mystic | 83d5d197881cace05f6260ed8d0b91e9fee2f637cbb0017c1b5dbdf8f8bd2b5a

General

Target

NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe
Size

764KB
MD5

9d6d022c70611ba628da7b718a0b7ab0
SHA1

d3daa97c52a5ffb64a04a297ad8deab9c7fcf760
SHA256

83d5d197881cace05f6260ed8d0b91e9fee2f637cbb0017c1b5dbdf8f8bd2b5a
SHA512

b54d7f3838aa82e4ff85eaf477bcf35f2a45c8ca86ade69ea0e8be414fefb59cbbedffe105d3cebe8b297ab84e698921a958c4bcb81b868fecafcfe59eb803de
SSDEEP

12288:MMr1y90P/vGzKdHMXHqU9Dvkxm8LFIiTNhT9ZneL65+MlMdjpQk8nf7pO:5y8/v1UHqUhlsqiTTrnHtM5G3nfE

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4940-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4940-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4940-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4940-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022df6-20.dat	family_redline
behavioral1/files/0x0007000000022df6-21.dat	family_redline
behavioral1/memory/4844-22-0x0000000000410000-0x000000000044C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2972	VD3Xe1xS.exe
2032	1tX74Av1.exe
4844	2BL972tk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VD3Xe1xS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 4940	2032	1tX74Av1.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	4940	WerFault.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2972	2952	NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe	82
PID 2952 wrote to memory of 2972	2952	NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe	82
PID 2952 wrote to memory of 2972	2952	NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe	82
PID 2972 wrote to memory of 2032	2972	VD3Xe1xS.exe	87
PID 2972 wrote to memory of 2032	2972	VD3Xe1xS.exe	87
PID 2972 wrote to memory of 2032	2972	VD3Xe1xS.exe	87
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2032 wrote to memory of 4940	2032	1tX74Av1.exe	88
PID 2972 wrote to memory of 4844	2972	VD3Xe1xS.exe	90
PID 2972 wrote to memory of 4844	2972	VD3Xe1xS.exe	90
PID 2972 wrote to memory of 4844	2972	VD3Xe1xS.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9d6d022c70611ba628da7b718a0b7ab0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VD3Xe1xS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VD3Xe1xS.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX74Av1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX74Av1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 200
        5⤵
        Program crash
        
        PID:4828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL972tk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL972tk.exe
    3⤵
    - Executes dropped EXE
    PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4940 -ip 4940
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VD3Xe1xS.exe

Filesize
568KB

MD5
4e1ed19dbc711bff791ad1fe7efcaebd

SHA1
63c9078698137048a183e24064ffaaa5ae42b29c

SHA256
51d7c9680fb25a74025133a6d38daa562f47bb7f5ed66fddba1df08a8f7f640c

SHA512
b10f0ef6875e7e484da5c7cbbe20476da97fe75e2174e614dacca0c8b000589257ecf11ec96bc20782d06c319186402ee0233a8d0c0c650376194ed4db6495ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VD3Xe1xS.exe

Filesize
568KB

MD5
4e1ed19dbc711bff791ad1fe7efcaebd

SHA1
63c9078698137048a183e24064ffaaa5ae42b29c

SHA256
51d7c9680fb25a74025133a6d38daa562f47bb7f5ed66fddba1df08a8f7f640c

SHA512
b10f0ef6875e7e484da5c7cbbe20476da97fe75e2174e614dacca0c8b000589257ecf11ec96bc20782d06c319186402ee0233a8d0c0c650376194ed4db6495ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX74Av1.exe

Filesize
1.1MB

MD5
ee68186cfeea46d38bc09121d2675d6b

SHA1
c9febfc790a0cd0627dc4e732934cb6b3cd79810

SHA256
48a771dc8e31fe8254040805755d315d61e38fb0f8700d920fbc8cfc77e5e5f6

SHA512
fc11da4e59b87c8d49b9582789ea9556aa762c5c068e52e2764f3a77825497bb8a6725e74cae8cd64079de4b165f2a2405c80060be77f9b7c66759c5544fcbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX74Av1.exe

Filesize
1.1MB

MD5
ee68186cfeea46d38bc09121d2675d6b

SHA1
c9febfc790a0cd0627dc4e732934cb6b3cd79810

SHA256
48a771dc8e31fe8254040805755d315d61e38fb0f8700d920fbc8cfc77e5e5f6

SHA512
fc11da4e59b87c8d49b9582789ea9556aa762c5c068e52e2764f3a77825497bb8a6725e74cae8cd64079de4b165f2a2405c80060be77f9b7c66759c5544fcbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL972tk.exe

Filesize
219KB

MD5
a48c8f3fdba556d91550152cedc62990

SHA1
b0e79dc1762d1cd86c4a72f1a8a590c3cbc4c114

SHA256
52330ef0432e0a053ab852a80e992041cd1cf71085e91b9bf073347eea69ad02

SHA512
50494a569d6a82d5b62a46cc93873ad8525b11dca2fe7f4dd78ab100c7b516c2e17ce2c62b80887034dc483511eebe525c663fe3384f75a9c8e4f626df07a1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BL972tk.exe

Filesize
219KB

MD5
a48c8f3fdba556d91550152cedc62990

SHA1
b0e79dc1762d1cd86c4a72f1a8a590c3cbc4c114

SHA256
52330ef0432e0a053ab852a80e992041cd1cf71085e91b9bf073347eea69ad02

SHA512
50494a569d6a82d5b62a46cc93873ad8525b11dca2fe7f4dd78ab100c7b516c2e17ce2c62b80887034dc483511eebe525c663fe3384f75a9c8e4f626df07a1cc

Download Submit
memory/4844-27-0x00000000073A0000-0x00000000073AA000-memory.dmp

Filesize
40KB

Download
memory/4844-31-0x00000000074D0000-0x000000000750C000-memory.dmp

Filesize
240KB

Download
memory/4844-34-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/4844-33-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4844-22-0x0000000000410000-0x000000000044C000-memory.dmp

Filesize
240KB

Download
memory/4844-23-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4844-24-0x00000000076B0000-0x0000000007C54000-memory.dmp

Filesize
5.6MB

Download
memory/4844-25-0x00000000071E0000-0x0000000007272000-memory.dmp

Filesize
584KB

Download
memory/4844-26-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/4844-32-0x0000000007650000-0x000000000769C000-memory.dmp

Filesize
304KB

Download
memory/4844-28-0x0000000008280000-0x0000000008898000-memory.dmp

Filesize
6.1MB

Download
memory/4844-29-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/4844-30-0x0000000007470000-0x0000000007482000-memory.dmp

Filesize
72KB

Download
memory/4940-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads