mystic | 35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd

General

Target

35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe
Size

742KB
MD5

e8f2c4652165760519c6353f74c84c8e
SHA1

de9a0b1e42fb43ed97e73f46adcce6215243852c
SHA256

35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd
SHA512

48b9f2928c2de7b7f9c25380e93d69b686674034fe7f64d02ed0e4beb142fb715303e809cb5ea4964bfe0dc74b1241e8cbdcc73d9e42b2f685d4e2f3a3407ace
SSDEEP

12288:Pn//yfYb5BIQZVt8H1fhpnsuG3/Nl7lNAEEJhzGfy8OXdLygvooc9:/iuBtZKfhpnsNPFizGK8OtyF

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023257-16.dat	family_mystic
behavioral2/files/0x0008000000023257-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3988	y3952316.exe
2520	m6769895.exe
4520	n6608345.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3952316.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4476 set thread context of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 4476 wrote to memory of 628	4476	35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe	88
PID 628 wrote to memory of 3988	628	AppLaunch.exe	90
PID 628 wrote to memory of 3988	628	AppLaunch.exe	90
PID 628 wrote to memory of 3988	628	AppLaunch.exe	90
PID 3988 wrote to memory of 2520	3988	y3952316.exe	94
PID 3988 wrote to memory of 2520	3988	y3952316.exe	94
PID 3988 wrote to memory of 2520	3988	y3952316.exe	94
PID 3988 wrote to memory of 4520	3988	y3952316.exe	96
PID 3988 wrote to memory of 4520	3988	y3952316.exe	96
PID 3988 wrote to memory of 4520	3988	y3952316.exe	96

C:\Users\Admin\AppData\Local\Temp\35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe
"C:\Users\Admin\AppData\Local\Temp\35db8c9d9387fff19e234c0c4520acefcfb7906c3311e92d1643031014936acd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3952316.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3952316.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6769895.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6769895.exe
      4⤵
      Executes dropped EXE
      PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6608345.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6608345.exe
      4⤵
      Executes dropped EXE
      PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3952316.exe

Filesize
271KB

MD5
ff87cc9ab2c449b53fc47a4b585097e7

SHA1
c2469c0d8de70db4072a80645c7545922b550418

SHA256
017eb11c79efd5bedf1706984f4b6d06e7accc0c25d00d3dbd4318bd42fcb3b6

SHA512
0593e5e06acf96ae6194df55edb053f873d68833b38c7741970f79d022541a803b976005c0a3e1258283dd17efee493e88993fba5737f57f46b782c510476dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3952316.exe

Filesize
271KB

MD5
ff87cc9ab2c449b53fc47a4b585097e7

SHA1
c2469c0d8de70db4072a80645c7545922b550418

SHA256
017eb11c79efd5bedf1706984f4b6d06e7accc0c25d00d3dbd4318bd42fcb3b6

SHA512
0593e5e06acf96ae6194df55edb053f873d68833b38c7741970f79d022541a803b976005c0a3e1258283dd17efee493e88993fba5737f57f46b782c510476dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6769895.exe

Filesize
140KB

MD5
6d1f65cea93914a198f7bdfc2f84f387

SHA1
ac5edb27a7e8ac9bcda27e1f1f8167c54f6056c6

SHA256
e013b4654fd98118c2877b03aa505f21c11109df38847283c58a8372c3a31b47

SHA512
452eb86e36d55aed10afcd282e6b0c00abcfbad64d5c434881d0a6dfff7f5e5af42f258a6042089373429934eea8892c43615a20ad4fa0d5c1ec7fa9f18cd8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6769895.exe

Filesize
140KB

MD5
6d1f65cea93914a198f7bdfc2f84f387

SHA1
ac5edb27a7e8ac9bcda27e1f1f8167c54f6056c6

SHA256
e013b4654fd98118c2877b03aa505f21c11109df38847283c58a8372c3a31b47

SHA512
452eb86e36d55aed10afcd282e6b0c00abcfbad64d5c434881d0a6dfff7f5e5af42f258a6042089373429934eea8892c43615a20ad4fa0d5c1ec7fa9f18cd8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6608345.exe

Filesize
174KB

MD5
23ff80c3a85fa6d622c3e952d3e55b2a

SHA1
1adf6276551b827b799caa0bb351ed02a33293eb

SHA256
4fdbb073b977942e89b1355a6104733810b75f82ca17aabde95792ee5877bd66

SHA512
4a588d41699505e111f77dc422466b5988ffa85cb6803a9eb6f752293afaa43b98f0706468d5cca0ff9511538cb1a6b72161dff882b8d176cd01aed553c89e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6608345.exe

Filesize
174KB

MD5
23ff80c3a85fa6d622c3e952d3e55b2a

SHA1
1adf6276551b827b799caa0bb351ed02a33293eb

SHA256
4fdbb073b977942e89b1355a6104733810b75f82ca17aabde95792ee5877bd66

SHA512
4a588d41699505e111f77dc422466b5988ffa85cb6803a9eb6f752293afaa43b98f0706468d5cca0ff9511538cb1a6b72161dff882b8d176cd01aed553c89e0b

Download Submit
memory/628-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/628-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/628-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/628-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/628-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4520-21-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4520-23-0x0000000004F90000-0x0000000004F96000-memory.dmp

Filesize
24KB

Download
memory/4520-24-0x000000000ABF0000-0x000000000B208000-memory.dmp

Filesize
6.1MB

Download
memory/4520-25-0x000000000A760000-0x000000000A86A000-memory.dmp

Filesize
1.0MB

Download
memory/4520-26-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4520-27-0x000000000A6A0000-0x000000000A6B2000-memory.dmp

Filesize
72KB

Download
memory/4520-28-0x000000000A700000-0x000000000A73C000-memory.dmp

Filesize
240KB

Download
memory/4520-29-0x000000000A870000-0x000000000A8BC000-memory.dmp

Filesize
304KB

Download
memory/4520-22-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/4520-31-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4520-32-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads