mystic | 921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a

General

Target

921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe
Size

742KB
MD5

b9e5c469db702cf7056b00bc00443333
SHA1

ee1800ddf9155210401f93f0142c753a276bf11a
SHA256

921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a
SHA512

8a9ce1f8ac6501caaf08d73d230cb49be27ef7a0843d1df484999db1b77786b0dacea390391ea509bdbafb646be20b1fb8edcfa7e86ec37aef96f3c3ece63756
SSDEEP

12288:d4lCJiYn38AwFVtUSAeYKqoAMPl0j4a/J2DE61e/eoP9ky23H1qJ9:W+Z8zF1ANiDE67olEqD

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002322d-16.dat	family_mystic
behavioral2/files/0x000700000002322d-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4420	y1439239.exe
5112	m1024926.exe
3484	n6759556.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1439239.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4916 set thread context of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 4916 wrote to memory of 1664	4916	921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe	85
PID 1664 wrote to memory of 4420	1664	AppLaunch.exe	86
PID 1664 wrote to memory of 4420	1664	AppLaunch.exe	86
PID 1664 wrote to memory of 4420	1664	AppLaunch.exe	86
PID 4420 wrote to memory of 5112	4420	y1439239.exe	87
PID 4420 wrote to memory of 5112	4420	y1439239.exe	87
PID 4420 wrote to memory of 5112	4420	y1439239.exe	87
PID 4420 wrote to memory of 3484	4420	y1439239.exe	88
PID 4420 wrote to memory of 3484	4420	y1439239.exe	88
PID 4420 wrote to memory of 3484	4420	y1439239.exe	88

C:\Users\Admin\AppData\Local\Temp\921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe
"C:\Users\Admin\AppData\Local\Temp\921f1dd6b717c66ce264bd8af6793b360ffa8cc24e8d905a4f2e9bbdff12676a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1439239.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1439239.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1024926.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1024926.exe
      4⤵
      Executes dropped EXE
      PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6759556.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6759556.exe
      4⤵
      Executes dropped EXE
      PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1439239.exe

Filesize
272KB

MD5
ce888d3e95fd72b44ba9755a7b5f3070

SHA1
acfac50f32c643900534a35b95e5324a79a6f24c

SHA256
87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922

SHA512
4d7b3b5acb8d2de6ddfc8ab6e2e0ffbac86fd2cbdf55ca001390a073d4fa878d4886c636021b8c4276377137113f31b609fa8afcbbf9cc55bb3d7f5856e37487

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1439239.exe

Filesize
272KB

MD5
ce888d3e95fd72b44ba9755a7b5f3070

SHA1
acfac50f32c643900534a35b95e5324a79a6f24c

SHA256
87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922

SHA512
4d7b3b5acb8d2de6ddfc8ab6e2e0ffbac86fd2cbdf55ca001390a073d4fa878d4886c636021b8c4276377137113f31b609fa8afcbbf9cc55bb3d7f5856e37487

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1024926.exe

Filesize
140KB

MD5
f1c72f6f33dc90b962d2bc4fa57d854b

SHA1
f108fd8e69fe0dc5948e9a87802b9525f6c3bb0e

SHA256
3907c3d28a994e4ff2e5566a9f80155018f234f488ff49ae8e46b4d818541200

SHA512
4e3e875d7c4b111b2ed1c7dca9c1c84caa10debadf4bdba705a71b531fc280cf9a21eacdb98b44d7e3d244bdf0765e9404be054e4ff8c766f3ef72a265da8293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1024926.exe

Filesize
140KB

MD5
f1c72f6f33dc90b962d2bc4fa57d854b

SHA1
f108fd8e69fe0dc5948e9a87802b9525f6c3bb0e

SHA256
3907c3d28a994e4ff2e5566a9f80155018f234f488ff49ae8e46b4d818541200

SHA512
4e3e875d7c4b111b2ed1c7dca9c1c84caa10debadf4bdba705a71b531fc280cf9a21eacdb98b44d7e3d244bdf0765e9404be054e4ff8c766f3ef72a265da8293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6759556.exe

Filesize
174KB

MD5
21829fc034799adf43ad6aa59792e3af

SHA1
0e39c92ef8cb7a3cffd6bb1ce22038f33f0a4c58

SHA256
15401a746683c0055e6dc209d7e1130f64b5c260231498aa8d30378d3703be6c

SHA512
2af8b78fd63f24a3168bf701ef088f8ee0c002d1a5c8ab171a6a4af8d57363325718682210551f4bdaaa6aaa1f49f5d7160a50b810092a25a3e42c25a94ae4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6759556.exe

Filesize
174KB

MD5
21829fc034799adf43ad6aa59792e3af

SHA1
0e39c92ef8cb7a3cffd6bb1ce22038f33f0a4c58

SHA256
15401a746683c0055e6dc209d7e1130f64b5c260231498aa8d30378d3703be6c

SHA512
2af8b78fd63f24a3168bf701ef088f8ee0c002d1a5c8ab171a6a4af8d57363325718682210551f4bdaaa6aaa1f49f5d7160a50b810092a25a3e42c25a94ae4cc

Download Submit
memory/1664-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1664-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1664-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1664-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1664-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3484-21-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/3484-23-0x0000000002D10000-0x0000000002D16000-memory.dmp

Filesize
24KB

Download
memory/3484-24-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/3484-25-0x00000000054C0000-0x00000000055CA000-memory.dmp

Filesize
1.0MB

Download
memory/3484-27-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/3484-26-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/3484-28-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/3484-29-0x00000000055D0000-0x000000000561C000-memory.dmp

Filesize
304KB

Download
memory/3484-22-0x0000000074180000-0x0000000074930000-memory.dmp

Filesize
7.7MB

Download
memory/3484-31-0x0000000074180000-0x0000000074930000-memory.dmp

Filesize
7.7MB

Download
memory/3484-32-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads