mystic | 2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0

General

Target

2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe
Size

742KB
MD5

e71b28e3bf543500ed2bffd58a5d3193
SHA1

5514aa60f3f9b8d9772aa46482e26873400ac286
SHA256

2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0
SHA512

6d77023f16c10b781f9bffeccba27175fd29f36f97cb6d6febd5cedbe809cc463b46930025c8006ec1774be1e9965fa194323c1f5fc7cbdb53675ff86265b960
SSDEEP

12288:od//yfYb5BIQZVtJa/GO3B/KZU7twYpptKWcGX4DnYcTzVbC8IbX9KamdG5j8PF9:giuBtZizZJwYfmGX4DYWAtj89XiVNO

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e1-16.dat	family_mystic
behavioral2/files/0x00070000000231e1-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4828	y3213497.exe
5052	m4626236.exe
2748	n5889237.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3213497.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4700	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	93
PID 4920 wrote to memory of 4700	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	93
PID 4920 wrote to memory of 4700	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	93
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 4920 wrote to memory of 2924	4920	2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe	94
PID 2924 wrote to memory of 4828	2924	AppLaunch.exe	95
PID 2924 wrote to memory of 4828	2924	AppLaunch.exe	95
PID 2924 wrote to memory of 4828	2924	AppLaunch.exe	95
PID 4828 wrote to memory of 5052	4828	y3213497.exe	96
PID 4828 wrote to memory of 5052	4828	y3213497.exe	96
PID 4828 wrote to memory of 5052	4828	y3213497.exe	96
PID 4828 wrote to memory of 2748	4828	y3213497.exe	97
PID 4828 wrote to memory of 2748	4828	y3213497.exe	97
PID 4828 wrote to memory of 2748	4828	y3213497.exe	97

C:\Users\Admin\AppData\Local\Temp\2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe
"C:\Users\Admin\AppData\Local\Temp\2724af8206b8d7a960bebb0f79de8afdf65db65b99057a05bd9257191957aed0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3213497.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3213497.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4626236.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4626236.exe
      4⤵
      Executes dropped EXE
      PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5889237.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5889237.exe
      4⤵
      Executes dropped EXE
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3213497.exe

Filesize
271KB

MD5
20edcc73b51f3ce8d967d080dc87d472

SHA1
4899f1ce1063812bfe2e4416e2f36ccd0bc3f59a

SHA256
a8bf8d9ccfebba12223174145530a1ec9284d6e6d9ca4b0d0e7ad85687a67291

SHA512
1ace063fc394ec4288e73954a99f114dee27258cfb325c14541f9d88b1f73e3436f1d67b62e182a92a61cea93372a8983f2766e03cd563c7d0f5c3a84c4bcb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3213497.exe

Filesize
271KB

MD5
20edcc73b51f3ce8d967d080dc87d472

SHA1
4899f1ce1063812bfe2e4416e2f36ccd0bc3f59a

SHA256
a8bf8d9ccfebba12223174145530a1ec9284d6e6d9ca4b0d0e7ad85687a67291

SHA512
1ace063fc394ec4288e73954a99f114dee27258cfb325c14541f9d88b1f73e3436f1d67b62e182a92a61cea93372a8983f2766e03cd563c7d0f5c3a84c4bcb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4626236.exe

Filesize
140KB

MD5
dff524ad2b0124d47d061ced568d63dd

SHA1
f31f16fcab070a859d88b4355f8d351fca60cc35

SHA256
639dec563124a2a994e9ace9a15558a9a2054c63567c933952c373ae3859a2a7

SHA512
a4bf65fb724c47ff1711730b614fd67738bbfdaaf69e61cd4fe4689900a73e45323fc38f3df0139f2d068010a67502f82559fef1f8e6b1754e3b442ec7f9763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4626236.exe

Filesize
140KB

MD5
dff524ad2b0124d47d061ced568d63dd

SHA1
f31f16fcab070a859d88b4355f8d351fca60cc35

SHA256
639dec563124a2a994e9ace9a15558a9a2054c63567c933952c373ae3859a2a7

SHA512
a4bf65fb724c47ff1711730b614fd67738bbfdaaf69e61cd4fe4689900a73e45323fc38f3df0139f2d068010a67502f82559fef1f8e6b1754e3b442ec7f9763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5889237.exe

Filesize
174KB

MD5
e991aecfbe160f99cbdeaf13bad97923

SHA1
b4e6e8ee0b2daa7bc1689c39736cd6fad5a2f764

SHA256
e7b2b3d35a2e81ee5396e07bcceae6539433ca57470f8f3ab2509d2cd84226e2

SHA512
ad0c734afe13fa8c5b3cf62258e64e759b31170a6beb766d57d4bfcdbb2bd69a8276056c81c2fc91536d9c4d87c7b85790dad27e14b7ed19bd5a7cd0b32b70ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5889237.exe

Filesize
174KB

MD5
e991aecfbe160f99cbdeaf13bad97923

SHA1
b4e6e8ee0b2daa7bc1689c39736cd6fad5a2f764

SHA256
e7b2b3d35a2e81ee5396e07bcceae6539433ca57470f8f3ab2509d2cd84226e2

SHA512
ad0c734afe13fa8c5b3cf62258e64e759b31170a6beb766d57d4bfcdbb2bd69a8276056c81c2fc91536d9c4d87c7b85790dad27e14b7ed19bd5a7cd0b32b70ce

Download Submit
memory/2748-21-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/2748-27-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/2748-32-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/2748-31-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2748-29-0x00000000056F0000-0x000000000573C000-memory.dmp

Filesize
304KB

Download
memory/2748-22-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2748-23-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

Filesize
24KB

Download
memory/2748-24-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/2748-25-0x00000000055E0000-0x00000000056EA000-memory.dmp

Filesize
1.0MB

Download
memory/2748-26-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/2748-28-0x0000000005580000-0x00000000055BC000-memory.dmp

Filesize
240KB

Download
memory/2924-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2924-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2924-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2924-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2924-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads