mystic | aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a

General

Target

aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe
Size

742KB
MD5

c85ffd829fe425599cf8a66ec3d5f167
SHA1

62de26bff1d32ee79beafe423ce87684c91b27c0
SHA256

aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a
SHA512

9c59eb69b24c8ea872d408e600397bdba9f6e73db5f521c88b226911189d683f77c6760127cec419897ebad8a3871dbfe4a475604a212cbfeddbe6836490b4b4
SSDEEP

12288:Xa//yfYb5BIQZVtqOZJu8+ILcmujtOUtUy5PBc9OXw3Shvn4lUsCu8Lvfp1dsd/Y:KiuBtZHJu8+ucjjoo5PS9piBeCz3sd/Y

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ee-16.dat	family_mystic
behavioral2/files/0x00070000000231ee-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2116	y6652556.exe
4576	m0477185.exe
4852	n7893608.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6652556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3340 set thread context of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 3340 wrote to memory of 4940	3340	aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe	88
PID 4940 wrote to memory of 2116	4940	AppLaunch.exe	90
PID 4940 wrote to memory of 2116	4940	AppLaunch.exe	90
PID 4940 wrote to memory of 2116	4940	AppLaunch.exe	90
PID 2116 wrote to memory of 4576	2116	y6652556.exe	92
PID 2116 wrote to memory of 4576	2116	y6652556.exe	92
PID 2116 wrote to memory of 4576	2116	y6652556.exe	92
PID 2116 wrote to memory of 4852	2116	y6652556.exe	93
PID 2116 wrote to memory of 4852	2116	y6652556.exe	93
PID 2116 wrote to memory of 4852	2116	y6652556.exe	93

C:\Users\Admin\AppData\Local\Temp\aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe
"C:\Users\Admin\AppData\Local\Temp\aa9975911e07982ac68567812e63186e5c87a6bed3c640520cb7d92ad81ec15a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6652556.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6652556.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0477185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0477185.exe
      4⤵
      Executes dropped EXE
      PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7893608.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7893608.exe
      4⤵
      Executes dropped EXE
      PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6652556.exe

Filesize
272KB

MD5
76f64498720c11ec1d0de660efcf970b

SHA1
661423729ed1e2d29dfefe545b8077222f64d9b4

SHA256
553411e5ddb7395fc83f386fa830bbf4eb270866ab7bfa3db8ce5c8002fde242

SHA512
252a6f72f1add33844ec0457ff574800613bf10bd8d77078de2312a25f4a70c2d1eb0f2957875597c5851469d37e9126828cddd2f6631e84cf0cab162fc26565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6652556.exe

Filesize
272KB

MD5
76f64498720c11ec1d0de660efcf970b

SHA1
661423729ed1e2d29dfefe545b8077222f64d9b4

SHA256
553411e5ddb7395fc83f386fa830bbf4eb270866ab7bfa3db8ce5c8002fde242

SHA512
252a6f72f1add33844ec0457ff574800613bf10bd8d77078de2312a25f4a70c2d1eb0f2957875597c5851469d37e9126828cddd2f6631e84cf0cab162fc26565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0477185.exe

Filesize
140KB

MD5
6a3b44096d391388d25dd87f5e83594b

SHA1
665f2944ab96ca154e236c6881c83f58fabcc18e

SHA256
f663459397a2ec4d6b09d15ea7f366bdc7a36747c8367b608e5f9f1fd90512df

SHA512
c2d552b980186fe93a30953757460dee5e0fb8b721bb48db63bef71c95c70e50e5fb7e01c9a3c0006cf9fb848d913770c88ae1ced957591cf0e22261fefd7b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0477185.exe

Filesize
140KB

MD5
6a3b44096d391388d25dd87f5e83594b

SHA1
665f2944ab96ca154e236c6881c83f58fabcc18e

SHA256
f663459397a2ec4d6b09d15ea7f366bdc7a36747c8367b608e5f9f1fd90512df

SHA512
c2d552b980186fe93a30953757460dee5e0fb8b721bb48db63bef71c95c70e50e5fb7e01c9a3c0006cf9fb848d913770c88ae1ced957591cf0e22261fefd7b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7893608.exe

Filesize
175KB

MD5
bddf7157f8baaadea0dc238271c788d3

SHA1
f628285a3f8eb3001b4e4a2996c10b963464b24d

SHA256
9daa875e78ec8086f5442b23ff1fb997e255ec22ed0cb923f8ccda508d10476b

SHA512
5bbd5c012eb07f713f2424f9d89a9f3ac310690d6fdc6c23248cfccdb712fc17a76265d87a9d28618f03a050cde95b5a152c04d397930a8211b1ba7ad8428163

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7893608.exe

Filesize
175KB

MD5
bddf7157f8baaadea0dc238271c788d3

SHA1
f628285a3f8eb3001b4e4a2996c10b963464b24d

SHA256
9daa875e78ec8086f5442b23ff1fb997e255ec22ed0cb923f8ccda508d10476b

SHA512
5bbd5c012eb07f713f2424f9d89a9f3ac310690d6fdc6c23248cfccdb712fc17a76265d87a9d28618f03a050cde95b5a152c04d397930a8211b1ba7ad8428163

Download Submit
memory/4852-21-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/4852-28-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/4852-32-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/4852-31-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/4852-30-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/4852-22-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/4852-23-0x00000000030B0000-0x00000000030B6000-memory.dmp

Filesize
24KB

Download
memory/4852-24-0x0000000005DB0000-0x00000000063C8000-memory.dmp

Filesize
6.1MB

Download
memory/4852-25-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4852-29-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/4852-26-0x0000000003110000-0x0000000003122000-memory.dmp

Filesize
72KB

Download
memory/4940-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads