mystic | 8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37

Analysis

max time kernel
132s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe
Size

893KB
MD5

a28ee74b3ec1903fc937b58a7b57ba36
SHA1

2675065fea3cc12a63beefcb1d43a0fc240e3203
SHA256

8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37
SHA512

f51b122059deb78afea97f949716b5daec8a237e23950d9335125ddbedeeff19b72d1eecdcf8e239bf679ead3a6f7f69ed65bbb0d1a53202915be4d3393099b9
SSDEEP

24576:yyGnJg7lrDwaabNIJD1ywHNLRJD8wwUYt:ZGylf1aGJD/1NVY

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2824-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2824-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2824-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2824-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4360-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4404	Nw9fn35.exe
1844	11ki0958.exe
2708	12du148.exe
3504	13DB565.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Nw9fn35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 2824	1844	11ki0958.exe	100
PID 2708 set thread context of 4360	2708	12du148.exe	110
PID 3504 set thread context of 4568	3504	13DB565.exe	120

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3196	2824	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	AppLaunch.exe
4568	AppLaunch.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4404	4396	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe	86
PID 4396 wrote to memory of 4404	4396	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe	86
PID 4396 wrote to memory of 4404	4396	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe	86
PID 4404 wrote to memory of 1844	4404	Nw9fn35.exe	87
PID 4404 wrote to memory of 1844	4404	Nw9fn35.exe	87
PID 4404 wrote to memory of 1844	4404	Nw9fn35.exe	87
PID 1844 wrote to memory of 1144	1844	11ki0958.exe	99
PID 1844 wrote to memory of 1144	1844	11ki0958.exe	99
PID 1844 wrote to memory of 1144	1844	11ki0958.exe	99
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 1844 wrote to memory of 2824	1844	11ki0958.exe	100
PID 4404 wrote to memory of 2708	4404	Nw9fn35.exe	101
PID 4404 wrote to memory of 2708	4404	Nw9fn35.exe	101
PID 4404 wrote to memory of 2708	4404	Nw9fn35.exe	101
PID 2708 wrote to memory of 4580	2708	12du148.exe	108
PID 2708 wrote to memory of 4580	2708	12du148.exe	108
PID 2708 wrote to memory of 4580	2708	12du148.exe	108
PID 2708 wrote to memory of 2612	2708	12du148.exe	109
PID 2708 wrote to memory of 2612	2708	12du148.exe	109
PID 2708 wrote to memory of 2612	2708	12du148.exe	109
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 2708 wrote to memory of 4360	2708	12du148.exe	110
PID 4396 wrote to memory of 3504	4396	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe	111
PID 4396 wrote to memory of 3504	4396	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe	111
PID 4396 wrote to memory of 3504	4396	8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe	111
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120
PID 3504 wrote to memory of 4568	3504	13DB565.exe	120

C:\Users\Admin\AppData\Local\Temp\8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe
"C:\Users\Admin\AppData\Local\Temp\8ca41ea3c3e20c751b3cec6e9a3eec3e2ce7629a322f9f26919543f9328b0e37.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nw9fn35.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nw9fn35.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ki0958.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ki0958.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 540
        5⤵
        Program crash
        
        PID:3196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12du148.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12du148.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13DB565.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13DB565.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13DB565.exe

Filesize
724KB

MD5
b215b6347e313792e390adc2292a4dcd

SHA1
b8fb11819b7be37ef69d592b5d62e26a3566b59c

SHA256
5f45a1c6642f1799786a7736d44c830d7de00a19471fff50d8b8000584508433

SHA512
5e9f6e6fb834cf0ff9d5e0a4a5db6cdb9429da9d670bb6702038dceafe9314d9165326a2c9e819e8ba97891cbeb55ff8c67e28448dd085522cc60fa1cd80ac74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13DB565.exe

Filesize
724KB

MD5
b215b6347e313792e390adc2292a4dcd

SHA1
b8fb11819b7be37ef69d592b5d62e26a3566b59c

SHA256
5f45a1c6642f1799786a7736d44c830d7de00a19471fff50d8b8000584508433

SHA512
5e9f6e6fb834cf0ff9d5e0a4a5db6cdb9429da9d670bb6702038dceafe9314d9165326a2c9e819e8ba97891cbeb55ff8c67e28448dd085522cc60fa1cd80ac74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nw9fn35.exe

Filesize
429KB

MD5
48d35ea4cd6ede81d9bba52d6dbca9b0

SHA1
a444abbb86fbbf98d781bc61c05cf8e8fce2611b

SHA256
28872f1fb0d538fd73e865caa083d1d9c82cd3dcc15cd8765afa84631466217a

SHA512
ed67a5883732ab0caec268f775c03cc131bcda3ba6ab57ba771f3a05592e7ed97669a8081d44b05b0ad304c539bb25c6a7021175855cb09f0d55fbd8918f7d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nw9fn35.exe

Filesize
429KB

MD5
48d35ea4cd6ede81d9bba52d6dbca9b0

SHA1
a444abbb86fbbf98d781bc61c05cf8e8fce2611b

SHA256
28872f1fb0d538fd73e865caa083d1d9c82cd3dcc15cd8765afa84631466217a

SHA512
ed67a5883732ab0caec268f775c03cc131bcda3ba6ab57ba771f3a05592e7ed97669a8081d44b05b0ad304c539bb25c6a7021175855cb09f0d55fbd8918f7d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ki0958.exe

Filesize
376KB

MD5
1aafdc918a12fab26169356c49103bb7

SHA1
005ec4da41b2443b4430ead87f42969445e0f9d1

SHA256
c4ab8bf871221b0dd763b1dba75dacca4e3adeb7fe598c8985ced5a7630b1cb2

SHA512
45690fbcda9dc7a8b84e9fcd5031b6b1b5ca91064f7263c977197694a605af5a5b947de213cd2234fd1d07be424e1f6b1edcf28a43f7d1ae0210a43cb6968802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ki0958.exe

Filesize
376KB

MD5
1aafdc918a12fab26169356c49103bb7

SHA1
005ec4da41b2443b4430ead87f42969445e0f9d1

SHA256
c4ab8bf871221b0dd763b1dba75dacca4e3adeb7fe598c8985ced5a7630b1cb2

SHA512
45690fbcda9dc7a8b84e9fcd5031b6b1b5ca91064f7263c977197694a605af5a5b947de213cd2234fd1d07be424e1f6b1edcf28a43f7d1ae0210a43cb6968802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12du148.exe

Filesize
415KB

MD5
33513c4dcc2808bbcb246844207f35fa

SHA1
5d435eb7ae23afa00dd783aa32d19ac4eb519598

SHA256
2a3668375f316b2af43783403a477ac8416e5355870dbd7d729c707cde8cf81a

SHA512
5968498d62625c9e71342ca77ef155657779dc54db04caa58ab7769a3739b2a7eba5a7bc8d29035346cbbae4d9431b26735c756b995c518c8c52a8067f29aa9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12du148.exe

Filesize
415KB

MD5
33513c4dcc2808bbcb246844207f35fa

SHA1
5d435eb7ae23afa00dd783aa32d19ac4eb519598

SHA256
2a3668375f316b2af43783403a477ac8416e5355870dbd7d729c707cde8cf81a

SHA512
5968498d62625c9e71342ca77ef155657779dc54db04caa58ab7769a3739b2a7eba5a7bc8d29035346cbbae4d9431b26735c756b995c518c8c52a8067f29aa9b

Download Submit
memory/2824-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-27-0x0000000008440000-0x00000000089E4000-memory.dmp

Filesize
5.6MB

Download
memory/4360-34-0x00000000081B0000-0x00000000081EC000-memory.dmp

Filesize
240KB

Download
memory/4360-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4360-28-0x0000000007F30000-0x0000000007FC2000-memory.dmp

Filesize
584KB

Download
memory/4360-29-0x0000000007EE0000-0x0000000007EF0000-memory.dmp

Filesize
64KB

Download
memory/4360-30-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

Filesize
40KB

Download
memory/4360-31-0x0000000009010000-0x0000000009628000-memory.dmp

Filesize
6.1MB

Download
memory/4360-32-0x0000000008220000-0x000000000832A000-memory.dmp

Filesize
1.0MB

Download
memory/4360-33-0x0000000008150000-0x0000000008162000-memory.dmp

Filesize
72KB

Download
memory/4360-26-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4360-35-0x0000000008330000-0x000000000837C000-memory.dmp

Filesize
304KB

Download
memory/4360-36-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4360-37-0x0000000007EE0000-0x0000000007EF0000-memory.dmp

Filesize
64KB

Download
memory/4568-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4568-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4568-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4568-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download