mystic | c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840

Analysis

max time kernel
143s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe
Size

1.2MB
MD5

d5955bc329e947f2693e64929dcb8d80
SHA1

3cce5cfe424f46443155164b54b4d8c78e04f6ca
SHA256

c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840
SHA512

f0b39857c62268e4645c925521ef6025c857a4a1bfc17f894b0e4c8702fbd88ecaaaefc2a7e71c4a2a46bc2e281da27073055c4106b0769d27bfe2b5055b3c71
SSDEEP

24576:iyxZbeQt2LUo0pWqnUJ6zlrnFpsXNfYbirc:JPeZd0XnYUrn7G

Score

10^/10

mystic redline taiga discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4496-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4496-26-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4496-27-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4496-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1392-31-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4396	mE3YM86.exe
220	wY3su08.exe
4136	11pC5094.exe
1268	12Ki887.exe
5092	13BO042.exe
5080	14aE815.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wY3su08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mE3YM86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4136 set thread context of 4496	4136	11pC5094.exe	78
PID 1268 set thread context of 1392	1268	12Ki887.exe	83
PID 5080 set thread context of 1196	5080	14aE815.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
68	4496	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5092	13BO042.exe
5092	13BO042.exe
1196	AppLaunch.exe
1196	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 4396	1308	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe	71
PID 1308 wrote to memory of 4396	1308	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe	71
PID 1308 wrote to memory of 4396	1308	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe	71
PID 4396 wrote to memory of 220	4396	mE3YM86.exe	72
PID 4396 wrote to memory of 220	4396	mE3YM86.exe	72
PID 4396 wrote to memory of 220	4396	mE3YM86.exe	72
PID 220 wrote to memory of 4136	220	wY3su08.exe	73
PID 220 wrote to memory of 4136	220	wY3su08.exe	73
PID 220 wrote to memory of 4136	220	wY3su08.exe	73
PID 4136 wrote to memory of 432	4136	11pC5094.exe	75
PID 4136 wrote to memory of 432	4136	11pC5094.exe	75
PID 4136 wrote to memory of 432	4136	11pC5094.exe	75
PID 4136 wrote to memory of 364	4136	11pC5094.exe	76
PID 4136 wrote to memory of 364	4136	11pC5094.exe	76
PID 4136 wrote to memory of 364	4136	11pC5094.exe	76
PID 4136 wrote to memory of 1040	4136	11pC5094.exe	77
PID 4136 wrote to memory of 1040	4136	11pC5094.exe	77
PID 4136 wrote to memory of 1040	4136	11pC5094.exe	77
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 4136 wrote to memory of 4496	4136	11pC5094.exe	78
PID 220 wrote to memory of 1268	220	wY3su08.exe	79
PID 220 wrote to memory of 1268	220	wY3su08.exe	79
PID 220 wrote to memory of 1268	220	wY3su08.exe	79
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 1268 wrote to memory of 1392	1268	12Ki887.exe	83
PID 4396 wrote to memory of 5092	4396	mE3YM86.exe	84
PID 4396 wrote to memory of 5092	4396	mE3YM86.exe	84
PID 4396 wrote to memory of 5092	4396	mE3YM86.exe	84
PID 1308 wrote to memory of 5080	1308	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe	85
PID 1308 wrote to memory of 5080	1308	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe	85
PID 1308 wrote to memory of 5080	1308	c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe	85
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87
PID 5080 wrote to memory of 1196	5080	14aE815.exe	87

C:\Users\Admin\AppData\Local\Temp\c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe
"C:\Users\Admin\AppData\Local\Temp\c4112ebe1f8d2b3167172d3fc7c5a18a2253e22052376e32c00f20d04d677840.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mE3YM86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mE3YM86.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wY3su08.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wY3su08.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11pC5094.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11pC5094.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:432
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:364
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 568
        6⤵
        Program crash
        
        PID:68
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ki887.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ki887.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13BO042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13BO042.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14aE815.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14aE815.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14aE815.exe

Filesize
717KB

MD5
fd314708a16adbdffb0a7c20edf75ae4

SHA1
359ffa58b05bec8d01a108ad6c14e5190030f535

SHA256
1353f8821c3352039bc34a9c0e4c696fcb8f3ae2ed72b4cf2863862a5c20b00f

SHA512
72910da56b092c43df7ec47b84a2a59eefdf977dfbd45d40d4eb8a07f0ec0f8d6d1212419b3cef52e87a1dbb84d6dff942ef4f1c1721089b637359c2b287ad12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14aE815.exe

Filesize
717KB

MD5
fd314708a16adbdffb0a7c20edf75ae4

SHA1
359ffa58b05bec8d01a108ad6c14e5190030f535

SHA256
1353f8821c3352039bc34a9c0e4c696fcb8f3ae2ed72b4cf2863862a5c20b00f

SHA512
72910da56b092c43df7ec47b84a2a59eefdf977dfbd45d40d4eb8a07f0ec0f8d6d1212419b3cef52e87a1dbb84d6dff942ef4f1c1721089b637359c2b287ad12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mE3YM86.exe

Filesize
782KB

MD5
d5b5215134147847a05610ab2aea02d4

SHA1
ccdfb4f8d0324242a934eb6d210bcbdcac5eb433

SHA256
20f06bd431331ca8063f42026ada1b4958b2364816f80b3a51fb1bb261f0c13e

SHA512
1d83a525b97d217ce861af3df42b9c3b79b53eba0671db68dd8b74eb415fcba1a5606688e8cc1cceb1aa791bf333c22161d14ff39e357b890cff4a97002a174b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mE3YM86.exe

Filesize
782KB

MD5
d5b5215134147847a05610ab2aea02d4

SHA1
ccdfb4f8d0324242a934eb6d210bcbdcac5eb433

SHA256
20f06bd431331ca8063f42026ada1b4958b2364816f80b3a51fb1bb261f0c13e

SHA512
1d83a525b97d217ce861af3df42b9c3b79b53eba0671db68dd8b74eb415fcba1a5606688e8cc1cceb1aa791bf333c22161d14ff39e357b890cff4a97002a174b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13BO042.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13BO042.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wY3su08.exe

Filesize
420KB

MD5
8b5e5d8b06a7d41ccdc487995a2d428f

SHA1
9bdeff526de0d0d47903760d4b658716891c7f50

SHA256
1c2da11ddb1e8666b2c900681d96405f700ff62a5502d3213c659f21ba334432

SHA512
4fbc3cf6baaeae5c8aa04b826142d49a40e6e888f2abe4ed7401538ea22a0f176db1ef6409958e27998f9bb512f29700b2f836a00d7f8e8410323cba3b4ac842

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wY3su08.exe

Filesize
420KB

MD5
8b5e5d8b06a7d41ccdc487995a2d428f

SHA1
9bdeff526de0d0d47903760d4b658716891c7f50

SHA256
1c2da11ddb1e8666b2c900681d96405f700ff62a5502d3213c659f21ba334432

SHA512
4fbc3cf6baaeae5c8aa04b826142d49a40e6e888f2abe4ed7401538ea22a0f176db1ef6409958e27998f9bb512f29700b2f836a00d7f8e8410323cba3b4ac842

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11pC5094.exe

Filesize
369KB

MD5
2cf0a1048cf320896c935fcfa90767ae

SHA1
6503e08ea91042fa96a02725c2eefa4d7ea3fd11

SHA256
af10deff12c4917bc56a31557df7408ec3df99b154d8e31a72f07d40337e31a8

SHA512
ed31b1e6de5a4dc68f3de03421a5a5959894adecc610dc1e9193c8ecc4fc4902ac6f3cdcf35af6e882995e3b576e136c7addce0d69ba8e406eb184c8a90d825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11pC5094.exe

Filesize
369KB

MD5
2cf0a1048cf320896c935fcfa90767ae

SHA1
6503e08ea91042fa96a02725c2eefa4d7ea3fd11

SHA256
af10deff12c4917bc56a31557df7408ec3df99b154d8e31a72f07d40337e31a8

SHA512
ed31b1e6de5a4dc68f3de03421a5a5959894adecc610dc1e9193c8ecc4fc4902ac6f3cdcf35af6e882995e3b576e136c7addce0d69ba8e406eb184c8a90d825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ki887.exe

Filesize
408KB

MD5
67a38fd5b4d5a5414a3b4a2972dbbe25

SHA1
851fbb33b8d989a13366589f478c752add70a81f

SHA256
8c0598aad6eceae42d5c399f8fbf42d999e358678ba75697def0ae0fea0a137e

SHA512
843cc2e07b4390d408b053e49957e4e59b1851d52f7c4af8c9b2717c39f615688fb93152ed4fc0efd0709c978d68ea9e6c0d504e5dbdc06aeb71edf99654c481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ki887.exe

Filesize
408KB

MD5
67a38fd5b4d5a5414a3b4a2972dbbe25

SHA1
851fbb33b8d989a13366589f478c752add70a81f

SHA256
8c0598aad6eceae42d5c399f8fbf42d999e358678ba75697def0ae0fea0a137e

SHA512
843cc2e07b4390d408b053e49957e4e59b1851d52f7c4af8c9b2717c39f615688fb93152ed4fc0efd0709c978d68ea9e6c0d504e5dbdc06aeb71edf99654c481

Download Submit
memory/1196-65-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1196-63-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1196-62-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1196-61-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1392-44-0x000000000B500000-0x000000000B512000-memory.dmp

Filesize
72KB

Download
memory/1392-46-0x000000000B6E0000-0x000000000B72B000-memory.dmp

Filesize
300KB

Download
memory/1392-41-0x000000000B2B0000-0x000000000B2BA000-memory.dmp

Filesize
40KB

Download
memory/1392-42-0x000000000C240000-0x000000000C846000-memory.dmp

Filesize
6.0MB

Download
memory/1392-43-0x000000000B5D0000-0x000000000B6DA000-memory.dmp

Filesize
1.0MB

Download
memory/1392-39-0x000000000B730000-0x000000000BC2E000-memory.dmp

Filesize
5.0MB

Download
memory/1392-45-0x000000000B560000-0x000000000B59E000-memory.dmp

Filesize
248KB

Download
memory/1392-40-0x000000000B2D0000-0x000000000B362000-memory.dmp

Filesize
584KB

Download
memory/1392-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1392-38-0x0000000072DF0000-0x00000000734DE000-memory.dmp

Filesize
6.9MB

Download
memory/1392-60-0x0000000072DF0000-0x00000000734DE000-memory.dmp

Filesize
6.9MB

Download
memory/4496-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download