mystic | 7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91

Analysis

max time kernel
138s
max time network
156s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2023 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe
Size

893KB
MD5

eb8b1431c704a181b65c0810fc530b3a
SHA1

b6e297908f603edb7a88e18f3c9437e6d3f2beca
SHA256

7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91
SHA512

bfa1d19c0566bcdb78040c631a5f54aefbcf194c590a3d2290e7b28b41163df7b1d59a0509db5b01bb95b0833fef13c1edec05b85e23f3538f2881ce88f0e150
SSDEEP

12288:0Mr1y905FQdYeZ+Z/nKRDLaT/gebpDGgszJ5YuGb/PFPailasnKy8EHS6qD4Ic8d:ZydTZs/2LMhyrzJBu/plwYHS6+91

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/5020-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/5020-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/5020-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/5020-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2664-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4432	aV7KM16.exe
4220	11og7681.exe
3888	12sG535.exe
3508	13bT422.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aV7KM16.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4220 set thread context of 2664	4220	11og7681.exe	74
PID 3888 set thread context of 5020	3888	12sG535.exe	78
PID 3508 set thread context of 4324	3508	13bT422.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1544	5020	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4324	AppLaunch.exe
4324	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4432	3440	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe	71
PID 3440 wrote to memory of 4432	3440	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe	71
PID 3440 wrote to memory of 4432	3440	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe	71
PID 4432 wrote to memory of 4220	4432	aV7KM16.exe	72
PID 4432 wrote to memory of 4220	4432	aV7KM16.exe	72
PID 4432 wrote to memory of 4220	4432	aV7KM16.exe	72
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4220 wrote to memory of 2664	4220	11og7681.exe	74
PID 4432 wrote to memory of 3888	4432	aV7KM16.exe	75
PID 4432 wrote to memory of 3888	4432	aV7KM16.exe	75
PID 4432 wrote to memory of 3888	4432	aV7KM16.exe	75
PID 3888 wrote to memory of 2336	3888	12sG535.exe	77
PID 3888 wrote to memory of 2336	3888	12sG535.exe	77
PID 3888 wrote to memory of 2336	3888	12sG535.exe	77
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3888 wrote to memory of 5020	3888	12sG535.exe	78
PID 3440 wrote to memory of 3508	3440	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe	79
PID 3440 wrote to memory of 3508	3440	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe	79
PID 3440 wrote to memory of 3508	3440	7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe	79
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83
PID 3508 wrote to memory of 4324	3508	13bT422.exe	83

C:\Users\Admin\AppData\Local\Temp\7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe
"C:\Users\Admin\AppData\Local\Temp\7ff6a49f96ee12c80e38690aebc7c75af8fb8290b9276ff134b336334d505d91.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aV7KM16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aV7KM16.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11og7681.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11og7681.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12sG535.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12sG535.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 568
        5⤵
        Program crash
        
        PID:1544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13bT422.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13bT422.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13bT422.exe

Filesize
724KB

MD5
146b34a92d1e0f8cc36b8bcfd9c79a5d

SHA1
eef05c92761382e1929f3e1aba6625a3f4a81242

SHA256
235c07758cdad8f68ebb8a2e925cd386de973685896c7bec04b4bd264d1085ea

SHA512
821f776d2dc582f6fbb1c2f97200a5e7c7e7e608d3154960eeedd3a0bbf0136cce29e7b5598adb171e268ad125bcc85c064c491ed409d6dd724c083eb9daed4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13bT422.exe

Filesize
724KB

MD5
146b34a92d1e0f8cc36b8bcfd9c79a5d

SHA1
eef05c92761382e1929f3e1aba6625a3f4a81242

SHA256
235c07758cdad8f68ebb8a2e925cd386de973685896c7bec04b4bd264d1085ea

SHA512
821f776d2dc582f6fbb1c2f97200a5e7c7e7e608d3154960eeedd3a0bbf0136cce29e7b5598adb171e268ad125bcc85c064c491ed409d6dd724c083eb9daed4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aV7KM16.exe

Filesize
430KB

MD5
10aee63ff7e3b510672bd0c9e8810267

SHA1
65b8ae0093ed83f32cccbdabb3b71876eceac8f4

SHA256
4d396b054b4959c000b7fafa8b2449834115621ce3614fbbe3391f19f0e980fa

SHA512
c7ed1592f1ae686ef8d53069660b12827bd872ecc19dda3e18eb5139831d22cd0d3070df3dedcef74be719eb991b8662f62f34be63f829aabd12da68db8c6c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aV7KM16.exe

Filesize
430KB

MD5
10aee63ff7e3b510672bd0c9e8810267

SHA1
65b8ae0093ed83f32cccbdabb3b71876eceac8f4

SHA256
4d396b054b4959c000b7fafa8b2449834115621ce3614fbbe3391f19f0e980fa

SHA512
c7ed1592f1ae686ef8d53069660b12827bd872ecc19dda3e18eb5139831d22cd0d3070df3dedcef74be719eb991b8662f62f34be63f829aabd12da68db8c6c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11og7681.exe

Filesize
415KB

MD5
0b6fb15a1fe2036414accc38d3c49801

SHA1
e32516697c74fb91461c159f24a3534ae8e70383

SHA256
6083c9f77254ee7af479c4cd5535e67491739506b809edc0a82e51786a9feebc

SHA512
b7081b584c7b615a1fe4b2a678658c73d5dda1cc2d4b4fbc532cf516147d58b3efc3e22ee4ab24a8d8f216892c22b3aeae33f497d9c5989a6cd4b2d4876b5b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11og7681.exe

Filesize
415KB

MD5
0b6fb15a1fe2036414accc38d3c49801

SHA1
e32516697c74fb91461c159f24a3534ae8e70383

SHA256
6083c9f77254ee7af479c4cd5535e67491739506b809edc0a82e51786a9feebc

SHA512
b7081b584c7b615a1fe4b2a678658c73d5dda1cc2d4b4fbc532cf516147d58b3efc3e22ee4ab24a8d8f216892c22b3aeae33f497d9c5989a6cd4b2d4876b5b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12sG535.exe

Filesize
378KB

MD5
550ffbeac1a32eb61c231477e397ce96

SHA1
0020349f7eebc220331e17ef6997ee0086534a6e

SHA256
2dd78437fa01e9270d8b2f52719d54f4f28a3e94980ce6fd73abb31e70915b96

SHA512
82ee97879bdb68bab52919ebfbff767cf6dc9204ca82c2317cfbf2c8047d96894f025caa0d7477be135c03c257427f4cb11fadf7f6b8592c45cf822f963972d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12sG535.exe

Filesize
378KB

MD5
550ffbeac1a32eb61c231477e397ce96

SHA1
0020349f7eebc220331e17ef6997ee0086534a6e

SHA256
2dd78437fa01e9270d8b2f52719d54f4f28a3e94980ce6fd73abb31e70915b96

SHA512
82ee97879bdb68bab52919ebfbff767cf6dc9204ca82c2317cfbf2c8047d96894f025caa0d7477be135c03c257427f4cb11fadf7f6b8592c45cf822f963972d7

Download Submit
memory/2664-26-0x000000000BE70000-0x000000000BF7A000-memory.dmp

Filesize
1.0MB

Download
memory/2664-21-0x0000000073600000-0x0000000073CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-24-0x000000000B480000-0x000000000B48A000-memory.dmp

Filesize
40KB

Download
memory/2664-25-0x000000000C480000-0x000000000CA86000-memory.dmp

Filesize
6.0MB

Download
memory/2664-22-0x000000000B970000-0x000000000BE6E000-memory.dmp

Filesize
5.0MB

Download
memory/2664-27-0x000000000B600000-0x000000000B612000-memory.dmp

Filesize
72KB

Download
memory/2664-28-0x000000000B670000-0x000000000B6AE000-memory.dmp

Filesize
248KB

Download
memory/2664-29-0x000000000B6B0000-0x000000000B6FB000-memory.dmp

Filesize
300KB

Download
memory/2664-55-0x0000000073600000-0x0000000073CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x000000000B510000-0x000000000B5A2000-memory.dmp

Filesize
584KB

Download
memory/2664-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4324-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4324-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4324-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4324-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/5020-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download