mystic | 1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe
Size

889KB
MD5

9689f25bb0de435511f15d9c3cb39a87
SHA1

136a1bd76b3d83c2971257aad7ced648d680054b
SHA256

1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d
SHA512

befdbca89b1f9aa1f70d41865dc64d2974e9c111e7b8309e629b7f3d427593a93ecd610e1302a82a16dee56b2203753f56a9c4cbc9dcb0e41ad69380f4a8d345
SSDEEP

24576:fyqLl/UZZKw+TmmNyWcLOz7rQ/8HEz2B/6P/KDM:qqLl/CcFNjcLOQ8HEz2EP/KD

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4744-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4744-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4744-32-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4744-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3128-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4052	eb7rm91.exe
3332	11Yy4717.exe
1828	12zW154.exe
2292	13gS843.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eb7rm91.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3332 set thread context of 3128	3332	11Yy4717.exe	101
PID 1828 set thread context of 4744	1828	12zW154.exe	105
PID 2292 set thread context of 452	2292	13gS843.exe	118

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	4744	WerFault.exe	105

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
452	AppLaunch.exe
452	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4052	544	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe	89
PID 544 wrote to memory of 4052	544	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe	89
PID 544 wrote to memory of 4052	544	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe	89
PID 4052 wrote to memory of 3332	4052	eb7rm91.exe	90
PID 4052 wrote to memory of 3332	4052	eb7rm91.exe	90
PID 4052 wrote to memory of 3332	4052	eb7rm91.exe	90
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 3332 wrote to memory of 3128	3332	11Yy4717.exe	101
PID 4052 wrote to memory of 1828	4052	eb7rm91.exe	102
PID 4052 wrote to memory of 1828	4052	eb7rm91.exe	102
PID 4052 wrote to memory of 1828	4052	eb7rm91.exe	102
PID 1828 wrote to memory of 464	1828	12zW154.exe	104
PID 1828 wrote to memory of 464	1828	12zW154.exe	104
PID 1828 wrote to memory of 464	1828	12zW154.exe	104
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 1828 wrote to memory of 4744	1828	12zW154.exe	105
PID 544 wrote to memory of 2292	544	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe	106
PID 544 wrote to memory of 2292	544	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe	106
PID 544 wrote to memory of 2292	544	1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe	106
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118
PID 2292 wrote to memory of 452	2292	13gS843.exe	118

C:\Users\Admin\AppData\Local\Temp\1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe
"C:\Users\Admin\AppData\Local\Temp\1125e7c42bc7ca7a0f58a39b1d2c0cd8d3d91da36fc9b197472f56126639052d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eb7rm91.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eb7rm91.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Yy4717.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Yy4717.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12zW154.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12zW154.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:464
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 540
        5⤵
        Program crash
        
        PID:3140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gS843.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gS843.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4744 -ip 4744
1⤵
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gS843.exe

Filesize
724KB

MD5
e6863bc012d7d2cb552f02414620effc

SHA1
42d7e76667a8f040ece5dc129051984b7fcb0b85

SHA256
0965997f8f9d68fecfb5a2e607283d5032b923b2bb0cd197adcefd4cd40c94b8

SHA512
3b12cee9c90e50e67f36a43d475f2c3f3cedef6f84f0fd356d8bf5f3fc0b7db016ba209ef11b3f1efe866831a3f9191e55a0a6a512621871b62c449d802470f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gS843.exe

Filesize
724KB

MD5
e6863bc012d7d2cb552f02414620effc

SHA1
42d7e76667a8f040ece5dc129051984b7fcb0b85

SHA256
0965997f8f9d68fecfb5a2e607283d5032b923b2bb0cd197adcefd4cd40c94b8

SHA512
3b12cee9c90e50e67f36a43d475f2c3f3cedef6f84f0fd356d8bf5f3fc0b7db016ba209ef11b3f1efe866831a3f9191e55a0a6a512621871b62c449d802470f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eb7rm91.exe

Filesize
425KB

MD5
f221872a188761a594201cac4c15fd69

SHA1
ca864f399f3ed1de28ea0c99aad15b8acf9e5bc1

SHA256
489fa4ad9909f6646d929f264b4cc7239d846f58f31f414d645834543e167ed8

SHA512
698029d14685112f483aba476d3d4d38c28c7a2a36b36731cee5cfdeaefa7a6144819a2423a7a8c89a567b4ceab5ea7cfde5e443f71aef5fd3cbeb3ee4dcd537

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eb7rm91.exe

Filesize
425KB

MD5
f221872a188761a594201cac4c15fd69

SHA1
ca864f399f3ed1de28ea0c99aad15b8acf9e5bc1

SHA256
489fa4ad9909f6646d929f264b4cc7239d846f58f31f414d645834543e167ed8

SHA512
698029d14685112f483aba476d3d4d38c28c7a2a36b36731cee5cfdeaefa7a6144819a2423a7a8c89a567b4ceab5ea7cfde5e443f71aef5fd3cbeb3ee4dcd537

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Yy4717.exe

Filesize
415KB

MD5
c6c2c9cd8306ae204b2844e153edfdcd

SHA1
3d2cc11e5a4b45a0bf102d12118f1f375c4aacf1

SHA256
161862ecd9b66e36d2a44fa2e81b98f9e2c7dd477b44ac10ecad0e72abc7793f

SHA512
bb04de8e6042b15320cab7f6f39c82fac9c9dda636a16e38be456d85f7ba5f2d2569cbaa769059c69e46b297a62119804c4f2eab90965bbeac393945a5ed4c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11Yy4717.exe

Filesize
415KB

MD5
c6c2c9cd8306ae204b2844e153edfdcd

SHA1
3d2cc11e5a4b45a0bf102d12118f1f375c4aacf1

SHA256
161862ecd9b66e36d2a44fa2e81b98f9e2c7dd477b44ac10ecad0e72abc7793f

SHA512
bb04de8e6042b15320cab7f6f39c82fac9c9dda636a16e38be456d85f7ba5f2d2569cbaa769059c69e46b297a62119804c4f2eab90965bbeac393945a5ed4c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12zW154.exe

Filesize
378KB

MD5
b17edcb9972bf6a9256316268cd974dd

SHA1
122a63e3e9a9dcfa722f3bd49e0847db200d0187

SHA256
bc8d29a07e5a0db721f75d13e885701c38d3692b17e2847be06edc722e42fc4b

SHA512
8b39119e72414ba501ab0bc171be3e0564cf5d1ce6c7d6b61c721b33e00327eb3da4bd73881e21c96122ac4e64160d0a449e1ff7876cd5bdd6cc215de3c3d38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12zW154.exe

Filesize
378KB

MD5
b17edcb9972bf6a9256316268cd974dd

SHA1
122a63e3e9a9dcfa722f3bd49e0847db200d0187

SHA256
bc8d29a07e5a0db721f75d13e885701c38d3692b17e2847be06edc722e42fc4b

SHA512
8b39119e72414ba501ab0bc171be3e0564cf5d1ce6c7d6b61c721b33e00327eb3da4bd73881e21c96122ac4e64160d0a449e1ff7876cd5bdd6cc215de3c3d38b

Download Submit
memory/452-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/452-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/452-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/452-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3128-25-0x0000000007B40000-0x0000000007B52000-memory.dmp

Filesize
72KB

Download
memory/3128-20-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/3128-23-0x00000000088F0000-0x0000000008F08000-memory.dmp

Filesize
6.1MB

Download
memory/3128-26-0x0000000007BE0000-0x0000000007C1C000-memory.dmp

Filesize
240KB

Download
memory/3128-27-0x0000000007C20000-0x0000000007C6C000-memory.dmp

Filesize
304KB

Download
memory/3128-24-0x00000000082D0000-0x00000000083DA000-memory.dmp

Filesize
1.0MB

Download
memory/3128-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-18-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/3128-22-0x0000000007A70000-0x0000000007A7A000-memory.dmp

Filesize
40KB

Download
memory/3128-19-0x0000000007D20000-0x00000000082C4000-memory.dmp

Filesize
5.6MB

Download
memory/3128-21-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/3128-36-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/3128-37-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/4744-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download