mystic | d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe
Size

896KB
MD5

80ad382ea28edac79405322302c3bd05
SHA1

c43b57109f2a21bf4f59d4a7585fba26e719d6d8
SHA256

d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770
SHA512

51bb77367465b36b3b0662c5da3287e8f625bd7043c62d3e0fc5e52b1fe432659ea243fed65a78bd2f2fd9b47dae7d46a92ce19358910953e25ceace728b0173
SSDEEP

24576:Vy1zNrmGZS2vFJggoO/dC1UCcaChBH/p6I:wRc2vFJr4OC6/0

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2084-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2084-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2084-32-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2084-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1144-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3320	sM3WU23.exe
4120	11Kn9586.exe
4696	12PQ866.exe
1064	13cf706.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sM3WU23.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 1144	4120	11Kn9586.exe	103
PID 4696 set thread context of 2084	4696	12PQ866.exe	106
PID 1064 set thread context of 3976	1064	13cf706.exe	119

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1368	2084	WerFault.exe	106

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3976	AppLaunch.exe
3976	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 3320	4680	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe	89
PID 4680 wrote to memory of 3320	4680	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe	89
PID 4680 wrote to memory of 3320	4680	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe	89
PID 3320 wrote to memory of 4120	3320	sM3WU23.exe	90
PID 3320 wrote to memory of 4120	3320	sM3WU23.exe	90
PID 3320 wrote to memory of 4120	3320	sM3WU23.exe	90
PID 4120 wrote to memory of 3924	4120	11Kn9586.exe	102
PID 4120 wrote to memory of 3924	4120	11Kn9586.exe	102
PID 4120 wrote to memory of 3924	4120	11Kn9586.exe	102
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 4120 wrote to memory of 1144	4120	11Kn9586.exe	103
PID 3320 wrote to memory of 4696	3320	sM3WU23.exe	104
PID 3320 wrote to memory of 4696	3320	sM3WU23.exe	104
PID 3320 wrote to memory of 4696	3320	sM3WU23.exe	104
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4696 wrote to memory of 2084	4696	12PQ866.exe	106
PID 4680 wrote to memory of 1064	4680	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe	107
PID 4680 wrote to memory of 1064	4680	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe	107
PID 4680 wrote to memory of 1064	4680	d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe	107
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119
PID 1064 wrote to memory of 3976	1064	13cf706.exe	119

C:\Users\Admin\AppData\Local\Temp\d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe
"C:\Users\Admin\AppData\Local\Temp\d46af5ae12f87f0d86b276445f342c68925fe1762dc4ab781f8d1e74c0ce0770.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sM3WU23.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sM3WU23.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kn9586.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kn9586.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12PQ866.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12PQ866.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 540
        5⤵
        Program crash
        
        PID:1368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cf706.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cf706.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2084 -ip 2084
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cf706.exe

Filesize
724KB

MD5
55bbda889f5fcc22da876ac1430f5326

SHA1
150ec0d77ee9502f518703f2cc44e6a70f5e9586

SHA256
dcf7ad959e6baddc86f7a09ddad03b0cc538bb301b43c69a5551031f800067e8

SHA512
8bb1461e4517b3bdd6293f5e463c10050a070c2b73a2002ada4679c58beb3f26b9cd98d48a469b829de15e72390539822b31e1ec374fb49850da18e590f9da38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cf706.exe

Filesize
724KB

MD5
55bbda889f5fcc22da876ac1430f5326

SHA1
150ec0d77ee9502f518703f2cc44e6a70f5e9586

SHA256
dcf7ad959e6baddc86f7a09ddad03b0cc538bb301b43c69a5551031f800067e8

SHA512
8bb1461e4517b3bdd6293f5e463c10050a070c2b73a2002ada4679c58beb3f26b9cd98d48a469b829de15e72390539822b31e1ec374fb49850da18e590f9da38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sM3WU23.exe

Filesize
432KB

MD5
76ff317b6aa2bf914eeaa1be808b2d8d

SHA1
f928f7f9a79c3e737b12cbfd2293d27e98c08e25

SHA256
f54c694897bffe2f3262cc608411403da1030d34f18c4583c6b1f32d1a678b42

SHA512
8a45e4fc273d12f4773bf22dae283925d437c78e26af4aaf7345e2c0b5340bf04e8b6cf6d34758fb52d49d00af99e8f364c98bc153dcaf6fdb24a2424c7d8ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sM3WU23.exe

Filesize
432KB

MD5
76ff317b6aa2bf914eeaa1be808b2d8d

SHA1
f928f7f9a79c3e737b12cbfd2293d27e98c08e25

SHA256
f54c694897bffe2f3262cc608411403da1030d34f18c4583c6b1f32d1a678b42

SHA512
8a45e4fc273d12f4773bf22dae283925d437c78e26af4aaf7345e2c0b5340bf04e8b6cf6d34758fb52d49d00af99e8f364c98bc153dcaf6fdb24a2424c7d8ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kn9586.exe

Filesize
415KB

MD5
0920646199b237fd935e69fde34cb7a9

SHA1
cbf095b6a23a3416354a81fd53859f8db68f0490

SHA256
75079213a6f7402d9213db951c71974242fbf60ae9a06bddfe135c7b53f2cc42

SHA512
8004e9cf333c6d8ee11927d7515e08c8b6b5acb6a0fa2e7ef75f1f51981e7187368876d9ea7584b20e0b90f2af7ab19bfc1771475d264b13041ca826f3874470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Kn9586.exe

Filesize
415KB

MD5
0920646199b237fd935e69fde34cb7a9

SHA1
cbf095b6a23a3416354a81fd53859f8db68f0490

SHA256
75079213a6f7402d9213db951c71974242fbf60ae9a06bddfe135c7b53f2cc42

SHA512
8004e9cf333c6d8ee11927d7515e08c8b6b5acb6a0fa2e7ef75f1f51981e7187368876d9ea7584b20e0b90f2af7ab19bfc1771475d264b13041ca826f3874470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12PQ866.exe

Filesize
378KB

MD5
583bf6a0f56a1ca27b225aecf3be68ce

SHA1
31499f53547f494bdcd43cfefb9c753a5458ecb9

SHA256
4005eeda6994ce4a85dcfeb2b36b731545076a18410a5a03d002611215fca79d

SHA512
1db9db8fc38e61a44f9456b95e8c137f15649b4ee6b4a85155e64a3c0c1ab046786d2e6b72941e2131d0445c49c5d46ba30f5828628097d2fe88a9e4167b8e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12PQ866.exe

Filesize
378KB

MD5
583bf6a0f56a1ca27b225aecf3be68ce

SHA1
31499f53547f494bdcd43cfefb9c753a5458ecb9

SHA256
4005eeda6994ce4a85dcfeb2b36b731545076a18410a5a03d002611215fca79d

SHA512
1db9db8fc38e61a44f9456b95e8c137f15649b4ee6b4a85155e64a3c0c1ab046786d2e6b72941e2131d0445c49c5d46ba30f5828628097d2fe88a9e4167b8e4f

Download Submit
memory/1144-25-0x0000000007A50000-0x0000000007A62000-memory.dmp

Filesize
72KB

Download
memory/1144-37-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/1144-21-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/1144-22-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/1144-23-0x0000000008880000-0x0000000008E98000-memory.dmp

Filesize
6.1MB

Download
memory/1144-24-0x0000000007B20000-0x0000000007C2A000-memory.dmp

Filesize
1.0MB

Download
memory/1144-19-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/1144-26-0x0000000007AB0000-0x0000000007AEC000-memory.dmp

Filesize
240KB

Download
memory/1144-27-0x0000000007C30000-0x0000000007C7C000-memory.dmp

Filesize
304KB

Download
memory/1144-20-0x00000000077A0000-0x0000000007832000-memory.dmp

Filesize
584KB

Download
memory/1144-36-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/1144-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-18-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3976-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3976-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3976-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download