mystic | 0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe
Size

894KB
MD5

414e49550b93456297e51d9ce441fda1
SHA1

600d503341ccfcf69053d58364b3c553d940e76d
SHA256

0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8
SHA512

1a1e4b78f44f6683746e7510c2bd3ed3d57a4c2dd60fb1eb0471d8246205103c0649dc55577a73477c780721fa08fd9dfd3aa73d795fd6a63a75eadd52fb413e
SSDEEP

12288:/Mrdy90MbqTiUihuGPxR91E70d7H5+vGqrS818TSffKM3wVu4b:ayK2UiMGPxR914i5+vGqh8Tiyg4b

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/444-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/444-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/444-32-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/444-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3536-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1536	Rk0Mi07.exe
3792	11eo0582.exe
2372	12MD724.exe
3012	13Lp213.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rk0Mi07.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 3536	3792	11eo0582.exe	103
PID 2372 set thread context of 444	2372	12MD724.exe	106
PID 3012 set thread context of 4916	3012	13Lp213.exe	118

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2536	444	WerFault.exe	106

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4916	AppLaunch.exe
4916	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1536	4840	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe	87
PID 4840 wrote to memory of 1536	4840	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe	87
PID 4840 wrote to memory of 1536	4840	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe	87
PID 1536 wrote to memory of 3792	1536	Rk0Mi07.exe	88
PID 1536 wrote to memory of 3792	1536	Rk0Mi07.exe	88
PID 1536 wrote to memory of 3792	1536	Rk0Mi07.exe	88
PID 3792 wrote to memory of 4032	3792	11eo0582.exe	102
PID 3792 wrote to memory of 4032	3792	11eo0582.exe	102
PID 3792 wrote to memory of 4032	3792	11eo0582.exe	102
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 3792 wrote to memory of 3536	3792	11eo0582.exe	103
PID 1536 wrote to memory of 2372	1536	Rk0Mi07.exe	105
PID 1536 wrote to memory of 2372	1536	Rk0Mi07.exe	105
PID 1536 wrote to memory of 2372	1536	Rk0Mi07.exe	105
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 2372 wrote to memory of 444	2372	12MD724.exe	106
PID 4840 wrote to memory of 3012	4840	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe	107
PID 4840 wrote to memory of 3012	4840	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe	107
PID 4840 wrote to memory of 3012	4840	0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe	107
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118
PID 3012 wrote to memory of 4916	3012	13Lp213.exe	118

C:\Users\Admin\AppData\Local\Temp\0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe
"C:\Users\Admin\AppData\Local\Temp\0a5034ebd807bcc7ce919cdc43b786b3ed42d24d32aaf161b51a421d1fcd02d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk0Mi07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk0Mi07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11eo0582.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11eo0582.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12MD724.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12MD724.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 540
        5⤵
        Program crash
        
        PID:2536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Lp213.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Lp213.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 444 -ip 444
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Lp213.exe

Filesize
724KB

MD5
bea6aa796354fb39d2f5f1878db0139d

SHA1
0561aeefe698c6d561264bc8b1881cca07fa12e3

SHA256
ef37f0271bb98bde62ed9a0f84dc04a3acc550573a7cd90435ff5329b1a5a3a4

SHA512
9bc144415ec1de8fc5d5dcba5977a113a3629b3de1e7bde59fd9178f69e703d59192c27c3a79a68a8c54ed62cf45b11c463363148dece74b074367cec566ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Lp213.exe

Filesize
724KB

MD5
bea6aa796354fb39d2f5f1878db0139d

SHA1
0561aeefe698c6d561264bc8b1881cca07fa12e3

SHA256
ef37f0271bb98bde62ed9a0f84dc04a3acc550573a7cd90435ff5329b1a5a3a4

SHA512
9bc144415ec1de8fc5d5dcba5977a113a3629b3de1e7bde59fd9178f69e703d59192c27c3a79a68a8c54ed62cf45b11c463363148dece74b074367cec566ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk0Mi07.exe

Filesize
430KB

MD5
5382f718403b5585ccbaae7b43bc19a2

SHA1
b7d7b4e9be84aa5090e54c082ff818161c63aa69

SHA256
34f3b6e2ae30f331400b78b614bb33a075c5f81f98773d22abfefe0953128b5c

SHA512
0a360ae9ab39e0f2ec0b44a222021700eea92c3aecb68e0d2041bf726d815003ee011fa85abac6eae32304e24812199f45ec9086b71433bccf862cebf0b9cdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk0Mi07.exe

Filesize
430KB

MD5
5382f718403b5585ccbaae7b43bc19a2

SHA1
b7d7b4e9be84aa5090e54c082ff818161c63aa69

SHA256
34f3b6e2ae30f331400b78b614bb33a075c5f81f98773d22abfefe0953128b5c

SHA512
0a360ae9ab39e0f2ec0b44a222021700eea92c3aecb68e0d2041bf726d815003ee011fa85abac6eae32304e24812199f45ec9086b71433bccf862cebf0b9cdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11eo0582.exe

Filesize
415KB

MD5
f0450bc3f51f92f92851071ab94dd15b

SHA1
a4378001792041ba88770c606d23dbee44e32368

SHA256
035ee684b14d946f3821d86ea1bc618d816e10b90912dddc2356ad5af286eba1

SHA512
1b18f1496b7a3e703b049a6f6a8f1269db8772f1386c355c16b40e6c7cb2b509655aae73a0bb0ea5dfa7699eefbd15df2dbed131993b1eda6a0d312d76a7835b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11eo0582.exe

Filesize
415KB

MD5
f0450bc3f51f92f92851071ab94dd15b

SHA1
a4378001792041ba88770c606d23dbee44e32368

SHA256
035ee684b14d946f3821d86ea1bc618d816e10b90912dddc2356ad5af286eba1

SHA512
1b18f1496b7a3e703b049a6f6a8f1269db8772f1386c355c16b40e6c7cb2b509655aae73a0bb0ea5dfa7699eefbd15df2dbed131993b1eda6a0d312d76a7835b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12MD724.exe

Filesize
378KB

MD5
06ba44c1ce805bbad78473502b235d6a

SHA1
7996ae56fe8f94a5e1ec8f2290105ae2439d2241

SHA256
39276a561874023c123faaece7f8c0db0a6a20d50129eedeaf9c91e6a54f1814

SHA512
ad82bf7844a3bea0ff2f39ddbcfe071a2378753b506eee766868441970da50f0c18abdc0e402a729862b7a68508ac47d20d4c71026ffa59a370cfa9472bdff17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12MD724.exe

Filesize
378KB

MD5
06ba44c1ce805bbad78473502b235d6a

SHA1
7996ae56fe8f94a5e1ec8f2290105ae2439d2241

SHA256
39276a561874023c123faaece7f8c0db0a6a20d50129eedeaf9c91e6a54f1814

SHA512
ad82bf7844a3bea0ff2f39ddbcfe071a2378753b506eee766868441970da50f0c18abdc0e402a729862b7a68508ac47d20d4c71026ffa59a370cfa9472bdff17

Download Submit
memory/444-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-18-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3536-19-0x00000000084B0000-0x0000000008A54000-memory.dmp

Filesize
5.6MB

Download
memory/3536-25-0x0000000008020000-0x0000000008032000-memory.dmp

Filesize
72KB

Download
memory/3536-26-0x00000000080C0000-0x00000000080FC000-memory.dmp

Filesize
240KB

Download
memory/3536-27-0x0000000008100000-0x000000000814C000-memory.dmp

Filesize
304KB

Download
memory/3536-23-0x0000000009080000-0x0000000009698000-memory.dmp

Filesize
6.1MB

Download
memory/3536-22-0x0000000005B20000-0x0000000005B2A000-memory.dmp

Filesize
40KB

Download
memory/3536-21-0x0000000008070000-0x0000000008080000-memory.dmp

Filesize
64KB

Download
memory/3536-20-0x0000000007F00000-0x0000000007F92000-memory.dmp

Filesize
584KB

Download
memory/3536-24-0x0000000008360000-0x000000000846A000-memory.dmp

Filesize
1.0MB

Download
memory/3536-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-36-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3536-37-0x0000000008070000-0x0000000008080000-memory.dmp

Filesize
64KB

Download
memory/4916-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4916-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4916-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4916-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download