mystic | 02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe
Size

891KB
MD5

a4643a016d6924cdce59ad62e2149b91
SHA1

fb569ce3db9811f42cfc97bf1489c262c5aabda5
SHA256

02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee
SHA512

f6751610b4bb90b9eb816b29e9d5b117de1ef2b78559d32f7dffe1e13529b2ac42d155a75fe5969ad2be0b44c2f83e96a8622898b468f218990a64470e4284a1
SSDEEP

24576:8yl3ZmRr10SPdyacBuHmyfG9fMhUlgQE:rvs6SFyacCGCK

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2992-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2992-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2992-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2992-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3584-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2108	KS4yz25.exe
3620	11br6553.exe
1892	12xB089.exe
668	13II032.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KS4yz25.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 2992	3620	11br6553.exe	102
PID 1892 set thread context of 3584	1892	12xB089.exe	107
PID 668 set thread context of 4348	668	13II032.exe	118

Program crash 1 IoCs

pid	pid_target	Process	procid_target
556	2992	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4348	AppLaunch.exe
4348	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 2108	3828	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe	87
PID 3828 wrote to memory of 2108	3828	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe	87
PID 3828 wrote to memory of 2108	3828	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe	87
PID 2108 wrote to memory of 3620	2108	KS4yz25.exe	89
PID 2108 wrote to memory of 3620	2108	KS4yz25.exe	89
PID 2108 wrote to memory of 3620	2108	KS4yz25.exe	89
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 3620 wrote to memory of 2992	3620	11br6553.exe	102
PID 2108 wrote to memory of 1892	2108	KS4yz25.exe	103
PID 2108 wrote to memory of 1892	2108	KS4yz25.exe	103
PID 2108 wrote to memory of 1892	2108	KS4yz25.exe	103
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 1892 wrote to memory of 3584	1892	12xB089.exe	107
PID 3828 wrote to memory of 668	3828	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe	108
PID 3828 wrote to memory of 668	3828	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe	108
PID 3828 wrote to memory of 668	3828	02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe	108
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118
PID 668 wrote to memory of 4348	668	13II032.exe	118

C:\Users\Admin\AppData\Local\Temp\02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe
"C:\Users\Admin\AppData\Local\Temp\02b9093c16847b5c5928b641cfacb073a2139801590bde64fc945c56abfabaee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KS4yz25.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KS4yz25.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11br6553.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11br6553.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 540
        5⤵
        Program crash
        
        PID:556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xB089.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xB089.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13II032.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13II032.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2992 -ip 2992
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13II032.exe

Filesize
724KB

MD5
e79176b5359a7d0dcdae89161bed5a98

SHA1
790911c5ab27305adae90af6ea96d26242dbd09a

SHA256
0fded9b6058b4866f5ac28876cfe8bdf6735111f0114b81c39a719626829f4ab

SHA512
e26e6d448045ab85ee3353934af8f85e75f6fa9c08f332f13c74aaaef7f021cedcec34cd28a0a61ad36ec6a01f6c80e15baba736f085a5484cdc3f8f44742597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13II032.exe

Filesize
724KB

MD5
e79176b5359a7d0dcdae89161bed5a98

SHA1
790911c5ab27305adae90af6ea96d26242dbd09a

SHA256
0fded9b6058b4866f5ac28876cfe8bdf6735111f0114b81c39a719626829f4ab

SHA512
e26e6d448045ab85ee3353934af8f85e75f6fa9c08f332f13c74aaaef7f021cedcec34cd28a0a61ad36ec6a01f6c80e15baba736f085a5484cdc3f8f44742597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KS4yz25.exe

Filesize
428KB

MD5
d30cfef42fc5ba11fb1ee38be9419a38

SHA1
94fb5eadfa04234b6d2be86fcc618abfa55d7c64

SHA256
438deeb57951c08de1ac38d50667e90ee7bc1885f280933e146341a895918a1d

SHA512
6a9c5980641b85efa84a941fd8a23fed38634fa9ae29cde707cba344d5e64bde96b3a2ceb26767461ca1a7b02b5b65d4077a6ecd3212db96e54b8a6e879ba9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KS4yz25.exe

Filesize
428KB

MD5
d30cfef42fc5ba11fb1ee38be9419a38

SHA1
94fb5eadfa04234b6d2be86fcc618abfa55d7c64

SHA256
438deeb57951c08de1ac38d50667e90ee7bc1885f280933e146341a895918a1d

SHA512
6a9c5980641b85efa84a941fd8a23fed38634fa9ae29cde707cba344d5e64bde96b3a2ceb26767461ca1a7b02b5b65d4077a6ecd3212db96e54b8a6e879ba9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11br6553.exe

Filesize
376KB

MD5
9e70e31b7c3325c2fb998caae803d7f1

SHA1
fb9ca45c7c7fe97b3827665d3ed54f5f121b7d1a

SHA256
7c06763c1bdf44245cf5d6326ca1c4722a007e26004db9fb4a6e836051653a87

SHA512
e4c1df712c88b744cf15d94b719f000fbda1ff887a7532e5d38a3064f6d252040d8f4fc3764ae6a30f17bef48216b90ac45b7500c51b0f7498a659a7ec340ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11br6553.exe

Filesize
376KB

MD5
9e70e31b7c3325c2fb998caae803d7f1

SHA1
fb9ca45c7c7fe97b3827665d3ed54f5f121b7d1a

SHA256
7c06763c1bdf44245cf5d6326ca1c4722a007e26004db9fb4a6e836051653a87

SHA512
e4c1df712c88b744cf15d94b719f000fbda1ff887a7532e5d38a3064f6d252040d8f4fc3764ae6a30f17bef48216b90ac45b7500c51b0f7498a659a7ec340ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xB089.exe

Filesize
415KB

MD5
9aa8fbad5aae60501d8133f03b03c41c

SHA1
d93b4a1348c7a818f772bf174c74982142e5301e

SHA256
2b4600cd703c8850d7ee26783ab64013b92d34012d4ca887763c557c523f4871

SHA512
5b6a1a2c64e89cc77af2145b015ea6b18954687a0a486acceab8c71fa7e9f50d855880192d351d2db67fe8908db2e06ce14dd6137551ab05a8952f1e3c03521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xB089.exe

Filesize
415KB

MD5
9aa8fbad5aae60501d8133f03b03c41c

SHA1
d93b4a1348c7a818f772bf174c74982142e5301e

SHA256
2b4600cd703c8850d7ee26783ab64013b92d34012d4ca887763c557c523f4871

SHA512
5b6a1a2c64e89cc77af2145b015ea6b18954687a0a486acceab8c71fa7e9f50d855880192d351d2db67fe8908db2e06ce14dd6137551ab05a8952f1e3c03521b

Download Submit
memory/2992-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-27-0x0000000007860000-0x0000000007E04000-memory.dmp

Filesize
5.6MB

Download
memory/3584-34-0x00000000076A0000-0x00000000076DC000-memory.dmp

Filesize
240KB

Download
memory/3584-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3584-28-0x0000000007360000-0x00000000073F2000-memory.dmp

Filesize
584KB

Download
memory/3584-29-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/3584-30-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/3584-31-0x0000000008430000-0x0000000008A48000-memory.dmp

Filesize
6.1MB

Download
memory/3584-32-0x0000000007710000-0x000000000781A000-memory.dmp

Filesize
1.0MB

Download
memory/3584-33-0x0000000007640000-0x0000000007652000-memory.dmp

Filesize
72KB

Download
memory/3584-26-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/3584-35-0x0000000007E10000-0x0000000007E5C000-memory.dmp

Filesize
304KB

Download
memory/3584-36-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/3584-37-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/4348-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4348-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4348-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4348-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download