mystic | 999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe
Size

894KB
MD5

a987c8d828f7ce0a99a246aea6fcdcc0
SHA1

8e28268f4b1c09418b7cddb03eab412ac04b286b
SHA256

999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e
SHA512

328c9d1b597b72250a8a020285f30e69c7e3cb5cb6e40e48ffb2ca07918c62390324609e0d223ed4c6d88838936daf42715d9069d84709bca4c155557117c751
SSDEEP

24576:ByVUJKu14qC8qxGKd8xmvhAvMYry/uxmLD/5XwhBPe:0ypVaGvmvhAPrAn/5XwDP

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4140-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4140-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4140-30-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4140-32-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/224-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3688	pL6YM27.exe
1096	11Dz2564.exe
4880	12Ce441.exe
2788	13sO806.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pL6YM27.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 224	1096	11Dz2564.exe	104
PID 4880 set thread context of 4140	4880	12Ce441.exe	107
PID 2788 set thread context of 2824	2788	13sO806.exe	121

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3176	4140	WerFault.exe	107

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2824	AppLaunch.exe
2824	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3688	1200	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe	88
PID 1200 wrote to memory of 3688	1200	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe	88
PID 1200 wrote to memory of 3688	1200	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe	88
PID 3688 wrote to memory of 1096	3688	pL6YM27.exe	89
PID 3688 wrote to memory of 1096	3688	pL6YM27.exe	89
PID 3688 wrote to memory of 1096	3688	pL6YM27.exe	89
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 1096 wrote to memory of 224	1096	11Dz2564.exe	104
PID 3688 wrote to memory of 4880	3688	pL6YM27.exe	105
PID 3688 wrote to memory of 4880	3688	pL6YM27.exe	105
PID 3688 wrote to memory of 4880	3688	pL6YM27.exe	105
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 4880 wrote to memory of 4140	4880	12Ce441.exe	107
PID 1200 wrote to memory of 2788	1200	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe	110
PID 1200 wrote to memory of 2788	1200	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe	110
PID 1200 wrote to memory of 2788	1200	999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe	110
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121
PID 2788 wrote to memory of 2824	2788	13sO806.exe	121

C:\Users\Admin\AppData\Local\Temp\999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe
"C:\Users\Admin\AppData\Local\Temp\999de58f75aa7b5bf23692a429c0edf590719f4a58ace16d057f9a871946ba4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pL6YM27.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pL6YM27.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Dz2564.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Dz2564.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ce441.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ce441.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 540
        5⤵
        Program crash
        
        PID:3176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sO806.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sO806.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4140 -ip 4140
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sO806.exe

Filesize
724KB

MD5
ba1d6dfeb5bbc9939302ebf24048a5f8

SHA1
9cd566df43cc33c98af09aba22f21a32c11fc8e5

SHA256
68e4c47f32b6a8722263e486054129f80334d30b26fc0d9060b429984d197330

SHA512
c547f97e92737dd9a2b83c8a92b4d543393b9555a193a7a1313f5d7c17be1029b8fab063ca99809ba2ad05e239db53ffd31601514960e2257f316dd3d6da1c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sO806.exe

Filesize
724KB

MD5
ba1d6dfeb5bbc9939302ebf24048a5f8

SHA1
9cd566df43cc33c98af09aba22f21a32c11fc8e5

SHA256
68e4c47f32b6a8722263e486054129f80334d30b26fc0d9060b429984d197330

SHA512
c547f97e92737dd9a2b83c8a92b4d543393b9555a193a7a1313f5d7c17be1029b8fab063ca99809ba2ad05e239db53ffd31601514960e2257f316dd3d6da1c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pL6YM27.exe

Filesize
430KB

MD5
a80a0ca9ed3b315b68399dcc0783853d

SHA1
9a939b12a437608b3f9bf1fd9c3c9a5d9a59c221

SHA256
299c23d064cfcb294edcbb0dc485d218b1ed9e33820988b27078adcb9db358ba

SHA512
67fa7c7741d10eb4daa127b9253052a86cee39d016ff450d6ad5401acea255ec3c31703656c902bd1cf6c84e22bc5e63996d2b2fb635af664183d927fc34c4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pL6YM27.exe

Filesize
430KB

MD5
a80a0ca9ed3b315b68399dcc0783853d

SHA1
9a939b12a437608b3f9bf1fd9c3c9a5d9a59c221

SHA256
299c23d064cfcb294edcbb0dc485d218b1ed9e33820988b27078adcb9db358ba

SHA512
67fa7c7741d10eb4daa127b9253052a86cee39d016ff450d6ad5401acea255ec3c31703656c902bd1cf6c84e22bc5e63996d2b2fb635af664183d927fc34c4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Dz2564.exe

Filesize
415KB

MD5
71fca203361e8ff835325f197d0ea0b3

SHA1
d7ee7957d23cb7a2d6bf6cd32fec72b2050b8d75

SHA256
b1591c7aa2db38ae5be025fc4a78306ebbeae611f1dd77ebec5d267e01068032

SHA512
2fe2c5652c2a7d2a37c98067b472333becf9a7af5ddc792d655d4fc17277473c18b5561c3a6f186a79361d23c49a9620c5727ac5078dba4564406c55626dedee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Dz2564.exe

Filesize
415KB

MD5
71fca203361e8ff835325f197d0ea0b3

SHA1
d7ee7957d23cb7a2d6bf6cd32fec72b2050b8d75

SHA256
b1591c7aa2db38ae5be025fc4a78306ebbeae611f1dd77ebec5d267e01068032

SHA512
2fe2c5652c2a7d2a37c98067b472333becf9a7af5ddc792d655d4fc17277473c18b5561c3a6f186a79361d23c49a9620c5727ac5078dba4564406c55626dedee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ce441.exe

Filesize
378KB

MD5
4cb95b989dc055a2ff4c7935440644a8

SHA1
155d5a4b1e8574fe813e690c94650f8b7bceb500

SHA256
1c88cc75d920d016c0ac16feb34460fa03c6d1f6c1ca0c2db2d1d6ddd58b417a

SHA512
e0446edb7366867343e6497e2464bf17774805db55b0f9fc278e0f313b4153137c5e30e45b367b4c39251acbbc452d91a7fc716e34af30c537c0cf0094fefdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ce441.exe

Filesize
378KB

MD5
4cb95b989dc055a2ff4c7935440644a8

SHA1
155d5a4b1e8574fe813e690c94650f8b7bceb500

SHA256
1c88cc75d920d016c0ac16feb34460fa03c6d1f6c1ca0c2db2d1d6ddd58b417a

SHA512
e0446edb7366867343e6497e2464bf17774805db55b0f9fc278e0f313b4153137c5e30e45b367b4c39251acbbc452d91a7fc716e34af30c537c0cf0094fefdc4

Download Submit
memory/224-18-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/224-37-0x0000000007C10000-0x0000000007C20000-memory.dmp

Filesize
64KB

Download
memory/224-21-0x0000000007C10000-0x0000000007C20000-memory.dmp

Filesize
64KB

Download
memory/224-22-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/224-23-0x0000000008A20000-0x0000000009038000-memory.dmp

Filesize
6.1MB

Download
memory/224-24-0x0000000007D30000-0x0000000007E3A000-memory.dmp

Filesize
1.0MB

Download
memory/224-25-0x0000000007C60000-0x0000000007C72000-memory.dmp

Filesize
72KB

Download
memory/224-26-0x0000000007CC0000-0x0000000007CFC000-memory.dmp

Filesize
240KB

Download
memory/224-27-0x0000000008400000-0x000000000844C000-memory.dmp

Filesize
304KB

Download
memory/224-20-0x0000000007980000-0x0000000007A12000-memory.dmp

Filesize
584KB

Download
memory/224-36-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/224-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/224-19-0x0000000007E50000-0x00000000083F4000-memory.dmp

Filesize
5.6MB

Download
memory/2824-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2824-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2824-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2824-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4140-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download