mystic | fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488

Analysis

max time kernel
133s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe
Size

887KB
MD5

c291988a584ef6db369035db3c2ce785
SHA1

34897b1e8403e92b5901f9038ed3ac254ae8b661
SHA256

fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488
SHA512

3d34f2240ad17b8eb74f820596cc2be772c0aa6546ce99bbef74dd3a6dcfd599b7fdf536c78df5f18eabc1d315bde177232b70c50f60265cb52f6cf42567c65e
SSDEEP

24576:Cyh6QXZ9OCU1iH0Eoeyt2ec4TPpKLtaw+CvKn:p8QJ9O/iSN2zuhKLhfK

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1708-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1708-17-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1708-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1708-20-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3248-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4872	TT5ax77.exe
3092	11Xl6164.exe
4620	12Sp059.exe
2908	13tF493.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TT5ax77.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3092 set thread context of 1708	3092	11Xl6164.exe	101
PID 4620 set thread context of 3248	4620	12Sp059.exe	106
PID 2908 set thread context of 3044	2908	13tF493.exe	118

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	1708	WerFault.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3044	AppLaunch.exe
3044	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4872	2912	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe	87
PID 2912 wrote to memory of 4872	2912	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe	87
PID 2912 wrote to memory of 4872	2912	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe	87
PID 4872 wrote to memory of 3092	4872	TT5ax77.exe	88
PID 4872 wrote to memory of 3092	4872	TT5ax77.exe	88
PID 4872 wrote to memory of 3092	4872	TT5ax77.exe	88
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 3092 wrote to memory of 1708	3092	11Xl6164.exe	101
PID 4872 wrote to memory of 4620	4872	TT5ax77.exe	102
PID 4872 wrote to memory of 4620	4872	TT5ax77.exe	102
PID 4872 wrote to memory of 4620	4872	TT5ax77.exe	102
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 4620 wrote to memory of 3248	4620	12Sp059.exe	106
PID 2912 wrote to memory of 2908	2912	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe	107
PID 2912 wrote to memory of 2908	2912	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe	107
PID 2912 wrote to memory of 2908	2912	fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe	107
PID 2908 wrote to memory of 4860	2908	13tF493.exe	117
PID 2908 wrote to memory of 4860	2908	13tF493.exe	117
PID 2908 wrote to memory of 4860	2908	13tF493.exe	117
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118
PID 2908 wrote to memory of 3044	2908	13tF493.exe	118

C:\Users\Admin\AppData\Local\Temp\fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe
"C:\Users\Admin\AppData\Local\Temp\fa0c8a27e4c5fdeb22ad1551b61aadf6a108053c682f20bb8bb071807e246488.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TT5ax77.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TT5ax77.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Xl6164.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Xl6164.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 540
        5⤵
        Program crash
        
        PID:4304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Sp059.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Sp059.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tF493.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tF493.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1708 -ip 1708
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tF493.exe

Filesize
724KB

MD5
6fe4ff933d2f467f8f13997f26f43762

SHA1
8d955cca0e88bae2813ccfd96bd5444e1c956b3a

SHA256
4c9723b284aa21554e2b5e6ea11bee9f92f7558fb7efb10bda800211121c89d3

SHA512
7c490a303cd5bb760cd7b3aa5e14aa31e793b6d11a20a0c30352aa6bb3418c7e8fafce51eceb8a10c46ee48d6f73f8c61bb0a5e9a39708695e599c04ed4f87c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13tF493.exe

Filesize
724KB

MD5
6fe4ff933d2f467f8f13997f26f43762

SHA1
8d955cca0e88bae2813ccfd96bd5444e1c956b3a

SHA256
4c9723b284aa21554e2b5e6ea11bee9f92f7558fb7efb10bda800211121c89d3

SHA512
7c490a303cd5bb760cd7b3aa5e14aa31e793b6d11a20a0c30352aa6bb3418c7e8fafce51eceb8a10c46ee48d6f73f8c61bb0a5e9a39708695e599c04ed4f87c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TT5ax77.exe

Filesize
424KB

MD5
bcfbde97b4496cefc1488456b3a2d6d8

SHA1
992f37a39b6e9431a502bac2bfdccf664f9c37fa

SHA256
5e5cc8569cf3db7569e4d100982ba212fee5f05c038f5b1f42609727f1cb5bdc

SHA512
06677b0bc5b478f0f3ea41b8b347a0de13d6debb384017ce378b6b768a827f9126e920c6b58090798414c99239d9d5acc4d03e9f249606a9a55d32d5a53ffb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TT5ax77.exe

Filesize
424KB

MD5
bcfbde97b4496cefc1488456b3a2d6d8

SHA1
992f37a39b6e9431a502bac2bfdccf664f9c37fa

SHA256
5e5cc8569cf3db7569e4d100982ba212fee5f05c038f5b1f42609727f1cb5bdc

SHA512
06677b0bc5b478f0f3ea41b8b347a0de13d6debb384017ce378b6b768a827f9126e920c6b58090798414c99239d9d5acc4d03e9f249606a9a55d32d5a53ffb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Xl6164.exe

Filesize
378KB

MD5
b75646a0cafa1ab60973cc114711a96b

SHA1
9b7efef15d08499e53686a947c1d1c5b0f52c464

SHA256
75069e5bb392f938029f1e36d641d9193ffd7db60ad9b877b2336a3c4a4dabc9

SHA512
0d82021f3ed067368efdc4d163f1c4efeea6e3a2a6d11916a25bc45e2fb499240ec9940b3a46756663ca5ec3f6306fb39ac90096d6271bdd51a2d78d2d8d2492

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Xl6164.exe

Filesize
378KB

MD5
b75646a0cafa1ab60973cc114711a96b

SHA1
9b7efef15d08499e53686a947c1d1c5b0f52c464

SHA256
75069e5bb392f938029f1e36d641d9193ffd7db60ad9b877b2336a3c4a4dabc9

SHA512
0d82021f3ed067368efdc4d163f1c4efeea6e3a2a6d11916a25bc45e2fb499240ec9940b3a46756663ca5ec3f6306fb39ac90096d6271bdd51a2d78d2d8d2492

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Sp059.exe

Filesize
415KB

MD5
5b1740e2ce66d323dda1bdb1f72f8669

SHA1
86ad9f032454db33a226b46eca220a765ab9a0d5

SHA256
a6e2837e8bd919667bd7a443f5cac76b21de06e27b165a994696071059587707

SHA512
1abdfe14eb0957cdcc9a70d2c897899048837139c97f8fcb0bb823087fa62bb133a97e1dce7addc288164192bffe77436a0d081dc183c6d92308fcdffa1631ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Sp059.exe

Filesize
415KB

MD5
5b1740e2ce66d323dda1bdb1f72f8669

SHA1
86ad9f032454db33a226b46eca220a765ab9a0d5

SHA256
a6e2837e8bd919667bd7a443f5cac76b21de06e27b165a994696071059587707

SHA512
1abdfe14eb0957cdcc9a70d2c897899048837139c97f8fcb0bb823087fa62bb133a97e1dce7addc288164192bffe77436a0d081dc183c6d92308fcdffa1631ea

Download Submit
memory/1708-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3044-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3044-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3044-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3248-27-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/3248-30-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/3248-31-0x0000000008B10000-0x0000000009128000-memory.dmp

Filesize
6.1MB

Download
memory/3248-32-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/3248-33-0x0000000007C80000-0x0000000007C92000-memory.dmp

Filesize
72KB

Download
memory/3248-34-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/3248-35-0x0000000007D20000-0x0000000007D6C000-memory.dmp

Filesize
304KB

Download
memory/3248-36-0x0000000073F30000-0x00000000746E0000-memory.dmp

Filesize
7.7MB

Download
memory/3248-37-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/3248-29-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/3248-28-0x0000000007A30000-0x0000000007AC2000-memory.dmp

Filesize
584KB

Download
memory/3248-26-0x0000000073F30000-0x00000000746E0000-memory.dmp

Filesize
7.7MB

Download
memory/3248-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download