mystic | 168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00

Analysis

max time kernel
149s
max time network
154s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2023 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe
Size

896KB
MD5

b031663aedb8bd30e7e642bfb5596b0d
SHA1

fd4deefb6a437e47c7023c126d8bef981eb31e17
SHA256

168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00
SHA512

c93c67f05f0c6e307efb2dfa3205a7ac76a72d46b74c63dadfaf95d494888858776691c2ddc2ead18bab27378ed5ae5e3c0a0f6048e983629dd8aabbb3d1f245
SSDEEP

12288:9Mr6y90i9GrZN7WAwG0kCHzT6yuhbE2XAljW39Z/oa3Ucqe9z8LBNOOMma0vLfVe:jyK2GM6BE41bkcqgz8LBN/DfpXUGWb

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/772-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/772-41-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/772-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/772-43-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4832-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2440	YC2If63.exe
2052	11xa1819.exe
4964	12xj920.exe
1964	13CZ075.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YC2If63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 4832	2052	11xa1819.exe	76
PID 4964 set thread context of 772	4964	12xj920.exe	79
PID 1964 set thread context of 524	1964	13CZ075.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4912	772	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	AppLaunch.exe
524	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2440	4244	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe	71
PID 4244 wrote to memory of 2440	4244	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe	71
PID 4244 wrote to memory of 2440	4244	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe	71
PID 2440 wrote to memory of 2052	2440	YC2If63.exe	72
PID 2440 wrote to memory of 2052	2440	YC2If63.exe	72
PID 2440 wrote to memory of 2052	2440	YC2If63.exe	72
PID 2052 wrote to memory of 3008	2052	11xa1819.exe	74
PID 2052 wrote to memory of 3008	2052	11xa1819.exe	74
PID 2052 wrote to memory of 3008	2052	11xa1819.exe	74
PID 2052 wrote to memory of 4812	2052	11xa1819.exe	75
PID 2052 wrote to memory of 4812	2052	11xa1819.exe	75
PID 2052 wrote to memory of 4812	2052	11xa1819.exe	75
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2052 wrote to memory of 4832	2052	11xa1819.exe	76
PID 2440 wrote to memory of 4964	2440	YC2If63.exe	77
PID 2440 wrote to memory of 4964	2440	YC2If63.exe	77
PID 2440 wrote to memory of 4964	2440	YC2If63.exe	77
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4964 wrote to memory of 772	4964	12xj920.exe	79
PID 4244 wrote to memory of 1964	4244	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe	80
PID 4244 wrote to memory of 1964	4244	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe	80
PID 4244 wrote to memory of 1964	4244	168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe	80
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84
PID 1964 wrote to memory of 524	1964	13CZ075.exe	84

C:\Users\Admin\AppData\Local\Temp\168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe
"C:\Users\Admin\AppData\Local\Temp\168af7c166211cdc9b549fd748c7ad2e314b18b5df021eb3aeb0c2fdef09ab00.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YC2If63.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YC2If63.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa1819.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa1819.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xj920.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xj920.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 568
        5⤵
        Program crash
        
        PID:4912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CZ075.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CZ075.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CZ075.exe

Filesize
724KB

MD5
7d09c4af134fb0eb985ce69c9f1d7871

SHA1
a46eb8bf38baebf2fb553dd95d7a6ac5f3a89b3b

SHA256
081effc41a5a4ee9517a6daa3479c8e247464a523b6a3d1beed3ecba434e35ba

SHA512
2392d9f8766252f3ea772e41c2c91d59308ffc0c28cf7a89f7c00ef492c690b4ea4ccf3e05cce966575a758a7bbdeedcc1f5029496193d0aff12e337469fb2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CZ075.exe

Filesize
724KB

MD5
7d09c4af134fb0eb985ce69c9f1d7871

SHA1
a46eb8bf38baebf2fb553dd95d7a6ac5f3a89b3b

SHA256
081effc41a5a4ee9517a6daa3479c8e247464a523b6a3d1beed3ecba434e35ba

SHA512
2392d9f8766252f3ea772e41c2c91d59308ffc0c28cf7a89f7c00ef492c690b4ea4ccf3e05cce966575a758a7bbdeedcc1f5029496193d0aff12e337469fb2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YC2If63.exe

Filesize
431KB

MD5
33c7049df86ae1ddbaf641b98332f3a6

SHA1
9a021ef00c500f385a88349563a4319b468c4402

SHA256
99e60052d7f7c6f2a255826fbf60bb105b8275fcd59da49b0782df94e6b954d9

SHA512
d051b3f414da5cf539bb4fa11bc460f1c2838f8af6c31e190f39549cfb4d2cb3739bdfff2d319aeabf6b15254a0b8ac294d2a91c977fbdc342dd8cbfa0d3a1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YC2If63.exe

Filesize
431KB

MD5
33c7049df86ae1ddbaf641b98332f3a6

SHA1
9a021ef00c500f385a88349563a4319b468c4402

SHA256
99e60052d7f7c6f2a255826fbf60bb105b8275fcd59da49b0782df94e6b954d9

SHA512
d051b3f414da5cf539bb4fa11bc460f1c2838f8af6c31e190f39549cfb4d2cb3739bdfff2d319aeabf6b15254a0b8ac294d2a91c977fbdc342dd8cbfa0d3a1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa1819.exe

Filesize
415KB

MD5
83a1cf8aadf50571d00a9a927c0348e0

SHA1
cdeec8d50a4ca240849f235acfccadabca51bb56

SHA256
9bbc4a273a942d59fdd3b3e065d90f85b39c57b5a3b8bc7698879b4805e58e68

SHA512
02ee8e23fa46d0a8d4e6cd44cc025e6653e39ddd40aeef5d7f1f47c091218eee6a73fe30163b4fd4ddf124cea036e20ff485a66945fa94f4eb36c4efc2202009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa1819.exe

Filesize
415KB

MD5
83a1cf8aadf50571d00a9a927c0348e0

SHA1
cdeec8d50a4ca240849f235acfccadabca51bb56

SHA256
9bbc4a273a942d59fdd3b3e065d90f85b39c57b5a3b8bc7698879b4805e58e68

SHA512
02ee8e23fa46d0a8d4e6cd44cc025e6653e39ddd40aeef5d7f1f47c091218eee6a73fe30163b4fd4ddf124cea036e20ff485a66945fa94f4eb36c4efc2202009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xj920.exe

Filesize
378KB

MD5
ef5270c8edb1004dddcd656a1b60852f

SHA1
95690f53a0058dac9e554c9f22837b1c149c9e06

SHA256
c07e51b5a851055652677d4907a12b3ea5a620cc63ac98cd2e114113ba4acf0c

SHA512
012c003bf1a760bf082d095a6c9e82ab1da3847d00f96cf472301b5cc3907f22222692824d29032aa71aff54f04f3110f9f48f7331e30edfacbbb038438ccc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12xj920.exe

Filesize
378KB

MD5
ef5270c8edb1004dddcd656a1b60852f

SHA1
95690f53a0058dac9e554c9f22837b1c149c9e06

SHA256
c07e51b5a851055652677d4907a12b3ea5a620cc63ac98cd2e114113ba4acf0c

SHA512
012c003bf1a760bf082d095a6c9e82ab1da3847d00f96cf472301b5cc3907f22222692824d29032aa71aff54f04f3110f9f48f7331e30edfacbbb038438ccc48

Download Submit
memory/524-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/524-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/524-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/524-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/772-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-29-0x000000000C050000-0x000000000C09B000-memory.dmp

Filesize
300KB

Download
memory/4832-21-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4832-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-27-0x000000000B960000-0x000000000B972000-memory.dmp

Filesize
72KB

Download
memory/4832-22-0x000000000BB50000-0x000000000C04E000-memory.dmp

Filesize
5.0MB

Download
memory/4832-28-0x000000000B9C0000-0x000000000B9FE000-memory.dmp

Filesize
248KB

Download
memory/4832-26-0x000000000BA30000-0x000000000BB3A000-memory.dmp

Filesize
1.0MB

Download
memory/4832-25-0x000000000C660000-0x000000000CC66000-memory.dmp

Filesize
6.0MB

Download
memory/4832-24-0x000000000B710000-0x000000000B71A000-memory.dmp

Filesize
40KB

Download
memory/4832-23-0x000000000B730000-0x000000000B7C2000-memory.dmp

Filesize
584KB

Download
memory/4832-55-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download