mystic | ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0

General

Target

ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe
Size

741KB
MD5

c18668c0214ae3c707c0c23da80018d5
SHA1

5ca26749c7a266e1f45d7e009a96ba5e7a37abdc
SHA256

ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0
SHA512

f5da9dd17e8569befc476504b6c9779d7bc3b48cfcbc54ba7f65b56de99d79cb6aafb1b8579679bb397265b2eaca4381c401ae90a22b3ef8ab9464c064fe54af
SSDEEP

12288:z8//yfYb5BIQZVtA3F+FRRUiXI56cCFqOkPuYsDNuWWgwzya7NFoG0LE9:YiuBtZVXRULIFqOEuYM+gwzvroGz

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023209-16.dat	family_mystic
behavioral2/files/0x0007000000023209-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2712	y9930532.exe
4044	m0795598.exe
1600	n3952546.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9930532.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 3924 wrote to memory of 1984	3924	ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe	93
PID 1984 wrote to memory of 2712	1984	AppLaunch.exe	94
PID 1984 wrote to memory of 2712	1984	AppLaunch.exe	94
PID 1984 wrote to memory of 2712	1984	AppLaunch.exe	94
PID 2712 wrote to memory of 4044	2712	y9930532.exe	96
PID 2712 wrote to memory of 4044	2712	y9930532.exe	96
PID 2712 wrote to memory of 4044	2712	y9930532.exe	96
PID 2712 wrote to memory of 1600	2712	y9930532.exe	97
PID 2712 wrote to memory of 1600	2712	y9930532.exe	97
PID 2712 wrote to memory of 1600	2712	y9930532.exe	97

C:\Users\Admin\AppData\Local\Temp\ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe
"C:\Users\Admin\AppData\Local\Temp\ef0529d0b1be347ab3dc4d572ab9f67c58c0e3c5b248fb74de4b4474a9eefca0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9930532.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9930532.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0795598.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0795598.exe
      4⤵
      Executes dropped EXE
      PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3952546.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3952546.exe
      4⤵
      Executes dropped EXE
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9930532.exe

Filesize
271KB

MD5
804e9a5d8858941ff2b03c1fcb9e16bc

SHA1
ed3194aa1b57d956c4046b6c83e753d162d32836

SHA256
7602005caca43308be19b4bd4e31214cd835d5a5db3029fafa65c8da58c55df4

SHA512
bd4dc2367c1fe27d42a2a8d9b7e11366284e71b0bc37638ba137d31dc0c021081ddd2d954c44d0b4367916eb541e28c156c7680934705a0cc7c46c99c0aa6e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9930532.exe

Filesize
271KB

MD5
804e9a5d8858941ff2b03c1fcb9e16bc

SHA1
ed3194aa1b57d956c4046b6c83e753d162d32836

SHA256
7602005caca43308be19b4bd4e31214cd835d5a5db3029fafa65c8da58c55df4

SHA512
bd4dc2367c1fe27d42a2a8d9b7e11366284e71b0bc37638ba137d31dc0c021081ddd2d954c44d0b4367916eb541e28c156c7680934705a0cc7c46c99c0aa6e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0795598.exe

Filesize
140KB

MD5
faafedec3c7a85808c18c60a7cb9e75e

SHA1
dd168b59b184b26b74de3119f190d25719067d43

SHA256
bb04dca2802052c41dce0da0a46438a42aea9999910a2983ffedaf64304c1888

SHA512
e511e4490927c367880cb873dd09df062bb38316b529c5d64c09dfb921c584d9e91661289553f0cdabcdf92efbdb9e98a988c013d1fa350b1611bf3b29bddfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0795598.exe

Filesize
140KB

MD5
faafedec3c7a85808c18c60a7cb9e75e

SHA1
dd168b59b184b26b74de3119f190d25719067d43

SHA256
bb04dca2802052c41dce0da0a46438a42aea9999910a2983ffedaf64304c1888

SHA512
e511e4490927c367880cb873dd09df062bb38316b529c5d64c09dfb921c584d9e91661289553f0cdabcdf92efbdb9e98a988c013d1fa350b1611bf3b29bddfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3952546.exe

Filesize
174KB

MD5
de6c85d9d39b155c246bc43b6428d1f0

SHA1
7f9bed40212f982b4576dec92aaa04bde9ed776d

SHA256
a0cd86b66a29d956797886ade01634c3452e3767d683db54f7ec40720d88ec75

SHA512
c5bce1a0f15f2e4181a4f163dd68f72d8e6453b71322e117c50eed92a8fef639a359f69a60a221bbe42c44da242a2e6039a245c974c36d8496d83a2550e14732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3952546.exe

Filesize
174KB

MD5
de6c85d9d39b155c246bc43b6428d1f0

SHA1
7f9bed40212f982b4576dec92aaa04bde9ed776d

SHA256
a0cd86b66a29d956797886ade01634c3452e3767d683db54f7ec40720d88ec75

SHA512
c5bce1a0f15f2e4181a4f163dd68f72d8e6453b71322e117c50eed92a8fef639a359f69a60a221bbe42c44da242a2e6039a245c974c36d8496d83a2550e14732

Download Submit
memory/1600-21-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/1600-26-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/1600-32-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/1600-31-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Filesize
304KB

Download
memory/1600-30-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-22-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-23-0x0000000004C10000-0x0000000004C16000-memory.dmp

Filesize
24KB

Download
memory/1600-24-0x0000000005360000-0x0000000005978000-memory.dmp

Filesize
6.1MB

Download
memory/1600-25-0x0000000004E50000-0x0000000004F5A000-memory.dmp

Filesize
1.0MB

Download
memory/1600-27-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/1600-29-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/1984-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1984-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1984-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1984-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1984-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads