mystic | 300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789

Analysis

max time kernel
144s
max time network
156s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe
Size

1.3MB
MD5

2cb82e398715cecb177b9cfa3fb3af1f
SHA1

d7ed2113fbed166a4c7d02bbe93ef584b9e7ccf6
SHA256

300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789
SHA512

ad4b299d114ffb36ca761a6eb05217ecd2a268e83ecaf981af05adab9479238263d40c2770503c5cc7af02c0728b16182fcee9cec2da09197a4e80edfc1eaa8b
SSDEEP

24576:cyYrZ+9EooK9/m7gr9K3h5FVb3vBDR7Pz8567l+Bv:LYwz/eiIR5zb3FR7PflO

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4548-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4548-25-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4548-27-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4548-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4076-31-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2872	GX0gJ35.exe
4908	an6sW04.exe
3400	11it6557.exe
4584	12Tz841.exe
3416	13qo461.exe
3396	14jb946.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	GX0gJ35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	an6sW04.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3400 set thread context of 4548	3400	11it6557.exe	75
PID 4584 set thread context of 4076	4584	12Tz841.exe	80
PID 3416 set thread context of 4904	3416	13qo461.exe	83
PID 3396 set thread context of 804	3396	14jb946.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1212	4548	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4904	AppLaunch.exe
4904	AppLaunch.exe
804	AppLaunch.exe
804	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 2872	64	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe	71
PID 64 wrote to memory of 2872	64	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe	71
PID 64 wrote to memory of 2872	64	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe	71
PID 2872 wrote to memory of 4908	2872	GX0gJ35.exe	72
PID 2872 wrote to memory of 4908	2872	GX0gJ35.exe	72
PID 2872 wrote to memory of 4908	2872	GX0gJ35.exe	72
PID 4908 wrote to memory of 3400	4908	an6sW04.exe	73
PID 4908 wrote to memory of 3400	4908	an6sW04.exe	73
PID 4908 wrote to memory of 3400	4908	an6sW04.exe	73
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 3400 wrote to memory of 4548	3400	11it6557.exe	75
PID 4908 wrote to memory of 4584	4908	an6sW04.exe	76
PID 4908 wrote to memory of 4584	4908	an6sW04.exe	76
PID 4908 wrote to memory of 4584	4908	an6sW04.exe	76
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 4584 wrote to memory of 4076	4584	12Tz841.exe	80
PID 2872 wrote to memory of 3416	2872	GX0gJ35.exe	81
PID 2872 wrote to memory of 3416	2872	GX0gJ35.exe	81
PID 2872 wrote to memory of 3416	2872	GX0gJ35.exe	81
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 3416 wrote to memory of 4904	3416	13qo461.exe	83
PID 64 wrote to memory of 3396	64	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe	84
PID 64 wrote to memory of 3396	64	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe	84
PID 64 wrote to memory of 3396	64	300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe	84
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86
PID 3396 wrote to memory of 804	3396	14jb946.exe	86

C:\Users\Admin\AppData\Local\Temp\300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe
"C:\Users\Admin\AppData\Local\Temp\300f651e85e7dddd9830587778fabe058e01fc38fbfe8f2d42f9154d8fbb7789.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX0gJ35.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX0gJ35.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\an6sW04.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\an6sW04.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11it6557.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11it6557.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 568
        6⤵
        Program crash
        
        PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Tz841.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Tz841.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13qo461.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13qo461.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14jb946.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14jb946.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14jb946.exe

Filesize
717KB

MD5
0e1c8515e5bc365f685fa61eb4f5013b

SHA1
f98a7115f0afdc34afc853188952208da16e7520

SHA256
26e579ab004d5d234b1ce29aea30ddb87bba0d6d1e2f846854f414d77faeb2bd

SHA512
735f54561726b9dd1f3ba1fc8c27b28a21c2975a34ea1ef640bf968a6c9afb987160bddba47d27dd78a039c928325b897f4a79c7e81dc1c97f7dce84420bf7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14jb946.exe

Filesize
717KB

MD5
0e1c8515e5bc365f685fa61eb4f5013b

SHA1
f98a7115f0afdc34afc853188952208da16e7520

SHA256
26e579ab004d5d234b1ce29aea30ddb87bba0d6d1e2f846854f414d77faeb2bd

SHA512
735f54561726b9dd1f3ba1fc8c27b28a21c2975a34ea1ef640bf968a6c9afb987160bddba47d27dd78a039c928325b897f4a79c7e81dc1c97f7dce84420bf7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX0gJ35.exe

Filesize
887KB

MD5
34989fa8d5219452abf7688aacfb9711

SHA1
0e4687b06e331bddf215b2f0d978dc4bb3f87607

SHA256
6d100815536b398c42e6e20fb559a6e05987786ab6d084694869e62726e954ec

SHA512
3789e89cc6b2d25933b8305a9ca3a761a4bd7fa067a4333455ee11b4d5d8c96472bf2ab0cf15df73a5305339ce1889e17354ab53d43f557db941652909fb879c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX0gJ35.exe

Filesize
887KB

MD5
34989fa8d5219452abf7688aacfb9711

SHA1
0e4687b06e331bddf215b2f0d978dc4bb3f87607

SHA256
6d100815536b398c42e6e20fb559a6e05987786ab6d084694869e62726e954ec

SHA512
3789e89cc6b2d25933b8305a9ca3a761a4bd7fa067a4333455ee11b4d5d8c96472bf2ab0cf15df73a5305339ce1889e17354ab53d43f557db941652909fb879c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13qo461.exe

Filesize
717KB

MD5
f98153a1407a061d2ec2e21976456d08

SHA1
7c072826bb27dc238bed611c7f4c8929af25f1e5

SHA256
2d52ed3479cc0a51a87a44fd67f24527bd85f9f6a3d59f2389e788664ed846b6

SHA512
2d6a267ccc4e7cc03210f9204451c55d00d0c20458a13318efff2f7611c15977dcf84443853f506aac81824db125cd472b1264df76ba7925664728280774d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13qo461.exe

Filesize
717KB

MD5
f98153a1407a061d2ec2e21976456d08

SHA1
7c072826bb27dc238bed611c7f4c8929af25f1e5

SHA256
2d52ed3479cc0a51a87a44fd67f24527bd85f9f6a3d59f2389e788664ed846b6

SHA512
2d6a267ccc4e7cc03210f9204451c55d00d0c20458a13318efff2f7611c15977dcf84443853f506aac81824db125cd472b1264df76ba7925664728280774d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\an6sW04.exe

Filesize
426KB

MD5
51265eec1ac3f369cea330630a51741f

SHA1
0f8c4011c1ec01c382e6a2d43825e1a48964d3af

SHA256
9085845391c845d4a7bb7649139276809b0d39d41d48f86644d23b5a6dbb5c19

SHA512
59b8b3f95ca8f4533f8950e1c3f891ac35c412a814968457c1b2648cacf4bb9f5e405224e5a93529029b799a1cdbd800f56ebbeb8024d92374fc420f1bb65291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\an6sW04.exe

Filesize
426KB

MD5
51265eec1ac3f369cea330630a51741f

SHA1
0f8c4011c1ec01c382e6a2d43825e1a48964d3af

SHA256
9085845391c845d4a7bb7649139276809b0d39d41d48f86644d23b5a6dbb5c19

SHA512
59b8b3f95ca8f4533f8950e1c3f891ac35c412a814968457c1b2648cacf4bb9f5e405224e5a93529029b799a1cdbd800f56ebbeb8024d92374fc420f1bb65291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11it6557.exe

Filesize
369KB

MD5
7830c008ef776b10f84b0ee01d4aebac

SHA1
7f1ae5b428fecf20fd2e3fb71e8834d1accbacb5

SHA256
e932bb61fc5fade773cdce6b6d8e6d6e3bcd37252382193a8deba3ab4b879d25

SHA512
af777c6b855365608f7548a04bc8f6c64da26a037298ebf2c39696f71b41c7b7e6bf888d502144983062eb71b6a34e1206050ff2ae717ee9297b0926edf73bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11it6557.exe

Filesize
369KB

MD5
7830c008ef776b10f84b0ee01d4aebac

SHA1
7f1ae5b428fecf20fd2e3fb71e8834d1accbacb5

SHA256
e932bb61fc5fade773cdce6b6d8e6d6e3bcd37252382193a8deba3ab4b879d25

SHA512
af777c6b855365608f7548a04bc8f6c64da26a037298ebf2c39696f71b41c7b7e6bf888d502144983062eb71b6a34e1206050ff2ae717ee9297b0926edf73bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Tz841.exe

Filesize
408KB

MD5
ba1b4a70be958525d6db4b5feb6fc2e8

SHA1
358280e97ba020e5deee342b55f6886d05ce7616

SHA256
638b70cca614e505e8dd9b8c26285a76aae9f346602403cbffbb79c3c14fc1ec

SHA512
5be23a375336a40db3bb58f8c7fbd527a814a28cc8435bc5db0d4117d9a3dd8a8169702267c55232d95b68d32e5c3418c2d5cf156a9513ca76582b068ea8fe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Tz841.exe

Filesize
408KB

MD5
ba1b4a70be958525d6db4b5feb6fc2e8

SHA1
358280e97ba020e5deee342b55f6886d05ce7616

SHA256
638b70cca614e505e8dd9b8c26285a76aae9f346602403cbffbb79c3c14fc1ec

SHA512
5be23a375336a40db3bb58f8c7fbd527a814a28cc8435bc5db0d4117d9a3dd8a8169702267c55232d95b68d32e5c3418c2d5cf156a9513ca76582b068ea8fe08

Download Submit
memory/804-65-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/804-67-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/804-69-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/804-66-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4076-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-40-0x000000000B660000-0x000000000B6F2000-memory.dmp

Filesize
584KB

Download
memory/4076-41-0x000000000B620000-0x000000000B62A000-memory.dmp

Filesize
40KB

Download
memory/4076-42-0x000000000C590000-0x000000000CB96000-memory.dmp

Filesize
6.0MB

Download
memory/4076-43-0x000000000B960000-0x000000000BA6A000-memory.dmp

Filesize
1.0MB

Download
memory/4076-44-0x000000000B880000-0x000000000B892000-memory.dmp

Filesize
72KB

Download
memory/4076-45-0x000000000B8E0000-0x000000000B91E000-memory.dmp

Filesize
248KB

Download
memory/4076-46-0x000000000BF80000-0x000000000BFCB000-memory.dmp

Filesize
300KB

Download
memory/4076-39-0x000000000BA80000-0x000000000BF7E000-memory.dmp

Filesize
5.0MB

Download
memory/4076-38-0x0000000072E10000-0x00000000734FE000-memory.dmp

Filesize
6.9MB

Download
memory/4076-70-0x0000000072E10000-0x00000000734FE000-memory.dmp

Filesize
6.9MB

Download
memory/4548-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-55-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4904-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4904-54-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4904-51-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download