mystic | 5f91d6c7801f696f48229bca55617d78a3bed1fec03801148bd6cf8b01b9e53c

General

Target

c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe
Size

373KB
MD5

896200690a2a6ace88febc8b4ecb59f7
SHA1

d3eb645567d656612bf76cd42a510bbd5fa8196b
SHA256

c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7
SHA512

dad6d27cc465d112d5e8dd4ac2f1ae20e20ac474b33088945207084586173dd8a270647352850b121c2168f116845a343be314ce5f088c4308aa9809bae373e3
SSDEEP

6144:K3y+bnr+Vp0yN90QEEsrTqIhsgUGsz7ceTP7qvH84+IgRq9EoDCKff5KJSP9jF2y:NMrxy90zlhlUJzXiU4+LqlewP2LO

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3280-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3280-8-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3280-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3280-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4812-15-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3524	3Ab800Bd.exe
4884	5yA16Xw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3524 set thread context of 3280	3524	3Ab800Bd.exe	86
PID 4884 set thread context of 4812	4884	5yA16Xw.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	3280	WerFault.exe	86

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3524	552	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe	84
PID 552 wrote to memory of 3524	552	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe	84
PID 552 wrote to memory of 3524	552	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe	84
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 3524 wrote to memory of 3280	3524	3Ab800Bd.exe	86
PID 552 wrote to memory of 4884	552	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe	90
PID 552 wrote to memory of 4884	552	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe	90
PID 552 wrote to memory of 4884	552	c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe	90
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95
PID 4884 wrote to memory of 4812	4884	5yA16Xw.exe	95

C:\Users\Admin\AppData\Local\Temp\c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe
"C:\Users\Admin\AppData\Local\Temp\c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ab800Bd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ab800Bd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 540
      4⤵
      Program crash
      PID:2768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yA16Xw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yA16Xw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3280 -ip 3280
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ab800Bd.exe

Filesize
276KB

MD5
46a1cccb22ff83973d7613ec41cc30a8

SHA1
782ad709284f5e39f726f694186258ea90afd469

SHA256
ff8b3c2650cc92971963a2d03fef8acec4ca9f2f6564a6850ae1d60cf53a0bef

SHA512
26e71da3e144d3b60adfb75c556d9dfaa5ffb9b1f4aab5690157cf9588aa13a17cda62f506169a7a089bd2a5ee45b8f303e263e7ef2c1366dcb5a4111ca9f833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ab800Bd.exe

Filesize
276KB

MD5
46a1cccb22ff83973d7613ec41cc30a8

SHA1
782ad709284f5e39f726f694186258ea90afd469

SHA256
ff8b3c2650cc92971963a2d03fef8acec4ca9f2f6564a6850ae1d60cf53a0bef

SHA512
26e71da3e144d3b60adfb75c556d9dfaa5ffb9b1f4aab5690157cf9588aa13a17cda62f506169a7a089bd2a5ee45b8f303e263e7ef2c1366dcb5a4111ca9f833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yA16Xw.exe

Filesize
315KB

MD5
2d5d1d321ed12e197ccc8374dcd756cd

SHA1
630240304b96ddb34b862ed906d9805f7ef5cdd9

SHA256
cba2f58c33f02b73b27a8793dc8e7757fc3df34642f226ff49d25a742acd1b07

SHA512
19966e3e1479e0b537848c71c20a744fba05adf38ecfb150a898ed058a8f757988f9a4bf99d060661ed9cd5ab87bc57e83d7d9069670cee43fb9b9968f54517d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yA16Xw.exe

Filesize
315KB

MD5
2d5d1d321ed12e197ccc8374dcd756cd

SHA1
630240304b96ddb34b862ed906d9805f7ef5cdd9

SHA256
cba2f58c33f02b73b27a8793dc8e7757fc3df34642f226ff49d25a742acd1b07

SHA512
19966e3e1479e0b537848c71c20a744fba05adf38ecfb150a898ed058a8f757988f9a4bf99d060661ed9cd5ab87bc57e83d7d9069670cee43fb9b9968f54517d

Download Submit
memory/3280-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-17-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/4812-16-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4812-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-18-0x0000000007270000-0x0000000007302000-memory.dmp

Filesize
584KB

Download
memory/4812-19-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/4812-20-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/4812-21-0x0000000008350000-0x0000000008968000-memory.dmp

Filesize
6.1MB

Download
memory/4812-22-0x00000000075F0000-0x00000000076FA000-memory.dmp

Filesize
1.0MB

Download
memory/4812-23-0x0000000007520000-0x0000000007532000-memory.dmp

Filesize
72KB

Download
memory/4812-24-0x0000000007580000-0x00000000075BC000-memory.dmp

Filesize
240KB

Download
memory/4812-25-0x0000000007700000-0x000000000774C000-memory.dmp

Filesize
304KB

Download
memory/4812-26-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4812-27-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads