mystic | 02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0

General

Target

02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe
Size

742KB
MD5

dc0f33f640d4ff63c98d0301e872d196
SHA1

476cd471a39d90a37c1cdc1a857d7b4c63edaa5f
SHA256

02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0
SHA512

57755f049fd7ddd4deceb102efb0250611f2f01067c324fa8683395031352f2812e56a90949585222f80f84d1c220cbbddd7347f234a7e566eb8f30d4b8bb0d4
SSDEEP

12288:/B//yfYb5BIQZVtnLZXBGjDHjwyDEifNpblKPpyFwqKt0NY7R5JJbuEzBVF479:piuBtZTZxwPEi1ct0ONbj5y

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023067-17.dat	family_mystic
behavioral2/files/0x0007000000023067-18.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4128	y5364938.exe
3608	m9611676.exe
3528	n4082009.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5364938.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3920 set thread context of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 3920 wrote to memory of 2112	3920	02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe	87
PID 2112 wrote to memory of 4128	2112	AppLaunch.exe	88
PID 2112 wrote to memory of 4128	2112	AppLaunch.exe	88
PID 2112 wrote to memory of 4128	2112	AppLaunch.exe	88
PID 4128 wrote to memory of 3608	4128	y5364938.exe	91
PID 4128 wrote to memory of 3608	4128	y5364938.exe	91
PID 4128 wrote to memory of 3608	4128	y5364938.exe	91
PID 4128 wrote to memory of 3528	4128	y5364938.exe	92
PID 4128 wrote to memory of 3528	4128	y5364938.exe	92
PID 4128 wrote to memory of 3528	4128	y5364938.exe	92

C:\Users\Admin\AppData\Local\Temp\02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe
"C:\Users\Admin\AppData\Local\Temp\02f3472728c81bc22d0648476836d360c9e027e199399f262929128043f6bac0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5364938.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5364938.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9611676.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9611676.exe
      4⤵
      Executes dropped EXE
      PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4082009.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4082009.exe
      4⤵
      Executes dropped EXE
      PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5364938.exe

Filesize
272KB

MD5
a6d3fe5b91cf25e01fa211fba89ebb57

SHA1
2cf16c392167adc71f5a41d1b7c991874f140d23

SHA256
ea48ff0f73476f341ab3a713b48b3426642ea51b7a0e535ea16d28492e90667d

SHA512
904eccbc39476a19bdb89c054772fc517a371f09797ccfbb19049068aff40bf7787953e07e0ec28d5f57cbf027a678feac0cd4e06ca9009553561c4da3ec435f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5364938.exe

Filesize
272KB

MD5
a6d3fe5b91cf25e01fa211fba89ebb57

SHA1
2cf16c392167adc71f5a41d1b7c991874f140d23

SHA256
ea48ff0f73476f341ab3a713b48b3426642ea51b7a0e535ea16d28492e90667d

SHA512
904eccbc39476a19bdb89c054772fc517a371f09797ccfbb19049068aff40bf7787953e07e0ec28d5f57cbf027a678feac0cd4e06ca9009553561c4da3ec435f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9611676.exe

Filesize
140KB

MD5
2472e0a1c1ae65cdfaec0d18fdfe4c40

SHA1
b341c1bf1bd61a5467195fd05f136a83b69c4ad3

SHA256
01d43e94020afcf3ff5b320715b21351b40936a80b3ae5d4350b287361466742

SHA512
b6868422287635ffd2e693365d6d4985d25435bb2c432c30ddb795488e4f2e4c4aedd20bf32d4593af107e33ef96390f4aba6d8f9dc431e89a1d57fcb89cac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9611676.exe

Filesize
140KB

MD5
2472e0a1c1ae65cdfaec0d18fdfe4c40

SHA1
b341c1bf1bd61a5467195fd05f136a83b69c4ad3

SHA256
01d43e94020afcf3ff5b320715b21351b40936a80b3ae5d4350b287361466742

SHA512
b6868422287635ffd2e693365d6d4985d25435bb2c432c30ddb795488e4f2e4c4aedd20bf32d4593af107e33ef96390f4aba6d8f9dc431e89a1d57fcb89cac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4082009.exe

Filesize
175KB

MD5
1cf9fa05e48c63afce57f6c6eed1464f

SHA1
94eacfce0608d85515922c4aad98e07c6e3da38c

SHA256
6c1392ca337cf3f4cb590990c09f96929e92aa34678f7817e490e864df70a43d

SHA512
16f37dd371b41cea05bf7c59b5082d506e566de37a2f7244af996e3b54f3054601f54f804b2e97ffc02d89c75efa37b310e645af9aba6b3bd69971fc8aeb5fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4082009.exe

Filesize
175KB

MD5
1cf9fa05e48c63afce57f6c6eed1464f

SHA1
94eacfce0608d85515922c4aad98e07c6e3da38c

SHA256
6c1392ca337cf3f4cb590990c09f96929e92aa34678f7817e490e864df70a43d

SHA512
16f37dd371b41cea05bf7c59b5082d506e566de37a2f7244af996e3b54f3054601f54f804b2e97ffc02d89c75efa37b310e645af9aba6b3bd69971fc8aeb5fd0

Download Submit
memory/2112-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2112-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2112-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2112-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2112-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3528-25-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/3528-23-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/3528-24-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/3528-22-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/3528-26-0x000000000A980000-0x000000000AF98000-memory.dmp

Filesize
6.1MB

Download
memory/3528-27-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

Filesize
1.0MB

Download
memory/3528-28-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-29-0x00000000023F0000-0x0000000002402000-memory.dmp

Filesize
72KB

Download
memory/3528-30-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-31-0x0000000002450000-0x000000000248C000-memory.dmp

Filesize
240KB

Download
memory/3528-32-0x00000000022F0000-0x000000000233C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads