mystic | c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391

Analysis

max time kernel
138s
max time network
155s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2023 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe
Size

894KB
MD5

28bf6d7dfb8cd9da7db94b2628f94230
SHA1

5880277376b15b2fbf221451487bf62f2907adeb
SHA256

c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391
SHA512

6443b0f0fc2ff60077b8d974d869006f32e5c8860dc3960c758cd6b3d0487151df02495a84a10abd1a60b631a808e1d9af224efe1808a6165c435dc5be8df2ef
SSDEEP

24576:Gytn4iDgakf7DDEpMmA59Fg8l2FZ7OF0fp4MGRVRlC:VeQgd7DgpMmAoZzh4MGFl

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1088-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1088-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1088-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1088-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4276-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1172	LW5bU84.exe
4024	11Sa5646.exe
2652	12Fw942.exe
304	13dE819.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LW5bU84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4024 set thread context of 4276	4024	11Sa5646.exe	74
PID 2652 set thread context of 1088	2652	12Fw942.exe	77
PID 304 set thread context of 3276	304	13dE819.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4532	1088	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3276	AppLaunch.exe
3276	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1172	4120	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe	71
PID 4120 wrote to memory of 1172	4120	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe	71
PID 4120 wrote to memory of 1172	4120	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe	71
PID 1172 wrote to memory of 4024	1172	LW5bU84.exe	72
PID 1172 wrote to memory of 4024	1172	LW5bU84.exe	72
PID 1172 wrote to memory of 4024	1172	LW5bU84.exe	72
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 4024 wrote to memory of 4276	4024	11Sa5646.exe	74
PID 1172 wrote to memory of 2652	1172	LW5bU84.exe	75
PID 1172 wrote to memory of 2652	1172	LW5bU84.exe	75
PID 1172 wrote to memory of 2652	1172	LW5bU84.exe	75
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 2652 wrote to memory of 1088	2652	12Fw942.exe	77
PID 4120 wrote to memory of 304	4120	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe	78
PID 4120 wrote to memory of 304	4120	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe	78
PID 4120 wrote to memory of 304	4120	c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe	78
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82
PID 304 wrote to memory of 3276	304	13dE819.exe	82

C:\Users\Admin\AppData\Local\Temp\c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe
"C:\Users\Admin\AppData\Local\Temp\c0aa8aafb0b69a184b128bb4ec669b08970553647ae9d3741da511beb938c391.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LW5bU84.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LW5bU84.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Sa5646.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Sa5646.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Fw942.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Fw942.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 568
        5⤵
        Program crash
        
        PID:4532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13dE819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13dE819.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13dE819.exe

Filesize
724KB

MD5
8169af45511fcf8cd6897385d2a858a5

SHA1
8a2d3e9b9e764f4f474fde707462c799c24e24c4

SHA256
88ad7d63c7d7524608dc26d1d37958391151828d52a2d8137deb500db2ca50fe

SHA512
6723339cb568d8a9e74168486eddc66e391e8511f3caa2e667c064de4f8bbfe32d151188777406ed6cba0c894f5403646d65f81556e311c392fba02764aff7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13dE819.exe

Filesize
724KB

MD5
8169af45511fcf8cd6897385d2a858a5

SHA1
8a2d3e9b9e764f4f474fde707462c799c24e24c4

SHA256
88ad7d63c7d7524608dc26d1d37958391151828d52a2d8137deb500db2ca50fe

SHA512
6723339cb568d8a9e74168486eddc66e391e8511f3caa2e667c064de4f8bbfe32d151188777406ed6cba0c894f5403646d65f81556e311c392fba02764aff7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LW5bU84.exe

Filesize
430KB

MD5
0c6c51a92fe766563fe771278ffa7a3d

SHA1
729608578ff1ed0ddc79d27b14f9057d2eb9740b

SHA256
c95d8191a7f836a9f6a060df438a59a30851e2a2b046033a4715f9ac90682387

SHA512
71eb33a8d48dbe5eeb9f33f8875a756aaa2baeea2ea1021459ada37181f39d2480f4aeed6e8e8f4ba2c1a455aca799f288bbf23226a3a1103242c493ebed2dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LW5bU84.exe

Filesize
430KB

MD5
0c6c51a92fe766563fe771278ffa7a3d

SHA1
729608578ff1ed0ddc79d27b14f9057d2eb9740b

SHA256
c95d8191a7f836a9f6a060df438a59a30851e2a2b046033a4715f9ac90682387

SHA512
71eb33a8d48dbe5eeb9f33f8875a756aaa2baeea2ea1021459ada37181f39d2480f4aeed6e8e8f4ba2c1a455aca799f288bbf23226a3a1103242c493ebed2dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Sa5646.exe

Filesize
415KB

MD5
37710df985c10740e32afacc089eee52

SHA1
77378b9eed81cbc1bfcd3fb78c7a91f685139bcd

SHA256
d4ca68d5b10f638728ff361c71bcac220286f9d21a217b6d9700540dedc804de

SHA512
1d6e7d128efddc7adf27e18c092414ef75fb2e40f4cb6b0d47d449c6a2f3b5771842669fffd29f7c45f06b115173e645619c5de2979c8cfd33d945ee95557ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Sa5646.exe

Filesize
415KB

MD5
37710df985c10740e32afacc089eee52

SHA1
77378b9eed81cbc1bfcd3fb78c7a91f685139bcd

SHA256
d4ca68d5b10f638728ff361c71bcac220286f9d21a217b6d9700540dedc804de

SHA512
1d6e7d128efddc7adf27e18c092414ef75fb2e40f4cb6b0d47d449c6a2f3b5771842669fffd29f7c45f06b115173e645619c5de2979c8cfd33d945ee95557ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Fw942.exe

Filesize
378KB

MD5
5054a69b734786c2b891256d62532c58

SHA1
2f26747c544e7651c685c5956895f4b667389727

SHA256
1af8db7bbf4e0ffa9af3958c2f9299706537e2beb055eb6a2a338cde71055f47

SHA512
72f11f9821281d8cb074cbc4870da9707ec9090cd9f9fb63311b4262de60f71551704d91c4a719c272dce8981f66966770b4db94358139062ea91ba5ecf0d4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Fw942.exe

Filesize
378KB

MD5
5054a69b734786c2b891256d62532c58

SHA1
2f26747c544e7651c685c5956895f4b667389727

SHA256
1af8db7bbf4e0ffa9af3958c2f9299706537e2beb055eb6a2a338cde71055f47

SHA512
72f11f9821281d8cb074cbc4870da9707ec9090cd9f9fb63311b4262de60f71551704d91c4a719c272dce8981f66966770b4db94358139062ea91ba5ecf0d4c3

Download Submit
memory/1088-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3276-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3276-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3276-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4276-22-0x000000000BE60000-0x000000000C35E000-memory.dmp

Filesize
5.0MB

Download
memory/4276-23-0x000000000BA00000-0x000000000BA92000-memory.dmp

Filesize
584KB

Download
memory/4276-21-0x0000000072F20000-0x000000007360E000-memory.dmp

Filesize
6.9MB

Download
memory/4276-29-0x000000000BDF0000-0x000000000BE3B000-memory.dmp

Filesize
300KB

Download
memory/4276-28-0x000000000BC70000-0x000000000BCAE000-memory.dmp

Filesize
248KB

Download
memory/4276-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-27-0x000000000BC10000-0x000000000BC22000-memory.dmp

Filesize
72KB

Download
memory/4276-26-0x000000000BCE0000-0x000000000BDEA000-memory.dmp

Filesize
1.0MB

Download
memory/4276-25-0x000000000C970000-0x000000000CF76000-memory.dmp

Filesize
6.0MB

Download
memory/4276-24-0x000000000B9B0000-0x000000000B9BA000-memory.dmp

Filesize
40KB

Download
memory/4276-55-0x0000000072F20000-0x000000007360E000-memory.dmp

Filesize
6.9MB

Download