mystic | 4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe
Size

892KB
MD5

a27be1fe1fec2a595d19eac94389df10
SHA1

7ab1b086110f1a655714d4ed6e6403112462146e
SHA256

4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16
SHA512

c97b59b497a8bbbce137dcd759e3edb322d3b2e6f6ddad3838b07c0f13665e49533b5bed0e96abe65531693cf130cc2d3b65c55ba86785e0f7e947414e6409df
SSDEEP

24576:wy2/6LtVGaYB0XxaddJIvLuSdvdKfOE/v:3q6FidDEL7QW

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4992-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4992-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4992-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4992-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4208-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3268	xi6NF99.exe
3436	11yQ7267.exe
4776	12be578.exe
4780	13sh038.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xi6NF99.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 4208	3436	11yQ7267.exe	94
PID 4776 set thread context of 4992	4776	12be578.exe	97
PID 4780 set thread context of 1388	4780	13sh038.exe	116

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	4992	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1388	AppLaunch.exe
1388	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3268	2868	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe	88
PID 2868 wrote to memory of 3268	2868	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe	88
PID 2868 wrote to memory of 3268	2868	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe	88
PID 3268 wrote to memory of 3436	3268	xi6NF99.exe	90
PID 3268 wrote to memory of 3436	3268	xi6NF99.exe	90
PID 3268 wrote to memory of 3436	3268	xi6NF99.exe	90
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3436 wrote to memory of 4208	3436	11yQ7267.exe	94
PID 3268 wrote to memory of 4776	3268	xi6NF99.exe	95
PID 3268 wrote to memory of 4776	3268	xi6NF99.exe	95
PID 3268 wrote to memory of 4776	3268	xi6NF99.exe	95
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 4776 wrote to memory of 4992	4776	12be578.exe	97
PID 2868 wrote to memory of 4780	2868	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe	98
PID 2868 wrote to memory of 4780	2868	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe	98
PID 2868 wrote to memory of 4780	2868	4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe	98
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116
PID 4780 wrote to memory of 1388	4780	13sh038.exe	116

C:\Users\Admin\AppData\Local\Temp\4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe
"C:\Users\Admin\AppData\Local\Temp\4ecd67d9bc3094e67e8eea4047af8e2ebca2170232ba31024ef56c744aeeaa16.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xi6NF99.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xi6NF99.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11yQ7267.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11yQ7267.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12be578.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12be578.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 540
        5⤵
        Program crash
        
        PID:2668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sh038.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sh038.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
1⤵
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sh038.exe

Filesize
724KB

MD5
32b5f2825422417044537a27eb1aa3a2

SHA1
aae2f28c1b8a0b8c670b063b4934fc2b9dcf0401

SHA256
6ab4e797e12a0e36659f3f8ddf7317e58bac945183593067e268cac965dcb64b

SHA512
7a44d8f36602e2794289c413dbe1f1700cd7e7947c504b7a945d8d94fe897cb3b4393cf81c2e50996292d9799bc6ab8ea7c8a4e215614821fe40a6adfec5174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13sh038.exe

Filesize
724KB

MD5
32b5f2825422417044537a27eb1aa3a2

SHA1
aae2f28c1b8a0b8c670b063b4934fc2b9dcf0401

SHA256
6ab4e797e12a0e36659f3f8ddf7317e58bac945183593067e268cac965dcb64b

SHA512
7a44d8f36602e2794289c413dbe1f1700cd7e7947c504b7a945d8d94fe897cb3b4393cf81c2e50996292d9799bc6ab8ea7c8a4e215614821fe40a6adfec5174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xi6NF99.exe

Filesize
429KB

MD5
fb96ffb7ba19f4dc49dfbffebb0f4427

SHA1
a9f2919fdfce153e6c978f361f6454eb43361bf9

SHA256
92eb76dda491c933d57e6547cb7252e42e8ff0d1fbbb3184d3bc655373beb458

SHA512
85b680ddabc70e8a662973ac9a9ae1472747a094d7c855a464eec0ac3b5c19d0c06de36d8cb8cc3734fb478be53231bb0f2d232f6e46757ba3d4bac1ee5f33de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xi6NF99.exe

Filesize
429KB

MD5
fb96ffb7ba19f4dc49dfbffebb0f4427

SHA1
a9f2919fdfce153e6c978f361f6454eb43361bf9

SHA256
92eb76dda491c933d57e6547cb7252e42e8ff0d1fbbb3184d3bc655373beb458

SHA512
85b680ddabc70e8a662973ac9a9ae1472747a094d7c855a464eec0ac3b5c19d0c06de36d8cb8cc3734fb478be53231bb0f2d232f6e46757ba3d4bac1ee5f33de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11yQ7267.exe

Filesize
415KB

MD5
bd14d7ecb18043988c0f05b3ee85dd34

SHA1
efd95d6078ab0954f18490f4a405b0d22dc9e188

SHA256
f44bf52fa24020710c973d54a2b0f8d51a7734828ccd5370fb7c0b8357893d40

SHA512
bec1130b4f4371934948d23fd71c5bfdca8a4891f49d95407063fbb03024ac5ae8fd9489df5c77c572a005966c3a94589bc5cf3be32f318f42e89ed0857989bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11yQ7267.exe

Filesize
415KB

MD5
bd14d7ecb18043988c0f05b3ee85dd34

SHA1
efd95d6078ab0954f18490f4a405b0d22dc9e188

SHA256
f44bf52fa24020710c973d54a2b0f8d51a7734828ccd5370fb7c0b8357893d40

SHA512
bec1130b4f4371934948d23fd71c5bfdca8a4891f49d95407063fbb03024ac5ae8fd9489df5c77c572a005966c3a94589bc5cf3be32f318f42e89ed0857989bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12be578.exe

Filesize
378KB

MD5
3608eecdca7c3cbca7ecf23f6af0b71c

SHA1
13e4835368650e8177b41f54fbf8ed6080f5b53d

SHA256
18bbfb7a0b21455157f53bb8be0c8788a1905b0a51e4553cb53023c32fe1438a

SHA512
f289b87f84f07692af3a834c8c048e7ae5a3404fdf58241c8d8c9b389073febdce83f18dc1d0c96e75294db33eac1b56618e32e314a125f568dfc1b8929a504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12be578.exe

Filesize
378KB

MD5
3608eecdca7c3cbca7ecf23f6af0b71c

SHA1
13e4835368650e8177b41f54fbf8ed6080f5b53d

SHA256
18bbfb7a0b21455157f53bb8be0c8788a1905b0a51e4553cb53023c32fe1438a

SHA512
f289b87f84f07692af3a834c8c048e7ae5a3404fdf58241c8d8c9b389073febdce83f18dc1d0c96e75294db33eac1b56618e32e314a125f568dfc1b8929a504b

Download Submit
memory/1388-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1388-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1388-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1388-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4208-25-0x0000000007EE0000-0x0000000007EF2000-memory.dmp

Filesize
72KB

Download
memory/4208-20-0x0000000007C30000-0x0000000007CC2000-memory.dmp

Filesize
584KB

Download
memory/4208-23-0x0000000008CD0000-0x00000000092E8000-memory.dmp

Filesize
6.1MB

Download
memory/4208-26-0x0000000007F40000-0x0000000007F7C000-memory.dmp

Filesize
240KB

Download
memory/4208-27-0x00000000086B0000-0x00000000086FC000-memory.dmp

Filesize
304KB

Download
memory/4208-24-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/4208-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-22-0x0000000007D00000-0x0000000007D0A000-memory.dmp

Filesize
40KB

Download
memory/4208-18-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-19-0x0000000008100000-0x00000000086A4000-memory.dmp

Filesize
5.6MB

Download
memory/4208-21-0x0000000007D70000-0x0000000007D80000-memory.dmp

Filesize
64KB

Download
memory/4208-36-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-37-0x0000000007D70000-0x0000000007D80000-memory.dmp

Filesize
64KB

Download
memory/4992-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download