mystic | 72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a

Analysis

max time kernel
138s
max time network
155s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2023 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe
Size

892KB
MD5

cec9b75217ac69ead61a286c4ee1927c
SHA1

e7db2ee95ddd6c9c9eff536558baa2959fa2f297
SHA256

72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a
SHA512

5f39a74bea174a4018b500cf35bff5a74ed45519809d929e53e879eba157bbdb019fb484e73107fd53ee41f46fa71c3ec3c758fbbe362683de4feda73b6836c2
SSDEEP

24576:by4yfLhmffQhvvb7oFmyE73CvtUvPpMrFns6pkeyYd69S:O44FeQ9vbkFmpDCvt8PSrFs6pFyy6

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2316-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2316-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2316-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2316-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3596-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4976	zW5Mu68.exe
3656	11Ol7429.exe
4312	12ag671.exe
600	13Xg723.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zW5Mu68.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 3596	3656	11Ol7429.exe	74
PID 4312 set thread context of 2316	4312	12ag671.exe	77
PID 600 set thread context of 4524	600	13Xg723.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3224	2316	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4524	AppLaunch.exe
4524	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4976	2140	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe	71
PID 2140 wrote to memory of 4976	2140	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe	71
PID 2140 wrote to memory of 4976	2140	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe	71
PID 4976 wrote to memory of 3656	4976	zW5Mu68.exe	72
PID 4976 wrote to memory of 3656	4976	zW5Mu68.exe	72
PID 4976 wrote to memory of 3656	4976	zW5Mu68.exe	72
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 3656 wrote to memory of 3596	3656	11Ol7429.exe	74
PID 4976 wrote to memory of 4312	4976	zW5Mu68.exe	75
PID 4976 wrote to memory of 4312	4976	zW5Mu68.exe	75
PID 4976 wrote to memory of 4312	4976	zW5Mu68.exe	75
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 4312 wrote to memory of 2316	4312	12ag671.exe	77
PID 2140 wrote to memory of 600	2140	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe	78
PID 2140 wrote to memory of 600	2140	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe	78
PID 2140 wrote to memory of 600	2140	72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe	78
PID 600 wrote to memory of 5028	600	13Xg723.exe	82
PID 600 wrote to memory of 5028	600	13Xg723.exe	82
PID 600 wrote to memory of 5028	600	13Xg723.exe	82
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83
PID 600 wrote to memory of 4524	600	13Xg723.exe	83

C:\Users\Admin\AppData\Local\Temp\72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe
"C:\Users\Admin\AppData\Local\Temp\72a194ce09ab3c83ef3ca921476d23917984354feb35ee602f02d9aa2d55b33a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zW5Mu68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zW5Mu68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Ol7429.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Ol7429.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12ag671.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12ag671.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 568
        5⤵
        Program crash
        
        PID:3224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Xg723.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Xg723.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Xg723.exe

Filesize
724KB

MD5
498974aaf4f43b47c3d2bd405039ff26

SHA1
adbebff69c008beeedcfc05fae4b676f093d0a40

SHA256
d891f3985edda861573a6cdd19a90450a7a790814e5cf72b689756af51b978d2

SHA512
4d44da6c240c06e072e7697f37a29e9eefa0280c823098838d31ee5d742e7c167c760f624f1e632ebe31da1c7339fe3bfe8f4d4fd15d2ded62420b8049471d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Xg723.exe

Filesize
724KB

MD5
498974aaf4f43b47c3d2bd405039ff26

SHA1
adbebff69c008beeedcfc05fae4b676f093d0a40

SHA256
d891f3985edda861573a6cdd19a90450a7a790814e5cf72b689756af51b978d2

SHA512
4d44da6c240c06e072e7697f37a29e9eefa0280c823098838d31ee5d742e7c167c760f624f1e632ebe31da1c7339fe3bfe8f4d4fd15d2ded62420b8049471d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zW5Mu68.exe

Filesize
429KB

MD5
1dd8479dc1ee954026b79eddf4df57b1

SHA1
da71db1e1b9db6da64368af1d2f1bb2df0dbe02a

SHA256
c49b70c36d49f0f6aeca67168f73c2bcef25f8a860914a54cd8972e78d674f38

SHA512
a53b8a2813608bbccd1df50260f4254ddd25150f28927d3772b45965e232904a915ef6d039a28a331c6103414cb8f79a3875359424b717294d358cdc12f2bd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zW5Mu68.exe

Filesize
429KB

MD5
1dd8479dc1ee954026b79eddf4df57b1

SHA1
da71db1e1b9db6da64368af1d2f1bb2df0dbe02a

SHA256
c49b70c36d49f0f6aeca67168f73c2bcef25f8a860914a54cd8972e78d674f38

SHA512
a53b8a2813608bbccd1df50260f4254ddd25150f28927d3772b45965e232904a915ef6d039a28a331c6103414cb8f79a3875359424b717294d358cdc12f2bd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Ol7429.exe

Filesize
415KB

MD5
a03cdbb06c92be2107479b1d3bab97d1

SHA1
c1bbd0a76847216e83692defb96f1b5330c33f66

SHA256
730c76fa72c419bd1a206d03f33c0f6954e728ae35698c74aa961c7a22504549

SHA512
cebb5deef76026d9221c58472a4af0897392462447663f18dacf08941d6f56f098f7c350bc6fdbc3f7b3f9e93e968928f27803eaa870c8e5ec901a16f9152e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Ol7429.exe

Filesize
415KB

MD5
a03cdbb06c92be2107479b1d3bab97d1

SHA1
c1bbd0a76847216e83692defb96f1b5330c33f66

SHA256
730c76fa72c419bd1a206d03f33c0f6954e728ae35698c74aa961c7a22504549

SHA512
cebb5deef76026d9221c58472a4af0897392462447663f18dacf08941d6f56f098f7c350bc6fdbc3f7b3f9e93e968928f27803eaa870c8e5ec901a16f9152e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12ag671.exe

Filesize
378KB

MD5
47691a48a37db2e96569cb6fd1dac940

SHA1
cad4d16edfc25808315e4a198e2ebdea579977c9

SHA256
35d764e461d1ab285e1f497593a39df44aeded50a18c6ff07a16c97e712626bb

SHA512
4511b41670bd946fe509577b60711ef56b7530e028725961e04409fa2d1765247e41fef4df0b19cee6d0a80799d43595c9a6da311b9a62d9cc2602d67436beb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12ag671.exe

Filesize
378KB

MD5
47691a48a37db2e96569cb6fd1dac940

SHA1
cad4d16edfc25808315e4a198e2ebdea579977c9

SHA256
35d764e461d1ab285e1f497593a39df44aeded50a18c6ff07a16c97e712626bb

SHA512
4511b41670bd946fe509577b60711ef56b7530e028725961e04409fa2d1765247e41fef4df0b19cee6d0a80799d43595c9a6da311b9a62d9cc2602d67436beb2

Download Submit
memory/2316-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-22-0x000000000BE00000-0x000000000C2FE000-memory.dmp

Filesize
5.0MB

Download
memory/3596-25-0x000000000C910000-0x000000000CF16000-memory.dmp

Filesize
6.0MB

Download
memory/3596-28-0x000000000BC80000-0x000000000BCBE000-memory.dmp

Filesize
248KB

Download
memory/3596-29-0x000000000C300000-0x000000000C34B000-memory.dmp

Filesize
300KB

Download
memory/3596-26-0x000000000BCF0000-0x000000000BDFA000-memory.dmp

Filesize
1.0MB

Download
memory/3596-23-0x000000000B9B0000-0x000000000BA42000-memory.dmp

Filesize
584KB

Download
memory/3596-21-0x00000000739F0000-0x00000000740DE000-memory.dmp

Filesize
6.9MB

Download
memory/3596-27-0x000000000BC20000-0x000000000BC32000-memory.dmp

Filesize
72KB

Download
memory/3596-24-0x000000000BB30000-0x000000000BB3A000-memory.dmp

Filesize
40KB

Download
memory/3596-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-55-0x00000000739F0000-0x00000000740DE000-memory.dmp

Filesize
6.9MB

Download
memory/4524-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4524-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4524-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4524-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download