Malware Analysis Report

2025-06-16 01:44

Sample ID 231109-yps8psda3x
Target file.exe
SHA256 e3346fe08c979602e5adbc8c80c6b5356ecee04d8331fb626f3f9cf36235ea97
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3346fe08c979602e5adbc8c80c6b5356ecee04d8331fb626f3f9cf36235ea97

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Mystic

RedLine payload

Detect Mystic stealer payload

RedLine

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-09 19:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-09 19:58

Reported

2023-11-09 20:00

Platform

win10v2004-20231023-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect Mystic stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 60 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe
PID 60 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe
PID 60 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe
PID 3144 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe
PID 3144 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe
PID 3144 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3144 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe
PID 3144 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe
PID 3144 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe
PID 2132 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 60 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe
PID 60 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe
PID 60 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe
PID 4720 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe | C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe | C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 5.42.92.51:19057 | | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.98.62.23.in-addr.arpa | udp
RU | 5.42.92.51:19057 | | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 5.42.92.51:19057 | | tcp
US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp
RU | 5.42.92.51:19057 | | tcp
RU | 5.42.92.51:19057 | | tcp
US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp
RU | 5.42.92.51:19057 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe

MD5 730774dd62b888857f27803f348e69c5
SHA1 4489381fa8d64a437590e1bc8f4280ecf4829844
SHA256 5be2a8e89e19b28d5b535f39dc343814287eb7d85f48babd803b84af5675de4c
SHA512 e9d20a68944ae93626b1cb378dce3b9117b91dcac6fa38d84ef88939a0028a128635090a015caefc01a3fb19bed9569b44605c18d7e3caf10e47735b4f92d29b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe

MD5 730774dd62b888857f27803f348e69c5
SHA1 4489381fa8d64a437590e1bc8f4280ecf4829844
SHA256 5be2a8e89e19b28d5b535f39dc343814287eb7d85f48babd803b84af5675de4c
SHA512 e9d20a68944ae93626b1cb378dce3b9117b91dcac6fa38d84ef88939a0028a128635090a015caefc01a3fb19bed9569b44605c18d7e3caf10e47735b4f92d29b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe

MD5 6fc14a9c635856701da0ef1d98da8e36
SHA1 50f1989c23df0b078cb2c23bf639800297b71707
SHA256 750f7323e1dff4e8be12005177941334c86d48acbe7949cac30721f92b008da4
SHA512 10013810726c61e01ab3a971b15321a0b7b29380d754587f39f6840b3059293c4d3b18c07a790c302a086c18466b47ab90bcd74ec2a5c9a70364bf524bd28497

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe

MD5 6fc14a9c635856701da0ef1d98da8e36
SHA1 50f1989c23df0b078cb2c23bf639800297b71707
SHA256 750f7323e1dff4e8be12005177941334c86d48acbe7949cac30721f92b008da4
SHA512 10013810726c61e01ab3a971b15321a0b7b29380d754587f39f6840b3059293c4d3b18c07a790c302a086c18466b47ab90bcd74ec2a5c9a70364bf524bd28497

memory/2400-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe

MD5 e94d931a855236c7309d07d4b7d862ac
SHA1 43584d7ca607a4f80395883e4e51129524a49c4c
SHA256 829c19597ba300dc91ae26d18591ea6d388d97c62d1a8929f3c10ecdfa6bf0aa
SHA512 136a2be4bce598b7726dd5ec29b5aeb0a500ed466ac9bdc8e1a312de4dbb7beb7305999dd0b836afbd1219ded001444eea2b1c8e7f4f840aa3cf91439647a244

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe

MD5 e94d931a855236c7309d07d4b7d862ac
SHA1 43584d7ca607a4f80395883e4e51129524a49c4c
SHA256 829c19597ba300dc91ae26d18591ea6d388d97c62d1a8929f3c10ecdfa6bf0aa
SHA512 136a2be4bce598b7726dd5ec29b5aeb0a500ed466ac9bdc8e1a312de4dbb7beb7305999dd0b836afbd1219ded001444eea2b1c8e7f4f840aa3cf91439647a244

memory/224-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe

MD5 bcbd3c60b750ac0cf9d69018df0e1771
SHA1 eb5cc68ccee25af2f360e6223f9ce9745c03f9e1
SHA256 29b78f3164bef67f5c7a2be8cfeb2c674ed387d8977536fa42de7ccd8149c4b9
SHA512 cb5feff6c3f392ce1aa6d03e406b980f7dd684042092bb51f5eef4f8fedf88c3ea8c467c877cb1fd20797b9dcd69df23717978fd1f63b947f42a0bc94a946361

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe

MD5 bcbd3c60b750ac0cf9d69018df0e1771
SHA1 eb5cc68ccee25af2f360e6223f9ce9745c03f9e1
SHA256 29b78f3164bef67f5c7a2be8cfeb2c674ed387d8977536fa42de7ccd8149c4b9
SHA512 cb5feff6c3f392ce1aa6d03e406b980f7dd684042092bb51f5eef4f8fedf88c3ea8c467c877cb1fd20797b9dcd69df23717978fd1f63b947f42a0bc94a946361

memory/224-28-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/224-29-0x0000000007F40000-0x00000000084E4000-memory.dmp

memory/224-31-0x0000000007A50000-0x0000000007AE2000-memory.dmp

memory/224-33-0x0000000007C00000-0x0000000007C10000-memory.dmp

memory/224-34-0x0000000007C50000-0x0000000007C5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/224-39-0x0000000008B10000-0x0000000009128000-memory.dmp

memory/224-40-0x00000000084F0000-0x00000000085FA000-memory.dmp

memory/224-41-0x0000000007D20000-0x0000000007D32000-memory.dmp

memory/224-42-0x0000000007D80000-0x0000000007DBC000-memory.dmp

memory/224-43-0x0000000007DF0000-0x0000000007E3C000-memory.dmp

memory/224-44-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/224-45-0x0000000007C00000-0x0000000007C10000-memory.dmp