mystic | 0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d

General

Target

0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe
Size

742KB
MD5

5279ce75303fd75d2d8dafd5d76e28cb
SHA1

66adb76e112f78662bd7511ca2e2609dc7139d05
SHA256

0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d
SHA512

47c2075fb4f74f115309e2c66d6dd2e395183bc245d7c03f305edce7b9858e4c2a23bd5de8169475000c087993eff89ba703ffc37696362b17c93ca09c678c52
SSDEEP

12288:7U//yfYb5BIQZVt/rTkJsCo3TuDo9iq/lYPtM58iN+XWV//uRbJRrbcv61uaop9:giuBtZ73tjbknavVnuRbJlt1m

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e3-16.dat	family_mystic
behavioral2/files/0x00080000000231e3-17.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4752	y6647845.exe
2608	m4288012.exe
4088	n4308335.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6647845.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 1552	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	89
PID 3520 wrote to memory of 1552	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	89
PID 3520 wrote to memory of 1552	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	89
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 3520 wrote to memory of 4124	3520	0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe	90
PID 4124 wrote to memory of 4752	4124	AppLaunch.exe	91
PID 4124 wrote to memory of 4752	4124	AppLaunch.exe	91
PID 4124 wrote to memory of 4752	4124	AppLaunch.exe	91
PID 4752 wrote to memory of 2608	4752	y6647845.exe	93
PID 4752 wrote to memory of 2608	4752	y6647845.exe	93
PID 4752 wrote to memory of 2608	4752	y6647845.exe	93
PID 4752 wrote to memory of 4088	4752	y6647845.exe	94
PID 4752 wrote to memory of 4088	4752	y6647845.exe	94
PID 4752 wrote to memory of 4088	4752	y6647845.exe	94

C:\Users\Admin\AppData\Local\Temp\0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe
"C:\Users\Admin\AppData\Local\Temp\0d2c55bae95eac40498af18c082aa5b68b9aaa6d4e886cc4e6db1e37290f588d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6647845.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6647845.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4288012.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4288012.exe
      4⤵
      Executes dropped EXE
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4308335.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4308335.exe
      4⤵
      Executes dropped EXE
      PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6647845.exe

Filesize
272KB

MD5
c4686a93a7c2afb486b4acfd15fd2b89

SHA1
51353e40a703a8cf3e574ca6c72f49f17798e6ac

SHA256
1d2e5d1883c262405a823647682bf7927f876c143dfc81e9cfd7fb56be8f5fef

SHA512
ca0fcc886ad2fd700a94c6e4b8c31f32d07ea058d42ef20c23107ac366b5a7be4829ce479324763e90332f5db75ed7f204463234919d46d281853b3cbd22ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6647845.exe

Filesize
272KB

MD5
c4686a93a7c2afb486b4acfd15fd2b89

SHA1
51353e40a703a8cf3e574ca6c72f49f17798e6ac

SHA256
1d2e5d1883c262405a823647682bf7927f876c143dfc81e9cfd7fb56be8f5fef

SHA512
ca0fcc886ad2fd700a94c6e4b8c31f32d07ea058d42ef20c23107ac366b5a7be4829ce479324763e90332f5db75ed7f204463234919d46d281853b3cbd22ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4288012.exe

Filesize
140KB

MD5
7e48e437e9169b3a7af100571e5c18b2

SHA1
5e3ebd676f01b6ff325d626716ca8c96068d0265

SHA256
8d075903147bbac7890c2b4053303af9c4ed92cd29634e846b2056a64151bdd2

SHA512
d351aa5a76178901fa2a727e2bf455a7e37d6263e283c3a34f1251a58d1b24b29aca3ddca19bf760e54e7dd34cb69f8d12fe9443a5dce1cd36db1627d131bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4288012.exe

Filesize
140KB

MD5
7e48e437e9169b3a7af100571e5c18b2

SHA1
5e3ebd676f01b6ff325d626716ca8c96068d0265

SHA256
8d075903147bbac7890c2b4053303af9c4ed92cd29634e846b2056a64151bdd2

SHA512
d351aa5a76178901fa2a727e2bf455a7e37d6263e283c3a34f1251a58d1b24b29aca3ddca19bf760e54e7dd34cb69f8d12fe9443a5dce1cd36db1627d131bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4308335.exe

Filesize
174KB

MD5
15f199aae19ed48f8078a5eebee1c386

SHA1
8f09d78750ee124d4a5eeb6ad33bfe4b8e479b11

SHA256
5e6362346b529e3d1d4eefebff20e5433791800d8a9e37a3cd2e4ef42fe4cbed

SHA512
d9adb9ffd561c7d0b8512500b5b1abf8790dd380090ba5782b85b0b806e688b526d99a0309528f21393b04a0e28b10b475f460219d5248f6b3b0f2bf1ef6b640

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4308335.exe

Filesize
174KB

MD5
15f199aae19ed48f8078a5eebee1c386

SHA1
8f09d78750ee124d4a5eeb6ad33bfe4b8e479b11

SHA256
5e6362346b529e3d1d4eefebff20e5433791800d8a9e37a3cd2e4ef42fe4cbed

SHA512
d9adb9ffd561c7d0b8512500b5b1abf8790dd380090ba5782b85b0b806e688b526d99a0309528f21393b04a0e28b10b475f460219d5248f6b3b0f2bf1ef6b640

Download Submit
memory/4088-21-0x0000000000B40000-0x0000000000B70000-memory.dmp

Filesize
192KB

Download
memory/4088-28-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4088-32-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4088-31-0x0000000005900000-0x000000000594C000-memory.dmp

Filesize
304KB

Download
memory/4088-30-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4088-22-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4088-23-0x0000000005560000-0x0000000005566000-memory.dmp

Filesize
24KB

Download
memory/4088-29-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/4088-25-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/4088-26-0x0000000005720000-0x000000000582A000-memory.dmp

Filesize
1.0MB

Download
memory/4088-27-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4124-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4124-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4124-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4124-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4124-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads