mystic | 1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa

General

Target

1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe
Size

742KB
MD5

29b27b4a1233bb03f71d5339955e3441
SHA1

fa5a11c3c9f089d0ae5f58114c135fb0c871aeec
SHA256

1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa
SHA512

b7eb79cd85dee464b1ef4c64d3adc2cc2f73cfb901576ffb17b62d78d03db242cb1e30f6c064d95d2e00e24750946046d7e67c0d7da8bfc3e57554c6cfb40bf8
SSDEEP

12288:Ol//yfYb5BIQZVtxiVSIHl5O8Yg8EWoa5DJN/8GEBQpZFikrgafBiwqeNA89:GiuBtZcHF5O80oaFl3VrgGP

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000900000002308e-16.dat	family_mystic
behavioral2/files/0x000900000002308e-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4352	y4018535.exe
3244	m6885952.exe
3024	n2973399.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4018535.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4132 set thread context of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3692	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	89
PID 4132 wrote to memory of 3692	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	89
PID 4132 wrote to memory of 3692	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	89
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4132 wrote to memory of 4312	4132	1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe	90
PID 4312 wrote to memory of 4352	4312	AppLaunch.exe	91
PID 4312 wrote to memory of 4352	4312	AppLaunch.exe	91
PID 4312 wrote to memory of 4352	4312	AppLaunch.exe	91
PID 4352 wrote to memory of 3244	4352	y4018535.exe	92
PID 4352 wrote to memory of 3244	4352	y4018535.exe	92
PID 4352 wrote to memory of 3244	4352	y4018535.exe	92
PID 4352 wrote to memory of 3024	4352	y4018535.exe	93
PID 4352 wrote to memory of 3024	4352	y4018535.exe	93
PID 4352 wrote to memory of 3024	4352	y4018535.exe	93

C:\Users\Admin\AppData\Local\Temp\1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe
"C:\Users\Admin\AppData\Local\Temp\1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4018535.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4018535.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6885952.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6885952.exe
      4⤵
      Executes dropped EXE
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2973399.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2973399.exe
      4⤵
      Executes dropped EXE
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4018535.exe

Filesize
272KB

MD5
ba542f1c1d34fe5d5f8e67c8e205921d

SHA1
42ebf31450682b4a3e701acc50a295208fe913ef

SHA256
d878f493898a41e99c974a45fee572608640e86a559d047f3247b0962c40c86e

SHA512
4369b119a63457f47f4590c4f50c04baed14b3744e4d8e41f9cecedde26c62b40c38ea7baeb9e76038d4326e39b793559e6384303116eebd6cc34a1e37d59418

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4018535.exe

Filesize
272KB

MD5
ba542f1c1d34fe5d5f8e67c8e205921d

SHA1
42ebf31450682b4a3e701acc50a295208fe913ef

SHA256
d878f493898a41e99c974a45fee572608640e86a559d047f3247b0962c40c86e

SHA512
4369b119a63457f47f4590c4f50c04baed14b3744e4d8e41f9cecedde26c62b40c38ea7baeb9e76038d4326e39b793559e6384303116eebd6cc34a1e37d59418

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6885952.exe

Filesize
140KB

MD5
853dff20cf0a2f19b5a04826d89fc322

SHA1
1473b1e359318c1bb23fe10caf39c213ec2f692b

SHA256
1ae8cdfa8ac3d7afb963585a29900ef9fb5a2b29e45c110e07d4c937ac0021b9

SHA512
63cb9571292193fb271b5b8ac66a0d20bf10024cac58edd171ffcc4e43447785a96effc89fcfe2888ac8d4eaa57afac32e8f72f7a6b19d04fc41acbb0f6abf25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6885952.exe

Filesize
140KB

MD5
853dff20cf0a2f19b5a04826d89fc322

SHA1
1473b1e359318c1bb23fe10caf39c213ec2f692b

SHA256
1ae8cdfa8ac3d7afb963585a29900ef9fb5a2b29e45c110e07d4c937ac0021b9

SHA512
63cb9571292193fb271b5b8ac66a0d20bf10024cac58edd171ffcc4e43447785a96effc89fcfe2888ac8d4eaa57afac32e8f72f7a6b19d04fc41acbb0f6abf25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2973399.exe

Filesize
174KB

MD5
c720253e37d66daad6d860766a029f67

SHA1
87a56b493f62476d824ed5385857be59226b0142

SHA256
86d29c0c3d8bd382030f1fbd9c495c16de74b6d873286d4acd4ecf2bccaf61b2

SHA512
944608b2e9676cff92fac7cdba4fb79ea61e2e667528b02f8cd4f7628f1b0aafca85a2562bebba91030a7e51bbecf3dd606fa89508e106c17ea770fe950fffdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2973399.exe

Filesize
174KB

MD5
c720253e37d66daad6d860766a029f67

SHA1
87a56b493f62476d824ed5385857be59226b0142

SHA256
86d29c0c3d8bd382030f1fbd9c495c16de74b6d873286d4acd4ecf2bccaf61b2

SHA512
944608b2e9676cff92fac7cdba4fb79ea61e2e667528b02f8cd4f7628f1b0aafca85a2562bebba91030a7e51bbecf3dd606fa89508e106c17ea770fe950fffdf

Download Submit
memory/3024-21-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3024-28-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3024-32-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3024-31-0x0000000004A10000-0x0000000004A5C000-memory.dmp

Filesize
304KB

Download
memory/3024-30-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/3024-22-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/3024-23-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/3024-29-0x0000000009F60000-0x0000000009F72000-memory.dmp

Filesize
72KB

Download
memory/3024-25-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3024-26-0x000000000A4E0000-0x000000000AAF8000-memory.dmp

Filesize
6.1MB

Download
memory/3024-27-0x000000000A020000-0x000000000A12A000-memory.dmp

Filesize
1.0MB

Download
memory/4312-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4312-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4312-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4312-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4312-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads