mystic | 40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0

General

Target

40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe
Size

741KB
MD5

28344341ea474fe839724bea49da07de
SHA1

a34505fc8fafe00a942083bd12308959bc8103a3
SHA256

40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0
SHA512

73fb0a6b77a214147d3a3a5e95a27a0d83a2f81594f3520ea0a7604856603b6d7053ed9f85eaebe5f47bdedadf6fcafb003abb2897f96d216376b8d37a00372f
SSDEEP

12288:YR//yfYb5BIQZVtYVPZtQNdZ4jfylbKtgETFz5buK/UZTSwb19:siuBtZaZtQHchgEh5L/Y3bv

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000230b2-16.dat	family_mystic
behavioral2/files/0x00090000000230b2-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
824	y8349669.exe
4688	m7140100.exe
5108	n4359592.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8349669.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3500	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	91
PID 2152 wrote to memory of 3500	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	91
PID 2152 wrote to memory of 3500	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	91
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 2152 wrote to memory of 492	2152	40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe	92
PID 492 wrote to memory of 824	492	AppLaunch.exe	95
PID 492 wrote to memory of 824	492	AppLaunch.exe	95
PID 492 wrote to memory of 824	492	AppLaunch.exe	95
PID 824 wrote to memory of 4688	824	y8349669.exe	96
PID 824 wrote to memory of 4688	824	y8349669.exe	96
PID 824 wrote to memory of 4688	824	y8349669.exe	96
PID 824 wrote to memory of 5108	824	y8349669.exe	98
PID 824 wrote to memory of 5108	824	y8349669.exe	98
PID 824 wrote to memory of 5108	824	y8349669.exe	98

C:\Users\Admin\AppData\Local\Temp\40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe
"C:\Users\Admin\AppData\Local\Temp\40aa442f42d41589d006a2e3e3f5a557d6c1a99eb3ea05d49d810f96ddc4c4a0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8349669.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8349669.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7140100.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7140100.exe
      4⤵
      Executes dropped EXE
      PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4359592.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4359592.exe
      4⤵
      Executes dropped EXE
      PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8349669.exe

Filesize
271KB

MD5
8a03dfc8602e1bc4684b8a66f2c7415d

SHA1
15cdf322836e4aa809ce03e8f9dbe1d04b8c3c4c

SHA256
b772c00edc3e28c9c843868950e28107d44ea658335acb8765e8183c1db9f8a2

SHA512
32973c482b5b1b55422edaf7999695fde96239fa55ca9f4d575f60846204a1845856f4a94d29d568ccaf34cf559d4422c597ac03cf12e929e7717beae1ca00c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8349669.exe

Filesize
271KB

MD5
8a03dfc8602e1bc4684b8a66f2c7415d

SHA1
15cdf322836e4aa809ce03e8f9dbe1d04b8c3c4c

SHA256
b772c00edc3e28c9c843868950e28107d44ea658335acb8765e8183c1db9f8a2

SHA512
32973c482b5b1b55422edaf7999695fde96239fa55ca9f4d575f60846204a1845856f4a94d29d568ccaf34cf559d4422c597ac03cf12e929e7717beae1ca00c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7140100.exe

Filesize
140KB

MD5
71106d12909c3253248f8775f5c40789

SHA1
c238f0606143310b4a9cb56d9f5c72d7ebc94020

SHA256
f23f24f53bf41421c37e8e6a717b7a263b15abfc923060f1808e502c98161417

SHA512
ac00c616df37434c1db2d8f79b349dc5210e3dcfb27c7d7c8b1d073b755c1466361d646da012cc8743083d669ccceae43a60a73d38369d152f3e62490219ed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7140100.exe

Filesize
140KB

MD5
71106d12909c3253248f8775f5c40789

SHA1
c238f0606143310b4a9cb56d9f5c72d7ebc94020

SHA256
f23f24f53bf41421c37e8e6a717b7a263b15abfc923060f1808e502c98161417

SHA512
ac00c616df37434c1db2d8f79b349dc5210e3dcfb27c7d7c8b1d073b755c1466361d646da012cc8743083d669ccceae43a60a73d38369d152f3e62490219ed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4359592.exe

Filesize
174KB

MD5
60448db61c39affec3416b4d012099d5

SHA1
b79d12308a02e0873099c7f283a07a704cfd7bf0

SHA256
341bbf8663b096a5a6d5f373f4966910e520d72ab914bdf2dddc39fcdb659fc1

SHA512
3d4bd15184eb58de5eefc91cc6029eafe549933378c407741aba0ae7263e7e15542bff10be86294f12c590393c1a78741ebe1675e8597ab92ceec07a285aaabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4359592.exe

Filesize
174KB

MD5
60448db61c39affec3416b4d012099d5

SHA1
b79d12308a02e0873099c7f283a07a704cfd7bf0

SHA256
341bbf8663b096a5a6d5f373f4966910e520d72ab914bdf2dddc39fcdb659fc1

SHA512
3d4bd15184eb58de5eefc91cc6029eafe549933378c407741aba0ae7263e7e15542bff10be86294f12c590393c1a78741ebe1675e8597ab92ceec07a285aaabf

Download Submit
memory/492-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/492-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/492-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/492-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/492-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5108-21-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-23-0x0000000003000000-0x0000000003006000-memory.dmp

Filesize
24KB

Download
memory/5108-24-0x000000000B210000-0x000000000B828000-memory.dmp

Filesize
6.1MB

Download
memory/5108-25-0x000000000AD60000-0x000000000AE6A000-memory.dmp

Filesize
1.0MB

Download
memory/5108-26-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/5108-27-0x000000000ACA0000-0x000000000ACB2000-memory.dmp

Filesize
72KB

Download
memory/5108-28-0x000000000AD00000-0x000000000AD3C000-memory.dmp

Filesize
240KB

Download
memory/5108-29-0x000000000AE70000-0x000000000AEBC000-memory.dmp

Filesize
304KB

Download
memory/5108-22-0x0000000000DB0000-0x0000000000DE0000-memory.dmp

Filesize
192KB

Download
memory/5108-31-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-32-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads