mystic | 48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d

Analysis

max time kernel
143s
max time network
154s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe
Size

881KB
MD5

98899f22a10c280312fe8d19237f6f18
SHA1

12e758b38967e2a89d3378645eb5a97d6f6bc84c
SHA256

48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d
SHA512

e3222dd3916bb1f6ace61ac886be0566babdc09b63604f2052b492554f602ec0268737c49cd3ab655094f0fde80824e12f93d20daf722a972967565dd53f94b9
SSDEEP

12288:RMrcy90U5MBk0fpdMlHOX7FVrNOnu0D6M1wsog2uLvEVktUbuMQrTy1ZvX2p:Ny5sfMlo7nEvB8ju5y1Z/A

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3720-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3720-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3720-19-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3720-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/412-24-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4300	ml8XG76.exe
3244	11cm6897.exe
3660	12lh741.exe
4136	13rw678.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ml8XG76.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3244 set thread context of 3720	3244	11cm6897.exe	73
PID 3660 set thread context of 412	3660	12lh741.exe	80
PID 4136 set thread context of 2688	4136	13rw678.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	3720	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	AppLaunch.exe
2688	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4300	3792	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe	70
PID 3792 wrote to memory of 4300	3792	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe	70
PID 3792 wrote to memory of 4300	3792	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe	70
PID 4300 wrote to memory of 3244	4300	ml8XG76.exe	71
PID 4300 wrote to memory of 3244	4300	ml8XG76.exe	71
PID 4300 wrote to memory of 3244	4300	ml8XG76.exe	71
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 3244 wrote to memory of 3720	3244	11cm6897.exe	73
PID 4300 wrote to memory of 3660	4300	ml8XG76.exe	74
PID 4300 wrote to memory of 3660	4300	ml8XG76.exe	74
PID 4300 wrote to memory of 3660	4300	ml8XG76.exe	74
PID 3660 wrote to memory of 3652	3660	12lh741.exe	78
PID 3660 wrote to memory of 3652	3660	12lh741.exe	78
PID 3660 wrote to memory of 3652	3660	12lh741.exe	78
PID 3660 wrote to memory of 4416	3660	12lh741.exe	79
PID 3660 wrote to memory of 4416	3660	12lh741.exe	79
PID 3660 wrote to memory of 4416	3660	12lh741.exe	79
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3660 wrote to memory of 412	3660	12lh741.exe	80
PID 3792 wrote to memory of 4136	3792	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe	81
PID 3792 wrote to memory of 4136	3792	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe	81
PID 3792 wrote to memory of 4136	3792	48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe	81
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83
PID 4136 wrote to memory of 2688	4136	13rw678.exe	83

C:\Users\Admin\AppData\Local\Temp\48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe
"C:\Users\Admin\AppData\Local\Temp\48922a35a5ba37dddca84adc818fd762daa91a670a478d00e09f6a738750595d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ml8XG76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ml8XG76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11cm6897.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11cm6897.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 568
        5⤵
        Program crash
        
        PID:1160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12lh741.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12lh741.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13rw678.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13rw678.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13rw678.exe

Filesize
717KB

MD5
1ea5d48a5684b0876b61037669abe7d4

SHA1
2b2e2d96f60ae789db83b408f5a04ee420f09bb5

SHA256
a16526ccd1f0a0d19513afe199fc2438c541f2255e2fa42c7bf36e61ed4f4fbd

SHA512
3a72ff72188f4f78772d26a6e47514dfeed4ec7a9ace05ebe49f524c48eb6e5ef614f8919ee60d009f050d4ec4d9143297e5cee034640a5d14ef8e80415d6dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13rw678.exe

Filesize
717KB

MD5
1ea5d48a5684b0876b61037669abe7d4

SHA1
2b2e2d96f60ae789db83b408f5a04ee420f09bb5

SHA256
a16526ccd1f0a0d19513afe199fc2438c541f2255e2fa42c7bf36e61ed4f4fbd

SHA512
3a72ff72188f4f78772d26a6e47514dfeed4ec7a9ace05ebe49f524c48eb6e5ef614f8919ee60d009f050d4ec4d9143297e5cee034640a5d14ef8e80415d6dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ml8XG76.exe

Filesize
420KB

MD5
fa1446c865998c2183ee65ac526ba514

SHA1
5d0d16520b8a89ecc11c7cbbb427d1aebb6152b9

SHA256
03f1a2bdf4b18e4336ec17b3eb1331f7ac4683bfa1b0caab27264a2c343c9da4

SHA512
fc28e5f5f7fc39326f0e65dc73cf0a7c70fb5ce4d3b1dafee100a9e1988b6c1231795b9036e5f7552f09778737d164a00255e2d3cc96e89ca16b4ba1f38791d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ml8XG76.exe

Filesize
420KB

MD5
fa1446c865998c2183ee65ac526ba514

SHA1
5d0d16520b8a89ecc11c7cbbb427d1aebb6152b9

SHA256
03f1a2bdf4b18e4336ec17b3eb1331f7ac4683bfa1b0caab27264a2c343c9da4

SHA512
fc28e5f5f7fc39326f0e65dc73cf0a7c70fb5ce4d3b1dafee100a9e1988b6c1231795b9036e5f7552f09778737d164a00255e2d3cc96e89ca16b4ba1f38791d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11cm6897.exe

Filesize
369KB

MD5
544da39a27c613699a61fde1c7bd1e0f

SHA1
b747e0fcd39a0d5e6de699ee17f9d3a016ec7eff

SHA256
1052267079ebcb32e964139bc1c0d21a74aa1675643bddaac057f320dc16f13e

SHA512
304fa8e61760590fe38ce2fc609845b2bb0637302002d34c219ddd27a039a76a2622ccec402d3998b529a2540895ab7b5abc3079c8a3f6246c6846e9a4989519

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11cm6897.exe

Filesize
369KB

MD5
544da39a27c613699a61fde1c7bd1e0f

SHA1
b747e0fcd39a0d5e6de699ee17f9d3a016ec7eff

SHA256
1052267079ebcb32e964139bc1c0d21a74aa1675643bddaac057f320dc16f13e

SHA512
304fa8e61760590fe38ce2fc609845b2bb0637302002d34c219ddd27a039a76a2622ccec402d3998b529a2540895ab7b5abc3079c8a3f6246c6846e9a4989519

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12lh741.exe

Filesize
408KB

MD5
d2c9cfa17058bc05a38c8f3aeda55ca4

SHA1
0187740b4181b9342d1d141f056333e9a52e86be

SHA256
bd9f22d640e90e1b81cd77cd0e256935e1ab1bb3fb625479ed14f1d3d1ff6ad9

SHA512
d198dcc4ba7a16624d364027e881df533959cf149a32d9c80a5c3b1e786dc0eac162cfe3ebf7b7a8ed452bc9a20cb1baf5e2ac9e4ce26f5f096059e2fae7ee31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12lh741.exe

Filesize
408KB

MD5
d2c9cfa17058bc05a38c8f3aeda55ca4

SHA1
0187740b4181b9342d1d141f056333e9a52e86be

SHA256
bd9f22d640e90e1b81cd77cd0e256935e1ab1bb3fb625479ed14f1d3d1ff6ad9

SHA512
d198dcc4ba7a16624d364027e881df533959cf149a32d9c80a5c3b1e786dc0eac162cfe3ebf7b7a8ed452bc9a20cb1baf5e2ac9e4ce26f5f096059e2fae7ee31

Download Submit
memory/412-37-0x000000000B580000-0x000000000B592000-memory.dmp

Filesize
72KB

Download
memory/412-55-0x0000000072A20000-0x000000007310E000-memory.dmp

Filesize
6.9MB

Download
memory/412-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-39-0x000000000B5E0000-0x000000000B62B000-memory.dmp

Filesize
300KB

Download
memory/412-38-0x000000000B5A0000-0x000000000B5DE000-memory.dmp

Filesize
248KB

Download
memory/412-31-0x0000000072A20000-0x000000007310E000-memory.dmp

Filesize
6.9MB

Download
memory/412-32-0x000000000B750000-0x000000000BC4E000-memory.dmp

Filesize
5.0MB

Download
memory/412-33-0x000000000B300000-0x000000000B392000-memory.dmp

Filesize
584KB

Download
memory/412-34-0x000000000B470000-0x000000000B47A000-memory.dmp

Filesize
40KB

Download
memory/412-35-0x000000000C260000-0x000000000C866000-memory.dmp

Filesize
6.0MB

Download
memory/412-36-0x000000000BC50000-0x000000000BD5A000-memory.dmp

Filesize
1.0MB

Download
memory/2688-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2688-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2688-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2688-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3720-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download