mystic | 0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c

General

Target

0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe
Size

742KB
MD5

77b1412a26dcb1e794fcc91750f6d616
SHA1

637b78b6db9bb2dc5bbfdc798b9a968a6ed9fb12
SHA256

0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c
SHA512

ca2db54c592efa905fb350d18f9152691802cfac19321a3a07f6ced5c064d94390c0b9d4a01b9b54ae7b11a85e2123f500ddd5deab0bf881bd80a7176dfb524c
SSDEEP

12288:e3//yfYb5BIQZVtMPLHzavXjNxPV5FSHaiFRGG86njlgSmWBICBubNRvmrOs/C9:MiuBtZKzavXjV5gdjdnjlgSLILbNMOse

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023218-16.dat	family_mystic
behavioral2/files/0x0007000000023218-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3792	y7318103.exe
3104	m1916338.exe
752	n6942017.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7318103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1128 wrote to memory of 1988	1128	0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe	95
PID 1988 wrote to memory of 3792	1988	AppLaunch.exe	96
PID 1988 wrote to memory of 3792	1988	AppLaunch.exe	96
PID 1988 wrote to memory of 3792	1988	AppLaunch.exe	96
PID 3792 wrote to memory of 3104	3792	y7318103.exe	98
PID 3792 wrote to memory of 3104	3792	y7318103.exe	98
PID 3792 wrote to memory of 3104	3792	y7318103.exe	98
PID 3792 wrote to memory of 752	3792	y7318103.exe	99
PID 3792 wrote to memory of 752	3792	y7318103.exe	99
PID 3792 wrote to memory of 752	3792	y7318103.exe	99

C:\Users\Admin\AppData\Local\Temp\0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe
"C:\Users\Admin\AppData\Local\Temp\0f8dad9bd2936d342978ee8646d1a61f1ceb199b29f87593139e16e8b76afc7c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7318103.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7318103.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1916338.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1916338.exe
      4⤵
      Executes dropped EXE
      PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6942017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6942017.exe
      4⤵
      Executes dropped EXE
      PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7318103.exe

Filesize
272KB

MD5
c7b20ab32ba0f6c17fc8ccd363deb268

SHA1
a6b1cc2b3cc109ba1bd554315909fd9952d1838a

SHA256
4554bf088e18e967a8aa56b03b0648493880e6b55c5bc11bab50078af4699837

SHA512
b924a68b8425496c4f23bdf0971d80443e104cb38401419e4729f39fd6bdc87c8ffc82d7ecedbab81206ddce66ffd950e26aed2c5ec0cd930f982db1459bf53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7318103.exe

Filesize
272KB

MD5
c7b20ab32ba0f6c17fc8ccd363deb268

SHA1
a6b1cc2b3cc109ba1bd554315909fd9952d1838a

SHA256
4554bf088e18e967a8aa56b03b0648493880e6b55c5bc11bab50078af4699837

SHA512
b924a68b8425496c4f23bdf0971d80443e104cb38401419e4729f39fd6bdc87c8ffc82d7ecedbab81206ddce66ffd950e26aed2c5ec0cd930f982db1459bf53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1916338.exe

Filesize
140KB

MD5
e87c0f4905744b029a10b2c49fa34a05

SHA1
b6eee9bdaf36be5d85b376a76ee43d4af5a3ac59

SHA256
7378fa6e1e57d48cfc80cdfd582ccdae76c69a7a5641292b2c82dab110e142d0

SHA512
76e7966d31c3d2b0edc831cc53ed9a45b4d5a2cefad095d4ae87c9938686aeddd71265a5b9532fa6943f7ef10e45ed052defd75f6cb64464701ddf00804126c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1916338.exe

Filesize
140KB

MD5
e87c0f4905744b029a10b2c49fa34a05

SHA1
b6eee9bdaf36be5d85b376a76ee43d4af5a3ac59

SHA256
7378fa6e1e57d48cfc80cdfd582ccdae76c69a7a5641292b2c82dab110e142d0

SHA512
76e7966d31c3d2b0edc831cc53ed9a45b4d5a2cefad095d4ae87c9938686aeddd71265a5b9532fa6943f7ef10e45ed052defd75f6cb64464701ddf00804126c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6942017.exe

Filesize
175KB

MD5
8f1687ef9a2ccf4fb62a117e4a5de4db

SHA1
1eac3eeae16ff7e72feae9a365c1295a23fc2bfb

SHA256
595b3485917fa089a06f5d7f2c6f93f82c38ed487e7bb19d1a8b309baa1ef971

SHA512
8f96e967ba3e90540c21d15d6d72c87d64fde063bf1c90af4c9f5b122454f27cc1437e6a08ba7c185167eca808f1c557f37cc9a523e9fdcc0273ec928b7aca75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6942017.exe

Filesize
175KB

MD5
8f1687ef9a2ccf4fb62a117e4a5de4db

SHA1
1eac3eeae16ff7e72feae9a365c1295a23fc2bfb

SHA256
595b3485917fa089a06f5d7f2c6f93f82c38ed487e7bb19d1a8b309baa1ef971

SHA512
8f96e967ba3e90540c21d15d6d72c87d64fde063bf1c90af4c9f5b122454f27cc1437e6a08ba7c185167eca808f1c557f37cc9a523e9fdcc0273ec928b7aca75

Download Submit
memory/752-21-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/752-26-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/752-32-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/752-31-0x0000000073BE0000-0x0000000074390000-memory.dmp

Filesize
7.7MB

Download
memory/752-30-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download
memory/752-22-0x0000000073BE0000-0x0000000074390000-memory.dmp

Filesize
7.7MB

Download
memory/752-23-0x00000000026E0000-0x00000000026E6000-memory.dmp

Filesize
24KB

Download
memory/752-24-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/752-25-0x0000000004FA0000-0x00000000050AA000-memory.dmp

Filesize
1.0MB

Download
memory/752-27-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/752-28-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/1988-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-29-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads