mystic | e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847

General

Target

e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe
Size

742KB
MD5

49d46cb81f01044f2563813d9ff41fbd
SHA1

9c7f2e414f91b5b4a06a47491e079d8510b36fb9
SHA256

e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847
SHA512

86f2c9809b7c57d6320c187efe735680a9641f60aba0ce62ba81e97d33064455610c3194f197a583296a7e0096aaafaa76cc223e07d60314817fe708dde3205c
SSDEEP

12288:cO//yfYb5BIQZVt31Pi7uFqDIhN6UZeTp3HO65rRyLzmqnFFbsrVI9:7iuBtZtKoUWs5VO65rR0FbUy

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e5-17.dat	family_mystic
behavioral2/files/0x00080000000231e5-16.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3992	y7299366.exe
1404	m7841525.exe
4460	n0060393.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7299366.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3596 set thread context of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 3596 wrote to memory of 5112	3596	e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe	87
PID 5112 wrote to memory of 3992	5112	AppLaunch.exe	88
PID 5112 wrote to memory of 3992	5112	AppLaunch.exe	88
PID 5112 wrote to memory of 3992	5112	AppLaunch.exe	88
PID 3992 wrote to memory of 1404	3992	y7299366.exe	89
PID 3992 wrote to memory of 1404	3992	y7299366.exe	89
PID 3992 wrote to memory of 1404	3992	y7299366.exe	89
PID 3992 wrote to memory of 4460	3992	y7299366.exe	90
PID 3992 wrote to memory of 4460	3992	y7299366.exe	90
PID 3992 wrote to memory of 4460	3992	y7299366.exe	90

C:\Users\Admin\AppData\Local\Temp\e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe
"C:\Users\Admin\AppData\Local\Temp\e35e93f9ca7731196ebc922e102fe9230fb6818c52f8c7fcbec24ba9c2df0847.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7299366.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7299366.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7841525.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7841525.exe
      4⤵
      Executes dropped EXE
      PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0060393.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0060393.exe
      4⤵
      Executes dropped EXE
      PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7299366.exe

Filesize
272KB

MD5
23ad1fcee08f5a9944316a21ada8ebf0

SHA1
2bbe19a25251d6137c0b704d12d78d71e5527308

SHA256
1a81f72dfb7e0ade80f71c41fbf82a3129aaa407dd5b651570666423a44b69e1

SHA512
df130a399cd7be74a67095c24bcd0c9d34ccb7e8a6f12cd6d5561d00cd6628259382882a113c624b25dce09a079cf21bd4a2617c82c8e779229779afd33c0b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7299366.exe

Filesize
272KB

MD5
23ad1fcee08f5a9944316a21ada8ebf0

SHA1
2bbe19a25251d6137c0b704d12d78d71e5527308

SHA256
1a81f72dfb7e0ade80f71c41fbf82a3129aaa407dd5b651570666423a44b69e1

SHA512
df130a399cd7be74a67095c24bcd0c9d34ccb7e8a6f12cd6d5561d00cd6628259382882a113c624b25dce09a079cf21bd4a2617c82c8e779229779afd33c0b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7841525.exe

Filesize
140KB

MD5
d2299781b97e72554bac0b18c54c18e6

SHA1
ca715fabfba8b0f02e21f0eb3814a4d20678f205

SHA256
059a487b5e6e854236a71105e38d55660687e3c0610ac753dbfb010ebd84b922

SHA512
1bb5c4c49a6ea81e5f9f9183cf5dcd6386579b78978099584e2a5426e70776cf6277c508d421efc5ec21f41d88c5b48e6a9d1c51ec57a0dcfbb332ab7d38b089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7841525.exe

Filesize
140KB

MD5
d2299781b97e72554bac0b18c54c18e6

SHA1
ca715fabfba8b0f02e21f0eb3814a4d20678f205

SHA256
059a487b5e6e854236a71105e38d55660687e3c0610ac753dbfb010ebd84b922

SHA512
1bb5c4c49a6ea81e5f9f9183cf5dcd6386579b78978099584e2a5426e70776cf6277c508d421efc5ec21f41d88c5b48e6a9d1c51ec57a0dcfbb332ab7d38b089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0060393.exe

Filesize
174KB

MD5
6cff9e54de3360f8ece29bfdda8d73b6

SHA1
9bafe76bd68b6b413cf1ca688733d218e003d1e0

SHA256
839f3ccce0dfc7519fcee9d8cd15efef7e920a24cfe2879517c49283abf6a8b1

SHA512
deb9162db65b9e0287026d13f4b98b87a1a8641ae079b84e0307b79d77482e399d194f1ccf7bb7f331c0a75280a750d03f9a7dda7d1794bbdbcc07fc582419fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0060393.exe

Filesize
174KB

MD5
6cff9e54de3360f8ece29bfdda8d73b6

SHA1
9bafe76bd68b6b413cf1ca688733d218e003d1e0

SHA256
839f3ccce0dfc7519fcee9d8cd15efef7e920a24cfe2879517c49283abf6a8b1

SHA512
deb9162db65b9e0287026d13f4b98b87a1a8641ae079b84e0307b79d77482e399d194f1ccf7bb7f331c0a75280a750d03f9a7dda7d1794bbdbcc07fc582419fc

Download Submit
memory/4460-22-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/4460-27-0x0000000004F00000-0x000000000500A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-32-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4460-31-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download
memory/4460-30-0x0000000004E90000-0x0000000004ECC000-memory.dmp

Filesize
240KB

Download
memory/4460-21-0x0000000000360000-0x0000000000390000-memory.dmp

Filesize
192KB

Download
memory/4460-29-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/4460-24-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/4460-25-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

Filesize
24KB

Download
memory/4460-26-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/4460-28-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5112-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5112-23-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5112-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5112-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5112-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads