mystic | 7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c

Analysis

max time kernel
139s
max time network
153s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe
Size

887KB
MD5

9f6252389357e77883511ad48dababa4
SHA1

6593d7efb58d8c534ac67a32f50f50ab1181cdfa
SHA256

7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c
SHA512

177f46968629d55874e9ef1cad461f402c4a0f42eb8e1fc41ea0098a034077ca7490490276e3fff6839676f95de183d307ab52abe673cfa857e58ffa32bdf75f
SSDEEP

24576:7yuU5FK0JQR5YhMG58QjhUsYd+qjkAsa:uuU5F8A58QisWoAs

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4056-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4056-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4056-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4056-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4332-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2716	rn6RX42.exe
4652	11DY0211.exe
3384	12Ek800.exe
3984	13CA199.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rn6RX42.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 4332	4652	11DY0211.exe	74
PID 3384 set thread context of 4056	3384	12Ek800.exe	77
PID 3984 set thread context of 4632	3984	13CA199.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3252	4056	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4632	AppLaunch.exe
4632	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2716	4232	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe	71
PID 4232 wrote to memory of 2716	4232	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe	71
PID 4232 wrote to memory of 2716	4232	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe	71
PID 2716 wrote to memory of 4652	2716	rn6RX42.exe	72
PID 2716 wrote to memory of 4652	2716	rn6RX42.exe	72
PID 2716 wrote to memory of 4652	2716	rn6RX42.exe	72
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 4652 wrote to memory of 4332	4652	11DY0211.exe	74
PID 2716 wrote to memory of 3384	2716	rn6RX42.exe	75
PID 2716 wrote to memory of 3384	2716	rn6RX42.exe	75
PID 2716 wrote to memory of 3384	2716	rn6RX42.exe	75
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 3384 wrote to memory of 4056	3384	12Ek800.exe	77
PID 4232 wrote to memory of 3984	4232	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe	78
PID 4232 wrote to memory of 3984	4232	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe	78
PID 4232 wrote to memory of 3984	4232	7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe	78
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82
PID 3984 wrote to memory of 4632	3984	13CA199.exe	82

C:\Users\Admin\AppData\Local\Temp\7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe
"C:\Users\Admin\AppData\Local\Temp\7a262ba75256096334d072d20f019c1b970b20715a2ada17c8316812a14a900c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rn6RX42.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rn6RX42.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11DY0211.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11DY0211.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ek800.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ek800.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 568
        5⤵
        Program crash
        
        PID:3252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CA199.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CA199.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CA199.exe

Filesize
724KB

MD5
c6cb2f402c427d82b52067c730c11d0d

SHA1
14617980c4e45ea6ec76fe983968118e3f20e900

SHA256
6c571479af2d68c199fca724a676aa035adda6d83636767446d98f44c2c8ad24

SHA512
340fe4770600b4a9dbd0d8ca15ad603282f37266cdc376d90f94d1d155c954c37bb0a69790133586668ba1fe7a5c4ba22762e2212245af0695e8effc27e41199

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13CA199.exe

Filesize
724KB

MD5
c6cb2f402c427d82b52067c730c11d0d

SHA1
14617980c4e45ea6ec76fe983968118e3f20e900

SHA256
6c571479af2d68c199fca724a676aa035adda6d83636767446d98f44c2c8ad24

SHA512
340fe4770600b4a9dbd0d8ca15ad603282f37266cdc376d90f94d1d155c954c37bb0a69790133586668ba1fe7a5c4ba22762e2212245af0695e8effc27e41199

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rn6RX42.exe

Filesize
424KB

MD5
d88d9ed77b2dc43f185fb255cb85a460

SHA1
28d642335f4c1171b54ae3d110816a70376e668f

SHA256
2d2c6b44945eb13b33fded5a30586361e0d318c6644828b5f9028a138d09281d

SHA512
ec662a40edbc4ab04b7ebe980ab7d3263919c12d3bd23a5d2ad11cf7e772df22af4f64c3ba0490d56c1e6a44b89963983252a057dc7268867299cbcace571049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rn6RX42.exe

Filesize
424KB

MD5
d88d9ed77b2dc43f185fb255cb85a460

SHA1
28d642335f4c1171b54ae3d110816a70376e668f

SHA256
2d2c6b44945eb13b33fded5a30586361e0d318c6644828b5f9028a138d09281d

SHA512
ec662a40edbc4ab04b7ebe980ab7d3263919c12d3bd23a5d2ad11cf7e772df22af4f64c3ba0490d56c1e6a44b89963983252a057dc7268867299cbcace571049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11DY0211.exe

Filesize
415KB

MD5
e4434e74a995dd9c33bffcfb1aaa37aa

SHA1
389fa0b2cf122a1bc3506aaf6900894bd3576789

SHA256
f0a02290ed7688c3040403c4fd7290c6ccf311c9465ee0fc037298dd5301de9a

SHA512
418b0cbcf04d6499a343bc276483ee6a1216e4dfd47bfa967f4be5ea5fe7de050511f682b321f5ced8df4d6bf0337524e11095859ed7a94c7aad7ba1732096f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11DY0211.exe

Filesize
415KB

MD5
e4434e74a995dd9c33bffcfb1aaa37aa

SHA1
389fa0b2cf122a1bc3506aaf6900894bd3576789

SHA256
f0a02290ed7688c3040403c4fd7290c6ccf311c9465ee0fc037298dd5301de9a

SHA512
418b0cbcf04d6499a343bc276483ee6a1216e4dfd47bfa967f4be5ea5fe7de050511f682b321f5ced8df4d6bf0337524e11095859ed7a94c7aad7ba1732096f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ek800.exe

Filesize
378KB

MD5
169d693e1007dda3a982c09885589b9e

SHA1
a86bc4899ce20041eb25c408866cf6c744e745d1

SHA256
89531afbaf8809cbff695e720d77fafd2fd2fffdc61b147f59ae266e413957fb

SHA512
5d9c559bcdbbbdfd9d89eb023d4bfef66f2a212e156e0b9252bd04c1f28f28e33d2d7cd094a6e52b77993da6e0fe44cf61ce16acc190cc2bf6a91649bec2eab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12Ek800.exe

Filesize
378KB

MD5
169d693e1007dda3a982c09885589b9e

SHA1
a86bc4899ce20041eb25c408866cf6c744e745d1

SHA256
89531afbaf8809cbff695e720d77fafd2fd2fffdc61b147f59ae266e413957fb

SHA512
5d9c559bcdbbbdfd9d89eb023d4bfef66f2a212e156e0b9252bd04c1f28f28e33d2d7cd094a6e52b77993da6e0fe44cf61ce16acc190cc2bf6a91649bec2eab4

Download Submit
memory/4056-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-22-0x000000000BCB0000-0x000000000C1AE000-memory.dmp

Filesize
5.0MB

Download
memory/4332-25-0x000000000C7C0000-0x000000000CDC6000-memory.dmp

Filesize
6.0MB

Download
memory/4332-28-0x000000000BB10000-0x000000000BB4E000-memory.dmp

Filesize
248KB

Download
memory/4332-29-0x000000000BB50000-0x000000000BB9B000-memory.dmp

Filesize
300KB

Download
memory/4332-26-0x000000000C1B0000-0x000000000C2BA000-memory.dmp

Filesize
1.0MB

Download
memory/4332-23-0x000000000B850000-0x000000000B8E2000-memory.dmp

Filesize
584KB

Download
memory/4332-21-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/4332-27-0x000000000BAB0000-0x000000000BAC2000-memory.dmp

Filesize
72KB

Download
memory/4332-24-0x000000000B9C0000-0x000000000B9CA000-memory.dmp

Filesize
40KB

Download
memory/4332-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4332-55-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/4632-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4632-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4632-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4632-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download