179fc59b3cfd22ef92411cdb2d

SHA256
09c7e44a353df54bcbc739ecb92b95df506ce0c5d11fa5bb5917759fe16b0ce9

SHA512
874eb9706ace1d17f80e17657da9aeadbe28b6bac9571dafb5dd4a634414030172159be4cd550bc56a4ef5fa5c8e0cc0b70df07e109ca0d63bc15c7a8fb39dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe

Filesize
174KB

MD5
9a9968a39064de03ba78d203a2419970

SHA1
5a17ba05f391af5d63070a74e9767d11aab5ceb4

SHA256
7c5fa320ed9cd34224aec04a0a691ee884f6c8ecf211a987a91e862adffc12a2

SHA512
db7fcb14d9e66e6582fe0dc0f85bd7ea3947c03930766bc7cc4f3d97b461f3656f9ad8faa1154ac039395b48dc126941c9ce281df9d37cf6b70b77b25a205bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5792348.exe

Filesize
174KB

MD5
9a9968a39064de03ba78d203a2419970

SHA1
5a17ba05f391af5d63070a74e9767d11aab5ceb4

SHA256
7c5fa320ed9cd34224aec04a0a691ee884f6c8ecf211a987a91e862adffc12a2

SHA512
db7fcb14d9e66e6582fe0dc0f85bd7ea3947c03930766bc7cc4f3d97b461f3656f9ad8faa1154ac039395b48dc126941c9ce281df9d37cf6b70b77b25a205bad

Download Submit
memory/2424-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2424-1-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2424-2-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2424-3-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2424-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4036-21-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4036-23-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/4036-24-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4036-25-0x0000000005780000-0x0000000005786000-memory.dmp

Filesize
24KB

Download
memory/4036-26-0x000000000B3D0000-0x000000000B9E8000-memory.dmp

Filesize
6.1MB

Download
memory/4036-27-0x000000000AEC0000-0x000000000AFCA000-memory.dmp

Filesize
1.0MB

Download
memory/4036-28-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/4036-29-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/4036-30-0x000000000ADF0000-0x000000000AE2C000-memory.dmp

Filesize
240KB

Download
memory/4036-31-0x000000000AE30000-0x000000000AE7C000-memory.dmp

Filesize
304KB

Download
memory/4036-32-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads