mystic | 7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca

General

Target

7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe
Size

742KB
MD5

2ea88d1ecfd24025dfa9e35849cadcba
SHA1

3b29499b52efad983ce96cccd9e557e612024b10
SHA256

7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca
SHA512

86da2851db4d4db23d8b20922a1e9b741c982eb77ca53205c43834aa9b699f9f71fab4000bdc91cc1019d3ede27b511ebd9919218a5cdf39863f37aedeaf88a0
SSDEEP

12288:kR//yfYb5BIQZVtHPs9eQU9pHaO/RW/Bj4z0sNQ26HFCpRk/uIBaFCSp6VihvT9:AiuBtZs26O/RyglN6Fb/4CJa

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000230d1-16.dat	family_mystic
behavioral2/files/0x00070000000230d1-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3608	y7432870.exe
4344	m5089754.exe
2964	n2223392.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7432870.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 3160	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	87
PID 4644 wrote to memory of 3160	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	87
PID 4644 wrote to memory of 3160	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	87
PID 4644 wrote to memory of 1928	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	88
PID 4644 wrote to memory of 1928	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	88
PID 4644 wrote to memory of 1928	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	88
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 4644 wrote to memory of 3452	4644	7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe	89
PID 3452 wrote to memory of 3608	3452	AppLaunch.exe	92
PID 3452 wrote to memory of 3608	3452	AppLaunch.exe	92
PID 3452 wrote to memory of 3608	3452	AppLaunch.exe	92
PID 3608 wrote to memory of 4344	3608	y7432870.exe	94
PID 3608 wrote to memory of 4344	3608	y7432870.exe	94
PID 3608 wrote to memory of 4344	3608	y7432870.exe	94
PID 3608 wrote to memory of 2964	3608	y7432870.exe	95
PID 3608 wrote to memory of 2964	3608	y7432870.exe	95
PID 3608 wrote to memory of 2964	3608	y7432870.exe	95

C:\Users\Admin\AppData\Local\Temp\7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe
"C:\Users\Admin\AppData\Local\Temp\7f2cc76276f40703761f1aa44309e0fce6ed0e8d9c2a8b146b31f6483b7222ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7432870.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7432870.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5089754.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5089754.exe
      4⤵
      Executes dropped EXE
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2223392.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2223392.exe
      4⤵
      Executes dropped EXE
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7432870.exe

Filesize
271KB

MD5
6a89f1ae97c63410021da1c67f5babf9

SHA1
6325e24fbb2e021700a270f3d16db41e636ff875

SHA256
95a418ce66432132cd7908aec551fc3175659a5c9a74ac30114f0fd762f1089a

SHA512
3002a993857d50cc3d8adbad96299f33b6e6dff7323e6998046613ad6f5d41ccc859570e91b6cc5cd3b244c3558ba8664f6897e70ed42fad02c21ea9550cfff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7432870.exe

Filesize
271KB

MD5
6a89f1ae97c63410021da1c67f5babf9

SHA1
6325e24fbb2e021700a270f3d16db41e636ff875

SHA256
95a418ce66432132cd7908aec551fc3175659a5c9a74ac30114f0fd762f1089a

SHA512
3002a993857d50cc3d8adbad96299f33b6e6dff7323e6998046613ad6f5d41ccc859570e91b6cc5cd3b244c3558ba8664f6897e70ed42fad02c21ea9550cfff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5089754.exe

Filesize
140KB

MD5
3b6a03b6cc5f4993c0d5a782b6290e93

SHA1
371183ce53f8c712e17a12bf55c21547b6fa2b55

SHA256
d08e924777dd5247cc20774f09178272f09b86802d443162d6f99c2ccc7d882e

SHA512
595cfbdfba30816dc17af84dda6f44a370884dddbea3c83f5d7653c66523e3196f7eebe247a079ad71f93b3577b1a5d239f7a6bacd9f74c4418ab5847a8962f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5089754.exe

Filesize
140KB

MD5
3b6a03b6cc5f4993c0d5a782b6290e93

SHA1
371183ce53f8c712e17a12bf55c21547b6fa2b55

SHA256
d08e924777dd5247cc20774f09178272f09b86802d443162d6f99c2ccc7d882e

SHA512
595cfbdfba30816dc17af84dda6f44a370884dddbea3c83f5d7653c66523e3196f7eebe247a079ad71f93b3577b1a5d239f7a6bacd9f74c4418ab5847a8962f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2223392.exe

Filesize
174KB

MD5
17b77cd94ed3d939912601b6410f7081

SHA1
7f93d11b2c20faa64d49e253e593db23f96d2848

SHA256
e769cad5a238469cc88ebc0062e9012bd2ad3b28c3aa2f78f678d7f4828db8a7

SHA512
3496babca9b78b02ce4f54ec1f0644d6fdeabf9686d0c59d00b59de4ad3e0928499fa571a75cd4fbbed17f9c17c3b4c9574698b3609b59de18ab48364b6daf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2223392.exe

Filesize
174KB

MD5
17b77cd94ed3d939912601b6410f7081

SHA1
7f93d11b2c20faa64d49e253e593db23f96d2848

SHA256
e769cad5a238469cc88ebc0062e9012bd2ad3b28c3aa2f78f678d7f4828db8a7

SHA512
3496babca9b78b02ce4f54ec1f0644d6fdeabf9686d0c59d00b59de4ad3e0928499fa571a75cd4fbbed17f9c17c3b4c9574698b3609b59de18ab48364b6daf5f

Download Submit
memory/2964-25-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/2964-27-0x000000000A730000-0x000000000A83A000-memory.dmp

Filesize
1.0MB

Download
memory/2964-32-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/2964-31-0x000000000A840000-0x000000000A88C000-memory.dmp

Filesize
304KB

Download
memory/2964-30-0x000000000A6D0000-0x000000000A70C000-memory.dmp

Filesize
240KB

Download
memory/2964-22-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/2964-23-0x0000000000780000-0x00000000007B0000-memory.dmp

Filesize
192KB

Download
memory/2964-24-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/2964-26-0x000000000ABB0000-0x000000000B1C8000-memory.dmp

Filesize
6.1MB

Download
memory/2964-29-0x000000000A670000-0x000000000A682000-memory.dmp

Filesize
72KB

Download
memory/2964-28-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/3452-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3452-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3452-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3452-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3452-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads