mystic | 4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c

Analysis

max time kernel
142s
max time network
150s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe
Size

1.3MB
MD5

3dabb4266fd89f7c51473310c3a6b41f
SHA1

37f50b0b8b9d6829bf7853839209be865c61f53b
SHA256

4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c
SHA512

d4b81fefd2b373e214958c174107946502838807c738b330ee96babfae20afdce568cc9a8d6afcbbdb024f0275c5e3759f51a6d4920152ba9a7af50d4e1386e2
SSDEEP

24576:pyXesjrCSifZQZk9qwKFjLebjD+zLZ0MIsjh7aYeD3NZNgjOXCtjl:cXRreOUq9jqul0MIsjhW3NgWK

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4084-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4084-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4084-25-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4084-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5116-31-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
5084	AW3Ke41.exe
488	jf9IN31.exe
1100	11kw2652.exe
4664	12dP496.exe
4992	13Cj907.exe
2656	14WJ506.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AW3Ke41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jf9IN31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 4084	1100	11kw2652.exe	75
PID 4664 set thread context of 5116	4664	12dP496.exe	81
PID 4992 set thread context of 4040	4992	13Cj907.exe	84
PID 2656 set thread context of 4524	2656	14WJ506.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1228	4084	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4040	AppLaunch.exe
4040	AppLaunch.exe
4524	AppLaunch.exe
4524	AppLaunch.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 5084	520	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe	71
PID 520 wrote to memory of 5084	520	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe	71
PID 520 wrote to memory of 5084	520	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe	71
PID 5084 wrote to memory of 488	5084	AW3Ke41.exe	72
PID 5084 wrote to memory of 488	5084	AW3Ke41.exe	72
PID 5084 wrote to memory of 488	5084	AW3Ke41.exe	72
PID 488 wrote to memory of 1100	488	jf9IN31.exe	73
PID 488 wrote to memory of 1100	488	jf9IN31.exe	73
PID 488 wrote to memory of 1100	488	jf9IN31.exe	73
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 1100 wrote to memory of 4084	1100	11kw2652.exe	75
PID 488 wrote to memory of 4664	488	jf9IN31.exe	76
PID 488 wrote to memory of 4664	488	jf9IN31.exe	76
PID 488 wrote to memory of 4664	488	jf9IN31.exe	76
PID 4664 wrote to memory of 1352	4664	12dP496.exe	80
PID 4664 wrote to memory of 1352	4664	12dP496.exe	80
PID 4664 wrote to memory of 1352	4664	12dP496.exe	80
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 4664 wrote to memory of 5116	4664	12dP496.exe	81
PID 5084 wrote to memory of 4992	5084	AW3Ke41.exe	82
PID 5084 wrote to memory of 4992	5084	AW3Ke41.exe	82
PID 5084 wrote to memory of 4992	5084	AW3Ke41.exe	82
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 4992 wrote to memory of 4040	4992	13Cj907.exe	84
PID 520 wrote to memory of 2656	520	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe	85
PID 520 wrote to memory of 2656	520	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe	85
PID 520 wrote to memory of 2656	520	4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe	85
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87
PID 2656 wrote to memory of 4524	2656	14WJ506.exe	87

C:\Users\Admin\AppData\Local\Temp\4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe
"C:\Users\Admin\AppData\Local\Temp\4924c0344f15212afda72b1177efaab11c010cc568b92d09ba5735e81ffbff5c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AW3Ke41.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AW3Ke41.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jf9IN31.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jf9IN31.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11kw2652.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11kw2652.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 568
        6⤵
        Program crash
        
        PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12dP496.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12dP496.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1352
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:5116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Cj907.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Cj907.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14WJ506.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14WJ506.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14WJ506.exe

Filesize
717KB

MD5
0bb580fa7e8090761f392fd92ec3e0ba

SHA1
88ea7588be856a54e4a1bb1ac9ae0ace4544def3

SHA256
4e1a363da24eb3d2dc51a054d2f40b2acd23c35072ec9c58dd6ca3f89b978ee8

SHA512
6157414a51694af283f03621a28f3d2b6dc72179116fab97cdceb5e699a1bd6af607afd69a517766424c87ae7d1a941705e98164270c6300d19990862a751aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14WJ506.exe

Filesize
717KB

MD5
0bb580fa7e8090761f392fd92ec3e0ba

SHA1
88ea7588be856a54e4a1bb1ac9ae0ace4544def3

SHA256
4e1a363da24eb3d2dc51a054d2f40b2acd23c35072ec9c58dd6ca3f89b978ee8

SHA512
6157414a51694af283f03621a28f3d2b6dc72179116fab97cdceb5e699a1bd6af607afd69a517766424c87ae7d1a941705e98164270c6300d19990862a751aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AW3Ke41.exe

Filesize
888KB

MD5
f8590c09e75a4d0ed70ce816f99de622

SHA1
0135ccc0f6fa22becaad1f50349a9ac1c740f915

SHA256
ff3aeda95da183ef35fe52e88572ada2c76454cd94df6ee5fe20ea179a65fc9d

SHA512
75e713baf89e99ba887729e3bef7dd4cee347acbeeeb0d58d43ca2ff74474d76774fcd5f45217559ff58d1f455204755c08974e5ac42a5dae111c24b6865ce21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AW3Ke41.exe

Filesize
888KB

MD5
f8590c09e75a4d0ed70ce816f99de622

SHA1
0135ccc0f6fa22becaad1f50349a9ac1c740f915

SHA256
ff3aeda95da183ef35fe52e88572ada2c76454cd94df6ee5fe20ea179a65fc9d

SHA512
75e713baf89e99ba887729e3bef7dd4cee347acbeeeb0d58d43ca2ff74474d76774fcd5f45217559ff58d1f455204755c08974e5ac42a5dae111c24b6865ce21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Cj907.exe

Filesize
717KB

MD5
8ca19cdf32f8f3a73566a3d59daf0c00

SHA1
d5e7748b0daa9ef590937ab044ecb1a759336ef7

SHA256
5dcbff8ce0637e06a93053de518edb5fac9dbf9333750f3efba11ebe50e6f5eb

SHA512
c80a2419370a71d9f2d85c5fdf70720ccd5446e9228aeb71b6a4f832d2a4046062ecf43493724222c507834e58f84394bba240904526321484fa7c351780ef10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Cj907.exe

Filesize
717KB

MD5
8ca19cdf32f8f3a73566a3d59daf0c00

SHA1
d5e7748b0daa9ef590937ab044ecb1a759336ef7

SHA256
5dcbff8ce0637e06a93053de518edb5fac9dbf9333750f3efba11ebe50e6f5eb

SHA512
c80a2419370a71d9f2d85c5fdf70720ccd5446e9228aeb71b6a4f832d2a4046062ecf43493724222c507834e58f84394bba240904526321484fa7c351780ef10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13Cj907.exe

Filesize
717KB

MD5
8ca19cdf32f8f3a73566a3d59daf0c00

SHA1
d5e7748b0daa9ef590937ab044ecb1a759336ef7

SHA256
5dcbff8ce0637e06a93053de518edb5fac9dbf9333750f3efba11ebe50e6f5eb

SHA512
c80a2419370a71d9f2d85c5fdf70720ccd5446e9228aeb71b6a4f832d2a4046062ecf43493724222c507834e58f84394bba240904526321484fa7c351780ef10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jf9IN31.exe

Filesize
426KB

MD5
7d7c73ae37d966a4aeea6be9ee78a38c

SHA1
a7ef5df88016d37cb7b6acf052c2b6c1f0ea9b18

SHA256
1479e7c0114779cb638ffc2444d3bd686cc0c0b2e22ace28a8e1ceebe95c2566

SHA512
e9c52a2f8b9c60b6b60aff295f4e5f12b3889f11d4159bf397bba984f0b86828917bd0a118c81fea78c11b1c1fe2e60e1a317031595d4d022ccf6e60e79ae878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jf9IN31.exe

Filesize
426KB

MD5
7d7c73ae37d966a4aeea6be9ee78a38c

SHA1
a7ef5df88016d37cb7b6acf052c2b6c1f0ea9b18

SHA256
1479e7c0114779cb638ffc2444d3bd686cc0c0b2e22ace28a8e1ceebe95c2566

SHA512
e9c52a2f8b9c60b6b60aff295f4e5f12b3889f11d4159bf397bba984f0b86828917bd0a118c81fea78c11b1c1fe2e60e1a317031595d4d022ccf6e60e79ae878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11kw2652.exe

Filesize
369KB

MD5
d3e8786b5ff672de3f5986562b26c869

SHA1
a99cf7dc4701e0f49fd74103eb8a9052053302f3

SHA256
f126be9b13ca892b217c70ed04cdcf18fe76da72c834f008415dcf2872a7ec20

SHA512
9e0db88b3c534814f8d78aa1a4ec3a8b449e7d15381feb42f33b91552a096c8ae193e78a52ffc6493ec710b3078e2230270df5cefaa4e60f82103cfabb82800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11kw2652.exe

Filesize
369KB

MD5
d3e8786b5ff672de3f5986562b26c869

SHA1
a99cf7dc4701e0f49fd74103eb8a9052053302f3

SHA256
f126be9b13ca892b217c70ed04cdcf18fe76da72c834f008415dcf2872a7ec20

SHA512
9e0db88b3c534814f8d78aa1a4ec3a8b449e7d15381feb42f33b91552a096c8ae193e78a52ffc6493ec710b3078e2230270df5cefaa4e60f82103cfabb82800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12dP496.exe

Filesize
408KB

MD5
ef385a8e07374b3fc45fa70bf9457928

SHA1
522622a237ce572f33b64511d437190e500de86d

SHA256
d6a014ba2d1c86167742aa6c15f6edf1d7eb9658f932dbc75c2cb9bcdda40df0

SHA512
a8d829ea883cc72e0a4f80802cc88acb30f6a60c43aebbb50df8bfce5f0de58c466bd5d75154fe92a1699ff8ff3bd7f32600e4ea258a470fa4ac5a7b9c97907d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12dP496.exe

Filesize
408KB

MD5
ef385a8e07374b3fc45fa70bf9457928

SHA1
522622a237ce572f33b64511d437190e500de86d

SHA256
d6a014ba2d1c86167742aa6c15f6edf1d7eb9658f932dbc75c2cb9bcdda40df0

SHA512
a8d829ea883cc72e0a4f80802cc88acb30f6a60c43aebbb50df8bfce5f0de58c466bd5d75154fe92a1699ff8ff3bd7f32600e4ea258a470fa4ac5a7b9c97907d

Download Submit
memory/4040-54-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4040-51-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4040-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4040-56-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4084-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-69-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4524-67-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4524-66-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4524-65-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/5116-41-0x00000000094D0000-0x00000000094DA000-memory.dmp

Filesize
40KB

Download
memory/5116-46-0x000000000BB50000-0x000000000BB9B000-memory.dmp

Filesize
300KB

Download
memory/5116-45-0x000000000BB10000-0x000000000BB4E000-memory.dmp

Filesize
248KB

Download
memory/5116-44-0x000000000BAB0000-0x000000000BAC2000-memory.dmp

Filesize
72KB

Download
memory/5116-43-0x000000000BBD0000-0x000000000BCDA000-memory.dmp

Filesize
1.0MB

Download
memory/5116-42-0x000000000C890000-0x000000000CE96000-memory.dmp

Filesize
6.0MB

Download
memory/5116-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-40-0x000000000B880000-0x000000000B912000-memory.dmp

Filesize
584KB

Download
memory/5116-39-0x000000000BD80000-0x000000000C27E000-memory.dmp

Filesize
5.0MB

Download
memory/5116-38-0x0000000072A30000-0x000000007311E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-70-0x0000000072A30000-0x000000007311E000-memory.dmp

Filesize
6.9MB

Download