mystic | 12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282

General

Target

12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe
Size

742KB
MD5

65da09996daf86723200abab2fe4ed5d
SHA1

624a24c6cf82ad8fb48494959b4a7656fcd1862c
SHA256

12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282
SHA512

859f7a41ad6d4a055d3d09f72d2028ab4dc8185fe7149ed04c9f4d1f4fae40b0f6ab169020e157c6199b8337ae09427f332565ba3b424db4541808d0a26f7813
SSDEEP

12288:JJ//yfYb5BIQZVt8keGlm/KJiYRVSpaLl5UubFlLT49T95FYy/n1K4SiFdA8pN9:riuBtZXeGgCNRVSo7FlLmYcn1KedPV

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f5-16.dat	family_mystic
behavioral2/files/0x00090000000231f5-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4352	y4218484.exe
3124	m0242086.exe
1676	n3811759.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4218484.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 3484	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	88
PID 2952 wrote to memory of 3484	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	88
PID 2952 wrote to memory of 3484	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	88
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 2952 wrote to memory of 1300	2952	12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe	89
PID 1300 wrote to memory of 4352	1300	AppLaunch.exe	90
PID 1300 wrote to memory of 4352	1300	AppLaunch.exe	90
PID 1300 wrote to memory of 4352	1300	AppLaunch.exe	90
PID 4352 wrote to memory of 3124	4352	y4218484.exe	91
PID 4352 wrote to memory of 3124	4352	y4218484.exe	91
PID 4352 wrote to memory of 3124	4352	y4218484.exe	91
PID 4352 wrote to memory of 1676	4352	y4218484.exe	92
PID 4352 wrote to memory of 1676	4352	y4218484.exe	92
PID 4352 wrote to memory of 1676	4352	y4218484.exe	92

C:\Users\Admin\AppData\Local\Temp\12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe
"C:\Users\Admin\AppData\Local\Temp\12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4218484.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4218484.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0242086.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0242086.exe
      4⤵
      Executes dropped EXE
      PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3811759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3811759.exe
      4⤵
      Executes dropped EXE
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4218484.exe

Filesize
272KB

MD5
37f45e7cc0fd688aa2cb32a549382d90

SHA1
c614ff464123a61ebe7c78f22dae2109b30be772

SHA256
7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907

SHA512
9c63e2f401ce2bded0f7f21d4cad2959cec78863ea007b9b92112633659938fc8f404a2fa07c88d7fd6e76645d0acb627914f34b1a36fc93e652cff67dc9b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4218484.exe

Filesize
272KB

MD5
37f45e7cc0fd688aa2cb32a549382d90

SHA1
c614ff464123a61ebe7c78f22dae2109b30be772

SHA256
7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907

SHA512
9c63e2f401ce2bded0f7f21d4cad2959cec78863ea007b9b92112633659938fc8f404a2fa07c88d7fd6e76645d0acb627914f34b1a36fc93e652cff67dc9b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0242086.exe

Filesize
140KB

MD5
6339e999e26188d1bd02f3fdb3b8ced9

SHA1
ab12889c86b43a23e9f740456044502f7e51b7e1

SHA256
833828ea6d418e432258ddbacbc09dcdc29d7a10996235ed7c5e0dae93f6c6ba

SHA512
9b88fe24abfc706eb1aebd6dbc0a91f4d78237b1c2280683653ac4f28c30d5957d72311d3e346e295c4252eb59b40d3649c4af3bc100b99ffce78f259d28a1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0242086.exe

Filesize
140KB

MD5
6339e999e26188d1bd02f3fdb3b8ced9

SHA1
ab12889c86b43a23e9f740456044502f7e51b7e1

SHA256
833828ea6d418e432258ddbacbc09dcdc29d7a10996235ed7c5e0dae93f6c6ba

SHA512
9b88fe24abfc706eb1aebd6dbc0a91f4d78237b1c2280683653ac4f28c30d5957d72311d3e346e295c4252eb59b40d3649c4af3bc100b99ffce78f259d28a1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3811759.exe

Filesize
174KB

MD5
330abaedf21dac290a125211597da538

SHA1
5fd999e353472d1f405a9f98c1946b45a87e1028

SHA256
0ea9d64ac078f7243e6fdedc8ed488ff2678667a674d2d523b7d9b5cba75155e

SHA512
d61f4feecebc34c3c689d6848fb307ebdc3257fbd957794a292e8dff3690bfdef65b74d64c920c9a2f7351767d52bba725b4f280bb66e0c3c03c6af98dedf41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n3811759.exe

Filesize
174KB

MD5
330abaedf21dac290a125211597da538

SHA1
5fd999e353472d1f405a9f98c1946b45a87e1028

SHA256
0ea9d64ac078f7243e6fdedc8ed488ff2678667a674d2d523b7d9b5cba75155e

SHA512
d61f4feecebc34c3c689d6848fb307ebdc3257fbd957794a292e8dff3690bfdef65b74d64c920c9a2f7351767d52bba725b4f280bb66e0c3c03c6af98dedf41d

Download Submit
memory/1300-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-21-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1676-23-0x0000000002390000-0x0000000002396000-memory.dmp

Filesize
24KB

Download
memory/1676-22-0x00000000000B0000-0x00000000000E0000-memory.dmp

Filesize
192KB

Download
memory/1676-25-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1676-26-0x00000000051E0000-0x00000000057F8000-memory.dmp

Filesize
6.1MB

Download
memory/1676-27-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/1676-28-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1676-29-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1676-30-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/1676-31-0x0000000005120000-0x000000000516C000-memory.dmp

Filesize
304KB

Download
memory/1676-32-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads