mystic | 7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe
Size

1.2MB
MD5

b03551bd804b4ceea5571b668948b2b0
SHA1

0d185d4d52e317c7972f4ddb4b5bb6773994e662
SHA256

7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f
SHA512

4b6bcb202463fab88e7579c480b6b5381b18acafa3b11ec150c5ff181b2dfaa45289dc713023f79d2a0ceb6ec3f9b7b707d4086b91d1ed4cb1ec2e23587e562d
SSDEEP

24576:wyvFJYHe6avpE1V0lAF1wjUaH8GlTw8TQEQxFtW0LGyYX4:3vzBE1Vc0+18GFw8TQXNm

Score

10^/10

mystic redline taiga discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4780-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4780-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4780-23-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4780-25-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2064-29-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
236	zu0Iv90.exe
2432	VP3eS07.exe
2152	11nG9919.exe
4884	12KR852.exe
4788	13iG500.exe
4364	14rG797.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zu0Iv90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VP3eS07.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 4780	2152	11nG9919.exe	102
PID 4884 set thread context of 2064	4884	12KR852.exe	108
PID 4364 set thread context of 3240	4364	14rG797.exe	120

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	4780	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4788	13iG500.exe
4788	13iG500.exe
3240	AppLaunch.exe
3240	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 236	3856	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe	89
PID 3856 wrote to memory of 236	3856	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe	89
PID 3856 wrote to memory of 236	3856	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe	89
PID 236 wrote to memory of 2432	236	zu0Iv90.exe	91
PID 236 wrote to memory of 2432	236	zu0Iv90.exe	91
PID 236 wrote to memory of 2432	236	zu0Iv90.exe	91
PID 2432 wrote to memory of 2152	2432	VP3eS07.exe	92
PID 2432 wrote to memory of 2152	2432	VP3eS07.exe	92
PID 2432 wrote to memory of 2152	2432	VP3eS07.exe	92
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2152 wrote to memory of 4780	2152	11nG9919.exe	102
PID 2432 wrote to memory of 4884	2432	VP3eS07.exe	103
PID 2432 wrote to memory of 4884	2432	VP3eS07.exe	103
PID 2432 wrote to memory of 4884	2432	VP3eS07.exe	103
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 4884 wrote to memory of 2064	4884	12KR852.exe	108
PID 236 wrote to memory of 4788	236	zu0Iv90.exe	109
PID 236 wrote to memory of 4788	236	zu0Iv90.exe	109
PID 236 wrote to memory of 4788	236	zu0Iv90.exe	109
PID 3856 wrote to memory of 4364	3856	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe	117
PID 3856 wrote to memory of 4364	3856	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe	117
PID 3856 wrote to memory of 4364	3856	7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe	117
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120
PID 4364 wrote to memory of 3240	4364	14rG797.exe	120

C:\Users\Admin\AppData\Local\Temp\7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe
"C:\Users\Admin\AppData\Local\Temp\7f7c3f251f6c309d1ee48104c278683285eb20b06342fb10fd5de4d9aaf1092f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zu0Iv90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zu0Iv90.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VP3eS07.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VP3eS07.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11nG9919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11nG9919.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 196
        6⤵
        Program crash
        
        PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12KR852.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12KR852.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13iG500.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13iG500.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14rG797.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14rG797.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4780 -ip 4780
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14rG797.exe

Filesize
717KB

MD5
9a5d90b14bc1aff99ff01a2b4a5537ea

SHA1
7f7dd6a4fed0d0a7428abac253d0b8702a0e1f24

SHA256
2f949ae76d8e70bcca391fd65b56124c33ed1d874e8e9c3244bb760dad54dbd1

SHA512
2464eb5902872089922d9db1dd5ca89be0a531812119c681ef4e56d9733e93cfad21d3a90e47594734463c2da844982208b88e04e1579ed2e41e22f6b724143f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14rG797.exe

Filesize
717KB

MD5
9a5d90b14bc1aff99ff01a2b4a5537ea

SHA1
7f7dd6a4fed0d0a7428abac253d0b8702a0e1f24

SHA256
2f949ae76d8e70bcca391fd65b56124c33ed1d874e8e9c3244bb760dad54dbd1

SHA512
2464eb5902872089922d9db1dd5ca89be0a531812119c681ef4e56d9733e93cfad21d3a90e47594734463c2da844982208b88e04e1579ed2e41e22f6b724143f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zu0Iv90.exe

Filesize
788KB

MD5
46f48be8570004c19178170b3bd7852d

SHA1
fec425294c82c0f7cd44991bc2f56852c1425c5b

SHA256
61e47b5e0970f4725eddadbb8ade84f810fe1b726cad5344c649b1cf5901355a

SHA512
c4b430791240ec566888b9d8e943264480cf80a62d3a1eb5039d0d8559120bd771bdac6b8adee0f16d9a9d4208d52ca7c5e9b79e2cb7b4639936f931b327b726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zu0Iv90.exe

Filesize
788KB

MD5
46f48be8570004c19178170b3bd7852d

SHA1
fec425294c82c0f7cd44991bc2f56852c1425c5b

SHA256
61e47b5e0970f4725eddadbb8ade84f810fe1b726cad5344c649b1cf5901355a

SHA512
c4b430791240ec566888b9d8e943264480cf80a62d3a1eb5039d0d8559120bd771bdac6b8adee0f16d9a9d4208d52ca7c5e9b79e2cb7b4639936f931b327b726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13iG500.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13iG500.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VP3eS07.exe

Filesize
426KB

MD5
1cf4ec4d75ede8d5233fb69ba513088e

SHA1
1a4440629b2abdaee162f0a4fcfaca7508c880d9

SHA256
ef8ecbffdb0c56fba94e09a653c01222b0f5effe17f98e1fda206bf70abb16f9

SHA512
64ca85a58d6e054ad77144212ab131f8d38cb183510516db46e542340c39c24c078e9d72968e9ad3d49d5eed8db318547b706a02f52b3a577cb3fb21611fd1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VP3eS07.exe

Filesize
426KB

MD5
1cf4ec4d75ede8d5233fb69ba513088e

SHA1
1a4440629b2abdaee162f0a4fcfaca7508c880d9

SHA256
ef8ecbffdb0c56fba94e09a653c01222b0f5effe17f98e1fda206bf70abb16f9

SHA512
64ca85a58d6e054ad77144212ab131f8d38cb183510516db46e542340c39c24c078e9d72968e9ad3d49d5eed8db318547b706a02f52b3a577cb3fb21611fd1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11nG9919.exe

Filesize
369KB

MD5
641c4bc65740056e9d3295a39c5f97b5

SHA1
b1fd5a44100e8413d2c6f7b8a57532e219aa7f63

SHA256
38b999837f8a6d307fbda882aea0e372cdc380caf69782d4f507918c43191237

SHA512
818b4c0b0c2636c24e4245db5f9d7cddacc427be645bf146ac046fdfe2161ce2c11d2ba05b234b20f8cee315ecd20ac09a79d0e8c14e5074e32c6437eeec1f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11nG9919.exe

Filesize
369KB

MD5
641c4bc65740056e9d3295a39c5f97b5

SHA1
b1fd5a44100e8413d2c6f7b8a57532e219aa7f63

SHA256
38b999837f8a6d307fbda882aea0e372cdc380caf69782d4f507918c43191237

SHA512
818b4c0b0c2636c24e4245db5f9d7cddacc427be645bf146ac046fdfe2161ce2c11d2ba05b234b20f8cee315ecd20ac09a79d0e8c14e5074e32c6437eeec1f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12KR852.exe

Filesize
408KB

MD5
d42afd3ad9a795f39e42e18ade652ee5

SHA1
3d4ecac9413d562dc259d39916cbef5ff3425cd1

SHA256
e9496ed5e0ce957c630177d33485432b65f57524784f3ec1875aecd110f9761a

SHA512
0fb3262efd82bec9a7d65cdd5c853f9ba52d830b57f48be7d5db2884c647900cd4f90f1bd6f5f85dd0a7dab4ebcca8d6e30b00b5b849bfa54581faa3ac8ae752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12KR852.exe

Filesize
408KB

MD5
d42afd3ad9a795f39e42e18ade652ee5

SHA1
3d4ecac9413d562dc259d39916cbef5ff3425cd1

SHA256
e9496ed5e0ce957c630177d33485432b65f57524784f3ec1875aecd110f9761a

SHA512
0fb3262efd82bec9a7d65cdd5c853f9ba52d830b57f48be7d5db2884c647900cd4f90f1bd6f5f85dd0a7dab4ebcca8d6e30b00b5b849bfa54581faa3ac8ae752

Download Submit
memory/2064-42-0x00000000082C0000-0x000000000830C000-memory.dmp

Filesize
304KB

Download
memory/2064-41-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/2064-47-0x0000000007E70000-0x0000000007E80000-memory.dmp

Filesize
64KB

Download
memory/2064-33-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-34-0x0000000008390000-0x0000000008934000-memory.dmp

Filesize
5.6MB

Download
memory/2064-35-0x0000000007E80000-0x0000000007F12000-memory.dmp

Filesize
584KB

Download
memory/2064-36-0x0000000007E70000-0x0000000007E80000-memory.dmp

Filesize
64KB

Download
memory/2064-37-0x0000000007E60000-0x0000000007E6A000-memory.dmp

Filesize
40KB

Download
memory/2064-38-0x0000000008F60000-0x0000000009578000-memory.dmp

Filesize
6.1MB

Download
memory/2064-39-0x00000000081B0000-0x00000000082BA000-memory.dmp

Filesize
1.0MB

Download
memory/2064-40-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/2064-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-46-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3240-49-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3240-50-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3240-52-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4780-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download