mystic | d26b1be37b5b12691f4989956ef7b72ff6bf2ec8a670b138cf837211bd215316

Analysis

max time kernel
9s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe
Size

1.3MB
MD5

e71b3e82dff6cfcb94c9c35deb7221b0
SHA1

351e87cfe5b2af1494feccb6df4e33620c9e84fa
SHA256

d26b1be37b5b12691f4989956ef7b72ff6bf2ec8a670b138cf837211bd215316
SHA512

a2ca4ed2845de981da45090dc338dea020eadfa4dfe4fce16e16b93673e9c17d3e19d010e8a0a898ce3f1dd2a11bbd232358242c0b8996532824282341d15d5c
SSDEEP

24576:xyRaC4fcFQheOd6n6dEmX2C78BLd1o6/WKlOSD+cpljGI/5yXnt+5:kRB4EFQhesOh1oKlIkjGIx6k

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1796-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1796-32-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1796-30-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1796-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e21-34.dat	family_redline
behavioral1/files/0x0006000000022e21-35.dat	family_redline
behavioral1/memory/4800-37-0x00000000006D0000-0x000000000070C000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4768	dN2OL8lH.exe
3976	EB9Uv3XT.exe
3128	QT2AI9YK.exe
5068	1Ls45kV2.exe
4800	2nv797Zu.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dN2OL8lH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	EB9Uv3XT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QT2AI9YK.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 1796	5068	1Ls45kV2.exe	72

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1068	1796	WerFault.exe	72

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4768	4244	NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe	55
PID 4244 wrote to memory of 4768	4244	NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe	55
PID 4244 wrote to memory of 4768	4244	NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe	55
PID 4768 wrote to memory of 3976	4768	dN2OL8lH.exe	58
PID 4768 wrote to memory of 3976	4768	dN2OL8lH.exe	58
PID 4768 wrote to memory of 3976	4768	dN2OL8lH.exe	58
PID 3976 wrote to memory of 3128	3976	EB9Uv3XT.exe	60
PID 3976 wrote to memory of 3128	3976	EB9Uv3XT.exe	60
PID 3976 wrote to memory of 3128	3976	EB9Uv3XT.exe	60
PID 3128 wrote to memory of 5068	3128	QT2AI9YK.exe	62
PID 3128 wrote to memory of 5068	3128	QT2AI9YK.exe	62
PID 3128 wrote to memory of 5068	3128	QT2AI9YK.exe	62
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 5068 wrote to memory of 1796	5068	1Ls45kV2.exe	72
PID 3128 wrote to memory of 4800	3128	QT2AI9YK.exe	69
PID 3128 wrote to memory of 4800	3128	QT2AI9YK.exe	69
PID 3128 wrote to memory of 4800	3128	QT2AI9YK.exe	69

C:\Users\Admin\AppData\Local\Temp\NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e71b3e82dff6cfcb94c9c35deb7221b0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN2OL8lH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN2OL8lH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9Uv3XT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9Uv3XT.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QT2AI9YK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QT2AI9YK.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls45kV2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls45kV2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 540
        7⤵
        Program crash
        
        PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nv797Zu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nv797Zu.exe
        5⤵
        Executes dropped EXE
        
        PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1796 -ip 1796
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN2OL8lH.exe

Filesize
1.1MB

MD5
e3d76a0d05cefb91f3bbdef560958790

SHA1
171883ee2f7e4aa131cf1c6ad142fab0e09bca7a

SHA256
55ba3000984faae8513a4157545413f2180b6782390b2e30a571106b4eb6fbec

SHA512
ea15433536d489908c0a8d7b583b190d70495bfe2526523870bd70e289efe454f51d7192c863e8a969501af40641f1da1ff5ac1d0901b6f77ace30babf2f49d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN2OL8lH.exe

Filesize
1.1MB

MD5
e3d76a0d05cefb91f3bbdef560958790

SHA1
171883ee2f7e4aa131cf1c6ad142fab0e09bca7a

SHA256
55ba3000984faae8513a4157545413f2180b6782390b2e30a571106b4eb6fbec

SHA512
ea15433536d489908c0a8d7b583b190d70495bfe2526523870bd70e289efe454f51d7192c863e8a969501af40641f1da1ff5ac1d0901b6f77ace30babf2f49d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9Uv3XT.exe

Filesize
753KB

MD5
9db7388987f066d5cce5dc42c68e8a5d

SHA1
5411e0e63b1fe8e10fde230f3ab30c92d2c049dc

SHA256
73b7ec932dfcb1ebd6096cef90d5d0673b23b43f8052b09baf07f74d966ec12d

SHA512
a2b3391dc480461cd0c3e50392d9fb6f63f921ddee92f74a04dced36101ef054de98044c46fa991c0e25a9c90e61c5350193987b6b7b5e6db511ca6f410e6278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9Uv3XT.exe

Filesize
753KB

MD5
9db7388987f066d5cce5dc42c68e8a5d

SHA1
5411e0e63b1fe8e10fde230f3ab30c92d2c049dc

SHA256
73b7ec932dfcb1ebd6096cef90d5d0673b23b43f8052b09baf07f74d966ec12d

SHA512
a2b3391dc480461cd0c3e50392d9fb6f63f921ddee92f74a04dced36101ef054de98044c46fa991c0e25a9c90e61c5350193987b6b7b5e6db511ca6f410e6278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QT2AI9YK.exe

Filesize
558KB

MD5
55b33aa2b281cb6319b903a663136693

SHA1
9e5b66faea9131ae8a2679041e82d5b6dacfa8ab

SHA256
4d3644491fd1a1ac2759163863e8acd7a0c3f18c88d3647c41cfdd684b22968a

SHA512
ec1ed41b242825cb918c03dc4152fd3a5b0ae676cd90957190003ff3e185301e7e17d06f41e8e124fed5c71454effc8a1a4e4c00251040f7a9e5468b3a4738d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QT2AI9YK.exe

Filesize
558KB

MD5
55b33aa2b281cb6319b903a663136693

SHA1
9e5b66faea9131ae8a2679041e82d5b6dacfa8ab

SHA256
4d3644491fd1a1ac2759163863e8acd7a0c3f18c88d3647c41cfdd684b22968a

SHA512
ec1ed41b242825cb918c03dc4152fd3a5b0ae676cd90957190003ff3e185301e7e17d06f41e8e124fed5c71454effc8a1a4e4c00251040f7a9e5468b3a4738d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls45kV2.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls45kV2.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nv797Zu.exe

Filesize
219KB

MD5
c59b3883230bc6c756eceff071591dad

SHA1
1c2855d67696e112d3746b3bb1fb180386f89467

SHA256
4d175dcfaeda1e81dad76d4d11b24fe977f45ebb49b3cad30a269bb471f423d2

SHA512
6de800865ab911d4f0f0a8848c1b0c151a74b16eaf35ff11de5f98a6a11c6716a9fe1fb375dce16b64f663f128f60083777e1d16a2ceaa44e3dd31b5e31ecfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nv797Zu.exe

Filesize
219KB

MD5
c59b3883230bc6c756eceff071591dad

SHA1
1c2855d67696e112d3746b3bb1fb180386f89467

SHA256
4d175dcfaeda1e81dad76d4d11b24fe977f45ebb49b3cad30a269bb471f423d2

SHA512
6de800865ab911d4f0f0a8848c1b0c151a74b16eaf35ff11de5f98a6a11c6716a9fe1fb375dce16b64f663f128f60083777e1d16a2ceaa44e3dd31b5e31ecfbf

Download Submit
memory/1796-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-41-0x0000000007590000-0x000000000759A000-memory.dmp

Filesize
40KB

Download
memory/4800-37-0x00000000006D0000-0x000000000070C000-memory.dmp

Filesize
240KB

Download
memory/4800-38-0x00000000079D0000-0x0000000007F74000-memory.dmp

Filesize
5.6MB

Download
memory/4800-39-0x00000000074C0000-0x0000000007552000-memory.dmp

Filesize
584KB

Download
memory/4800-40-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/4800-36-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4800-42-0x00000000085A0000-0x0000000008BB8000-memory.dmp

Filesize
6.1MB

Download
memory/4800-43-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/4800-44-0x0000000007870000-0x0000000007882000-memory.dmp

Filesize
72KB

Download
memory/4800-45-0x00000000078D0000-0x000000000790C000-memory.dmp

Filesize
240KB

Download
memory/4800-46-0x0000000007910000-0x000000000795C000-memory.dmp

Filesize
304KB

Download
memory/4800-47-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4800-48-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads