mystic | cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3

Analysis

max time kernel
142s
max time network
149s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe
Size

892KB
MD5

5d3131a868e493ceabb4647f5c9587bf
SHA1

bbe56c732ce5cb1a09b79ca2e87163e4347e6be7
SHA256

cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3
SHA512

f55d90afe75bec7f9bffa3cc26a7b78cc3f0085660f0953766e7cfaa84b63444a60f4782a546b8d8cbf1e4737e2802673fbf10bbe40cdf03b3d991fa77b9fe5b
SSDEEP

24576:/yT/h8U1y/5b9AIbjznhXGZNyKxMhJr/4BGx:KTGU0/5ScozNsr/wG

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2240-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2240-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2240-17-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2240-20-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4816-24-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1076	IQ7sD58.exe
3080	11Kr2422.exe
2552	12kL649.exe
5032	13tU983.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	IQ7sD58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 2240	3080	11Kr2422.exe	74
PID 2552 set thread context of 4816	2552	12kL649.exe	79
PID 5032 set thread context of 2568	5032	13tU983.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3280	2240	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	AppLaunch.exe
2568	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1076	2244	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe	71
PID 2244 wrote to memory of 1076	2244	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe	71
PID 2244 wrote to memory of 1076	2244	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe	71
PID 1076 wrote to memory of 3080	1076	IQ7sD58.exe	72
PID 1076 wrote to memory of 3080	1076	IQ7sD58.exe	72
PID 1076 wrote to memory of 3080	1076	IQ7sD58.exe	72
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 3080 wrote to memory of 2240	3080	11Kr2422.exe	74
PID 1076 wrote to memory of 2552	1076	IQ7sD58.exe	75
PID 1076 wrote to memory of 2552	1076	IQ7sD58.exe	75
PID 1076 wrote to memory of 2552	1076	IQ7sD58.exe	75
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2552 wrote to memory of 4816	2552	12kL649.exe	79
PID 2244 wrote to memory of 5032	2244	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe	80
PID 2244 wrote to memory of 5032	2244	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe	80
PID 2244 wrote to memory of 5032	2244	cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe	80
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82
PID 5032 wrote to memory of 2568	5032	13tU983.exe	82

C:\Users\Admin\AppData\Local\Temp\cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe
"C:\Users\Admin\AppData\Local\Temp\cba9f2e5cea06fc8287a3c7987fbe703d1e59c3089a3241a7dd673cdc3e076c3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ7sD58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ7sD58.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kr2422.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kr2422.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 568
        5⤵
        Program crash
        
        PID:3280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12kL649.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12kL649.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tU983.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tU983.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tU983.exe

Filesize
724KB

MD5
03b81781e7796c41afa5aa03c092813f

SHA1
4aa0b58746c953b1fb2024e0a9868cb1a7f29e8c

SHA256
3fbc9ddc9abc13a9b386898efd29c48816dfaf0a09d07d50f9b30f0185f87c4f

SHA512
865cfc6b3a60b3b38491f2341a22cd41d9ffeb52d3e044b40d04b854d538901b139aa584eadc53cf3f5a7e68a43d474547c2d71b09529d2c73062d38ca7609d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tU983.exe

Filesize
724KB

MD5
03b81781e7796c41afa5aa03c092813f

SHA1
4aa0b58746c953b1fb2024e0a9868cb1a7f29e8c

SHA256
3fbc9ddc9abc13a9b386898efd29c48816dfaf0a09d07d50f9b30f0185f87c4f

SHA512
865cfc6b3a60b3b38491f2341a22cd41d9ffeb52d3e044b40d04b854d538901b139aa584eadc53cf3f5a7e68a43d474547c2d71b09529d2c73062d38ca7609d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ7sD58.exe

Filesize
429KB

MD5
74cd04781a2cdfc01e589559f8150117

SHA1
923855e1a26454643ef729a1852c87b8c2537dd1

SHA256
10aa5621da8388f42820709377128927d05a993a58e555bcfcbdc6e2cf6a2f14

SHA512
40f7f7ffbae98ce345ba5d075cc1fafde3608f86defe1dce521630b422d94e6b4d37b74f0cab582364a150df61498f89178de24c19ee33f43871dc23ef72982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ7sD58.exe

Filesize
429KB

MD5
74cd04781a2cdfc01e589559f8150117

SHA1
923855e1a26454643ef729a1852c87b8c2537dd1

SHA256
10aa5621da8388f42820709377128927d05a993a58e555bcfcbdc6e2cf6a2f14

SHA512
40f7f7ffbae98ce345ba5d075cc1fafde3608f86defe1dce521630b422d94e6b4d37b74f0cab582364a150df61498f89178de24c19ee33f43871dc23ef72982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kr2422.exe

Filesize
376KB

MD5
3eff834885464a3323e7ba70bd0e8658

SHA1
2b892b446e59659406f88235a2685e6ffba09757

SHA256
82efa46a46b883c43f94717a2f97c5e7a77bed394022a3a161cd65baeeac901d

SHA512
71f2f3538db208468fddd2dfedc2bc35ba4cb4187b6d4a886f50cb7e2e614af42191fd172533b137b143b60326d22853469d18fb84e9c7dc4b3e94ff6faf20ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kr2422.exe

Filesize
376KB

MD5
3eff834885464a3323e7ba70bd0e8658

SHA1
2b892b446e59659406f88235a2685e6ffba09757

SHA256
82efa46a46b883c43f94717a2f97c5e7a77bed394022a3a161cd65baeeac901d

SHA512
71f2f3538db208468fddd2dfedc2bc35ba4cb4187b6d4a886f50cb7e2e614af42191fd172533b137b143b60326d22853469d18fb84e9c7dc4b3e94ff6faf20ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12kL649.exe

Filesize
415KB

MD5
d97d27eb3f9f3d4af0ad17e803e3b252

SHA1
d278b93d4254969c3e83653c6901d2cf3bb5c94d

SHA256
8298aa1bd9a174da9fa7619e0daaca6f1799b41b4d9657befc91752b88210208

SHA512
405354cc65597b989574fec9a89a0dee9061e6a3648541d7a7ff2dc7c6fb2cb18084a63ac6b4512d3c8b0fe210896c877e1384db51d08f5472d0d489dadfcb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12kL649.exe

Filesize
415KB

MD5
d97d27eb3f9f3d4af0ad17e803e3b252

SHA1
d278b93d4254969c3e83653c6901d2cf3bb5c94d

SHA256
8298aa1bd9a174da9fa7619e0daaca6f1799b41b4d9657befc91752b88210208

SHA512
405354cc65597b989574fec9a89a0dee9061e6a3648541d7a7ff2dc7c6fb2cb18084a63ac6b4512d3c8b0fe210896c877e1384db51d08f5472d0d489dadfcb33

Download Submit
memory/2240-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2568-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2568-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2568-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4816-35-0x000000000C310000-0x000000000C916000-memory.dmp

Filesize
6.0MB

Download
memory/4816-34-0x0000000008F50000-0x0000000008F5A000-memory.dmp

Filesize
40KB

Download
memory/4816-36-0x000000000B610000-0x000000000B71A000-memory.dmp

Filesize
1.0MB

Download
memory/4816-37-0x000000000B530000-0x000000000B542000-memory.dmp

Filesize
72KB

Download
memory/4816-38-0x000000000B590000-0x000000000B5CE000-memory.dmp

Filesize
248KB

Download
memory/4816-39-0x000000000B720000-0x000000000B76B000-memory.dmp

Filesize
300KB

Download
memory/4816-33-0x000000000B300000-0x000000000B392000-memory.dmp

Filesize
584KB

Download
memory/4816-32-0x000000000B800000-0x000000000BCFE000-memory.dmp

Filesize
5.0MB

Download
memory/4816-31-0x00000000727D0000-0x0000000072EBE000-memory.dmp

Filesize
6.9MB

Download
memory/4816-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-55-0x00000000727D0000-0x0000000072EBE000-memory.dmp

Filesize
6.9MB

Download