mystic | 35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122

General

Target

35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe
Size

742KB
MD5

54c5c31aeedfec77556026ade8842c8a
SHA1

ad6aacf4aecfacb6b62d6889e17cee3b4e85af4f
SHA256

35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122
SHA512

68607873f0104e2eaa9c7b2f3aad0247b59f5cbe1243c3491baf29843ffabc61bd86e1e40db65636ee3391f130e40836c5d605c0a3b442d7930dc7a58514223c
SSDEEP

12288:4r//yfYb5BIQZVtl+PYLaVsXzcYKk8KimW+lU0NypfhHHzhL43nZI9:2iuBtZYvVsXXKnKiJ+lUWyZhnzK3n2

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000231f3-16.dat	family_mystic
behavioral2/files/0x000b0000000231f3-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1428	y6075978.exe
1776	m7781484.exe
4000	n8924532.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6075978.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1204 wrote to memory of 1732	1204	35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe	93
PID 1732 wrote to memory of 1428	1732	AppLaunch.exe	94
PID 1732 wrote to memory of 1428	1732	AppLaunch.exe	94
PID 1732 wrote to memory of 1428	1732	AppLaunch.exe	94
PID 1428 wrote to memory of 1776	1428	y6075978.exe	95
PID 1428 wrote to memory of 1776	1428	y6075978.exe	95
PID 1428 wrote to memory of 1776	1428	y6075978.exe	95
PID 1428 wrote to memory of 4000	1428	y6075978.exe	96
PID 1428 wrote to memory of 4000	1428	y6075978.exe	96
PID 1428 wrote to memory of 4000	1428	y6075978.exe	96

C:\Users\Admin\AppData\Local\Temp\35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe
"C:\Users\Admin\AppData\Local\Temp\35562ead61c7492e5bc22fae61d89e8e70cd5e51b291fba1a2e123527340e122.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6075978.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6075978.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7781484.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7781484.exe
      4⤵
      Executes dropped EXE
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8924532.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8924532.exe
      4⤵
      Executes dropped EXE
      PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6075978.exe

Filesize
272KB

MD5
b431a64e8b613958285939f0e3999503

SHA1
f6e723704eaa1c689827a625bbdc6eddfddb2239

SHA256
049ed61c114c9e85961e5c8cb007b1fc4e4e08627f968401fa2ab6354736735e

SHA512
72f06b1461212807ec468b3173324e5993bcd88fe83c126a51063977814b57f1bd65b4b7d228d4218e35eab7f824d71f47f15595186ca64a989aee501422e20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6075978.exe

Filesize
272KB

MD5
b431a64e8b613958285939f0e3999503

SHA1
f6e723704eaa1c689827a625bbdc6eddfddb2239

SHA256
049ed61c114c9e85961e5c8cb007b1fc4e4e08627f968401fa2ab6354736735e

SHA512
72f06b1461212807ec468b3173324e5993bcd88fe83c126a51063977814b57f1bd65b4b7d228d4218e35eab7f824d71f47f15595186ca64a989aee501422e20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7781484.exe

Filesize
140KB

MD5
3a3ca0068784bfe0fb9968567b9006f9

SHA1
460d6cf0720f3c5e8d803c2a30ddae71ef8ecfcd

SHA256
32b753cadf727fad1efdca3bee8310f34d912ac317953410bf9fddf60cf8a680

SHA512
7fac87fc0ba5e43f7c5a15a15d8fbd45d9d1b21412c4d62335846c0f6f7ae6163056748397d3e716ad8ae7d65f0080e849370dcd99fd5aedb05c1de449d23787

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7781484.exe

Filesize
140KB

MD5
3a3ca0068784bfe0fb9968567b9006f9

SHA1
460d6cf0720f3c5e8d803c2a30ddae71ef8ecfcd

SHA256
32b753cadf727fad1efdca3bee8310f34d912ac317953410bf9fddf60cf8a680

SHA512
7fac87fc0ba5e43f7c5a15a15d8fbd45d9d1b21412c4d62335846c0f6f7ae6163056748397d3e716ad8ae7d65f0080e849370dcd99fd5aedb05c1de449d23787

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8924532.exe

Filesize
175KB

MD5
63d6199ac9b625d19f1ad8b853fd45df

SHA1
1fd063c39565e8b505b7ab91dfcb0257d3ab6bfb

SHA256
109bcf3f966386f2d7d376d8b20b5b95062bc7d3b5d6d49c233bccf65a91226c

SHA512
652969e4e498b781b503ad443835a11e41680660a1332760034a50a531df49981cc8beab4f0d23834a5d9085ff3ce77b1b649afc92bfa59f90a63b8bc3f5ca9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8924532.exe

Filesize
175KB

MD5
63d6199ac9b625d19f1ad8b853fd45df

SHA1
1fd063c39565e8b505b7ab91dfcb0257d3ab6bfb

SHA256
109bcf3f966386f2d7d376d8b20b5b95062bc7d3b5d6d49c233bccf65a91226c

SHA512
652969e4e498b781b503ad443835a11e41680660a1332760034a50a531df49981cc8beab4f0d23834a5d9085ff3ce77b1b649afc92bfa59f90a63b8bc3f5ca9e

Download Submit
memory/1732-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1732-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1732-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1732-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1732-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4000-21-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/4000-23-0x0000000003000000-0x0000000003006000-memory.dmp

Filesize
24KB

Download
memory/4000-24-0x0000000005DF0000-0x0000000006408000-memory.dmp

Filesize
6.1MB

Download
memory/4000-27-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/4000-26-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4000-25-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/4000-28-0x0000000005890000-0x00000000058CC000-memory.dmp

Filesize
240KB

Download
memory/4000-29-0x0000000005A00000-0x0000000005A4C000-memory.dmp

Filesize
304KB

Download
memory/4000-22-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-31-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-32-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads