mystic | aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5

General

Target

aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe
Size

742KB
MD5

1e6fb7fdf819c2a688365a2aeeb753c2
SHA1

e1119b817a5936726e8e1e1ba25faaf016f10019
SHA256

aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5
SHA512

35c02a796de0df49e386b5bf0e717807bf074e282a48e9452242e8d8e746f9df508027417b012f5a0c6919c0f5d433c5234e9015407408265a2d318ce2bed753
SSDEEP

12288:th//yfYb5BIQZVt4xOK+DYh84Cjtz1qGlaZVS8Qrn8PJHPVbJQEVuYSFn9:TiuBtZ0IYi4ItxucDrnaJHPVb/VuYA9

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000230ac-15.dat	family_mystic
behavioral2/files/0x00070000000230ac-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4112	y9080979.exe
2552	m4915771.exe
848	n5794773.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9080979.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4152 wrote to memory of 4236	4152	aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe	87
PID 4236 wrote to memory of 4112	4236	AppLaunch.exe	88
PID 4236 wrote to memory of 4112	4236	AppLaunch.exe	88
PID 4236 wrote to memory of 4112	4236	AppLaunch.exe	88
PID 4112 wrote to memory of 2552	4112	y9080979.exe	89
PID 4112 wrote to memory of 2552	4112	y9080979.exe	89
PID 4112 wrote to memory of 2552	4112	y9080979.exe	89
PID 4112 wrote to memory of 848	4112	y9080979.exe	90
PID 4112 wrote to memory of 848	4112	y9080979.exe	90
PID 4112 wrote to memory of 848	4112	y9080979.exe	90

C:\Users\Admin\AppData\Local\Temp\aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe
"C:\Users\Admin\AppData\Local\Temp\aa093746df8732b027df91c4b6eac4bff1ef5411e5466b7e26d48b3dcff82fe5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9080979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9080979.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4915771.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4915771.exe
      4⤵
      Executes dropped EXE
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5794773.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5794773.exe
      4⤵
      Executes dropped EXE
      PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9080979.exe

Filesize
271KB

MD5
c6d9a39d816ad80e8b5d4e1fda491746

SHA1
1bd6a19f4b0811b70e30dfa07f95ce6f8a5977d2

SHA256
c79c35fe9718b4eee1d6106113c19f1933d1d4478199becb66c433a0aac31e68

SHA512
af94ef1772377529bef7dc0de8299dda0328dfd59f2be25708f06835e19b85e4dd57a071dc3c2c303e91b2856965537ee8e20d42febe2ff66495ac9145d0a722

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9080979.exe

Filesize
271KB

MD5
c6d9a39d816ad80e8b5d4e1fda491746

SHA1
1bd6a19f4b0811b70e30dfa07f95ce6f8a5977d2

SHA256
c79c35fe9718b4eee1d6106113c19f1933d1d4478199becb66c433a0aac31e68

SHA512
af94ef1772377529bef7dc0de8299dda0328dfd59f2be25708f06835e19b85e4dd57a071dc3c2c303e91b2856965537ee8e20d42febe2ff66495ac9145d0a722

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4915771.exe

Filesize
140KB

MD5
37bf9440cafc249d1dd7cfb82340ad3a

SHA1
e8834ceb92008b26e1c031eaab16d8e1b508da41

SHA256
d0c04a5d5dc464a8fb5e2277b2c6f6be0ed5113fb098318bb5a1498fc009b345

SHA512
e08efee111c748758409e87e0699ef349c7a6a16783de2d1b9d8f72b0490d47e2164833d52beebe0172ee28c3b41f649fc789bec6b7f878cf5f701e5d6a4cb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4915771.exe

Filesize
140KB

MD5
37bf9440cafc249d1dd7cfb82340ad3a

SHA1
e8834ceb92008b26e1c031eaab16d8e1b508da41

SHA256
d0c04a5d5dc464a8fb5e2277b2c6f6be0ed5113fb098318bb5a1498fc009b345

SHA512
e08efee111c748758409e87e0699ef349c7a6a16783de2d1b9d8f72b0490d47e2164833d52beebe0172ee28c3b41f649fc789bec6b7f878cf5f701e5d6a4cb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5794773.exe

Filesize
174KB

MD5
52b256e19f9949d68c8b6a596c427517

SHA1
87bb446efd60a628e803c2795078a726a8305248

SHA256
78f9868176846eb1e31dfeeffdb2459a3a1225bf5352d6d14347a835b008b6e2

SHA512
5364609b77a33cd84881a6e4ec29ad447427f6a27beb947e7840c3a55636ef1ddcfb36aa9fedd83a4f888538eeef269f2617f35ecdbc434907b35699457044e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5794773.exe

Filesize
174KB

MD5
52b256e19f9949d68c8b6a596c427517

SHA1
87bb446efd60a628e803c2795078a726a8305248

SHA256
78f9868176846eb1e31dfeeffdb2459a3a1225bf5352d6d14347a835b008b6e2

SHA512
5364609b77a33cd84881a6e4ec29ad447427f6a27beb947e7840c3a55636ef1ddcfb36aa9fedd83a4f888538eeef269f2617f35ecdbc434907b35699457044e6

Download Submit
memory/848-21-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/848-27-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/848-32-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/848-31-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/848-30-0x000000000A060000-0x000000000A0AC000-memory.dmp

Filesize
304KB

Download
memory/848-22-0x00000000000E0000-0x0000000000110000-memory.dmp

Filesize
192KB

Download
memory/848-23-0x0000000004880000-0x0000000004886000-memory.dmp

Filesize
24KB

Download
memory/848-24-0x000000000A3D0000-0x000000000A9E8000-memory.dmp

Filesize
6.1MB

Download
memory/848-25-0x0000000009F50000-0x000000000A05A000-memory.dmp

Filesize
1.0MB

Download
memory/848-29-0x0000000009EF0000-0x0000000009F2C000-memory.dmp

Filesize
240KB

Download
memory/848-28-0x0000000009E90000-0x0000000009EA2000-memory.dmp

Filesize
72KB

Download
memory/4236-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4236-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4236-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4236-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4236-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads