mystic | 72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f

Analysis

max time kernel
129s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe
Size

1.2MB
MD5

7640209542642be02bd974dea72d0776
SHA1

e37eefba7fb5b74be592ac1c341bc5bdcb39e5e2
SHA256

72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f
SHA512

1ffedb2d2bff311f56ff327e93eb58a821c98538fb2704f785e103d93f944c01c9e302f4a4672844bbd31cba0123a990b0a8b6a3179373753ae84fedd957e966
SSDEEP

24576:Qy6sjYfYXOt6QPkzjljcLv1SrXQXHotyYw4g+qarjTKgAKG:X6saY+tQzj2hIthDbHjTtA

Score

10^/10

mystic redline taiga discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3352-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3352-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3352-25-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3352-27-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4592-29-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3924	Ax7Bz13.exe
1584	lT2An98.exe
3532	11tb9461.exe
3360	12Lc681.exe
116	13EC572.exe
2868	14mz497.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ax7Bz13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lT2An98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 3352	3532	11tb9461.exe	102
PID 3360 set thread context of 4592	3360	12Lc681.exe	109
PID 2868 set thread context of 2964	2868	14mz497.exe	120

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2868	3352	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
116	13EC572.exe
116	13EC572.exe
2964	AppLaunch.exe
2964	AppLaunch.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3924	4132	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe	86
PID 4132 wrote to memory of 3924	4132	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe	86
PID 4132 wrote to memory of 3924	4132	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe	86
PID 3924 wrote to memory of 1584	3924	Ax7Bz13.exe	88
PID 3924 wrote to memory of 1584	3924	Ax7Bz13.exe	88
PID 3924 wrote to memory of 1584	3924	Ax7Bz13.exe	88
PID 1584 wrote to memory of 3532	1584	lT2An98.exe	89
PID 1584 wrote to memory of 3532	1584	lT2An98.exe	89
PID 1584 wrote to memory of 3532	1584	lT2An98.exe	89
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 3532 wrote to memory of 3352	3532	11tb9461.exe	102
PID 1584 wrote to memory of 3360	1584	lT2An98.exe	103
PID 1584 wrote to memory of 3360	1584	lT2An98.exe	103
PID 1584 wrote to memory of 3360	1584	lT2An98.exe	103
PID 3360 wrote to memory of 4428	3360	12Lc681.exe	107
PID 3360 wrote to memory of 4428	3360	12Lc681.exe	107
PID 3360 wrote to memory of 4428	3360	12Lc681.exe	107
PID 3360 wrote to memory of 2592	3360	12Lc681.exe	108
PID 3360 wrote to memory of 2592	3360	12Lc681.exe	108
PID 3360 wrote to memory of 2592	3360	12Lc681.exe	108
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3360 wrote to memory of 4592	3360	12Lc681.exe	109
PID 3924 wrote to memory of 116	3924	Ax7Bz13.exe	110
PID 3924 wrote to memory of 116	3924	Ax7Bz13.exe	110
PID 3924 wrote to memory of 116	3924	Ax7Bz13.exe	110
PID 4132 wrote to memory of 2868	4132	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe	118
PID 4132 wrote to memory of 2868	4132	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe	118
PID 4132 wrote to memory of 2868	4132	72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe	118
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120
PID 2868 wrote to memory of 2964	2868	14mz497.exe	120

C:\Users\Admin\AppData\Local\Temp\72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe
"C:\Users\Admin\AppData\Local\Temp\72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7Bz13.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7Bz13.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lT2An98.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lT2An98.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11tb9461.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11tb9461.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 540
        6⤵
        Program crash
        
        PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Lc681.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Lc681.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4428
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13EC572.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13EC572.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14mz497.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14mz497.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3352 -ip 3352
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14mz497.exe

Filesize
717KB

MD5
82a9e11d65283faee9a133e60e38408d

SHA1
c461d5a0ba79b73fd8e48f818c6ee4f48831d296

SHA256
c928b1c12d5174917d1535dfd02042ceb0236391df1150835dada8b34570ffb6

SHA512
98c7b235cac2cadc1904c2545bdc8fa6271a4232d2f35d8f9dcc83712827f137abb35ceff15e941ae74289f777f6f876fb48778c357c3034e46e3bef7b079eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14mz497.exe

Filesize
717KB

MD5
82a9e11d65283faee9a133e60e38408d

SHA1
c461d5a0ba79b73fd8e48f818c6ee4f48831d296

SHA256
c928b1c12d5174917d1535dfd02042ceb0236391df1150835dada8b34570ffb6

SHA512
98c7b235cac2cadc1904c2545bdc8fa6271a4232d2f35d8f9dcc83712827f137abb35ceff15e941ae74289f777f6f876fb48778c357c3034e46e3bef7b079eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7Bz13.exe

Filesize
788KB

MD5
f286c63ae193269fe4096e5b63ac66eb

SHA1
f690c7f1d755c0394f38d7b52e52d30c0d777aab

SHA256
30fa2e5527428d7ed412c34c0d68ce330fe3bfef4d93b4cd42333077b03fbd34

SHA512
cd1c1b8bbdb82213fbc399d66c82abfb773725b74bb41c05fed6577d3f01e2c8f6f834de272c0f3f610564543f47e1c51af5ccbbf467b81b3995de8a57fbc71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7Bz13.exe

Filesize
788KB

MD5
f286c63ae193269fe4096e5b63ac66eb

SHA1
f690c7f1d755c0394f38d7b52e52d30c0d777aab

SHA256
30fa2e5527428d7ed412c34c0d68ce330fe3bfef4d93b4cd42333077b03fbd34

SHA512
cd1c1b8bbdb82213fbc399d66c82abfb773725b74bb41c05fed6577d3f01e2c8f6f834de272c0f3f610564543f47e1c51af5ccbbf467b81b3995de8a57fbc71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13EC572.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13EC572.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lT2An98.exe

Filesize
426KB

MD5
603b8ae14a94ed14bc9a1315bb86b70a

SHA1
12162c06436dec3e701f478f3f5b367e005a78e3

SHA256
d3eb5e47e148bb63ffa32afa7c6f38069b1a6fbaf20260e64ed7b27de3d6a7b3

SHA512
2396d0343d5559b8b759f4a88dde94b4e8d41615cc3f117eb6f71bf6c5630dff783911d57b421e0edb80c8ed466bd4f6493918a5c49e300d6328d5833b837794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lT2An98.exe

Filesize
426KB

MD5
603b8ae14a94ed14bc9a1315bb86b70a

SHA1
12162c06436dec3e701f478f3f5b367e005a78e3

SHA256
d3eb5e47e148bb63ffa32afa7c6f38069b1a6fbaf20260e64ed7b27de3d6a7b3

SHA512
2396d0343d5559b8b759f4a88dde94b4e8d41615cc3f117eb6f71bf6c5630dff783911d57b421e0edb80c8ed466bd4f6493918a5c49e300d6328d5833b837794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11tb9461.exe

Filesize
369KB

MD5
8e6321145e94770804efd0b7f0476c23

SHA1
fcce7837cb406ef7b29172604d88f89aef03684a

SHA256
0dda525a242b05cd308ac7534749c53a75600096cd6cb9658856020b003e573a

SHA512
93ecf4ad8d3b2f7c619dd3243e931c0de9ea07dc1b5ad08f53d88d5f471cf6d8c0087ded918f8d191c57910f386a307aecab985d8a45fdab6aa45a5a80a1c7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11tb9461.exe

Filesize
369KB

MD5
8e6321145e94770804efd0b7f0476c23

SHA1
fcce7837cb406ef7b29172604d88f89aef03684a

SHA256
0dda525a242b05cd308ac7534749c53a75600096cd6cb9658856020b003e573a

SHA512
93ecf4ad8d3b2f7c619dd3243e931c0de9ea07dc1b5ad08f53d88d5f471cf6d8c0087ded918f8d191c57910f386a307aecab985d8a45fdab6aa45a5a80a1c7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Lc681.exe

Filesize
408KB

MD5
9f0d45e8731c26f6b23b3d48f6f6c4a5

SHA1
4c4af3e08f306aac082cb679f352803b075f52a8

SHA256
d4ef70c8edfecbb6d528f3109f214f8222b6b680f2b4dc3cf13e61705d5dd04c

SHA512
d63e42296d6287cc1a29907cd5dea47b3789efe66942fcabb2c30a7888fc1e85fa44fef86185a8b537cecdda41857c14e84f65213ec5b8b1c7cca8e6972f8cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Lc681.exe

Filesize
408KB

MD5
9f0d45e8731c26f6b23b3d48f6f6c4a5

SHA1
4c4af3e08f306aac082cb679f352803b075f52a8

SHA256
d4ef70c8edfecbb6d528f3109f214f8222b6b680f2b4dc3cf13e61705d5dd04c

SHA512
d63e42296d6287cc1a29907cd5dea47b3789efe66942fcabb2c30a7888fc1e85fa44fef86185a8b537cecdda41857c14e84f65213ec5b8b1c7cca8e6972f8cf8

Download Submit
memory/2964-50-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2964-52-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2964-49-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2964-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3352-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-34-0x0000000007FC0000-0x0000000008564000-memory.dmp

Filesize
5.6MB

Download
memory/4592-39-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4592-40-0x0000000007D60000-0x0000000007D72000-memory.dmp

Filesize
72KB

Download
memory/4592-41-0x0000000007DC0000-0x0000000007DFC000-memory.dmp

Filesize
240KB

Download
memory/4592-42-0x0000000007F40000-0x0000000007F8C000-memory.dmp

Filesize
304KB

Download
memory/4592-38-0x0000000008B90000-0x00000000091A8000-memory.dmp

Filesize
6.1MB

Download
memory/4592-37-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/4592-46-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/4592-47-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/4592-36-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/4592-35-0x0000000007AB0000-0x0000000007B42000-memory.dmp

Filesize
584KB

Download
memory/4592-33-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/4592-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download