mystic | ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8

Analysis

max time kernel
147s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe
Size

888KB
MD5

6a94128cfa49b6bca927ec11a720ba64
SHA1

1a8a7c205d93d9d3cddb6dca8ce3d3dba594e267
SHA256

ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8
SHA512

85f4ec51b780f89391f040ca2a93b6714fbf66f45a2c1821ee4898b8b7f39151f50109bb7eba3f11350af630ad29bd36d6b813c76b318e4ae1d7fbaee375009a
SSDEEP

24576:RySJLBPzwzL79IYq7cnvbMJ0vJSKbQDKe0JA43tgxQwh:Elf7BvblvJS1DKVJ0

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3324-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3324-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3324-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3324-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4904-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1784	Lu1Cl08.exe
1200	11xa0429.exe
4680	12nQ038.exe
2788	13hF572.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lu1Cl08.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 4904	1200	11xa0429.exe	101
PID 4680 set thread context of 3324	4680	12nQ038.exe	104
PID 2788 set thread context of 4388	2788	13hF572.exe	117

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	3324	WerFault.exe	104

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4388	AppLaunch.exe
4388	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1784	4108	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe	88
PID 4108 wrote to memory of 1784	4108	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe	88
PID 4108 wrote to memory of 1784	4108	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe	88
PID 1784 wrote to memory of 1200	1784	Lu1Cl08.exe	89
PID 1784 wrote to memory of 1200	1784	Lu1Cl08.exe	89
PID 1784 wrote to memory of 1200	1784	Lu1Cl08.exe	89
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1200 wrote to memory of 4904	1200	11xa0429.exe	101
PID 1784 wrote to memory of 4680	1784	Lu1Cl08.exe	102
PID 1784 wrote to memory of 4680	1784	Lu1Cl08.exe	102
PID 1784 wrote to memory of 4680	1784	Lu1Cl08.exe	102
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4680 wrote to memory of 3324	4680	12nQ038.exe	104
PID 4108 wrote to memory of 2788	4108	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe	105
PID 4108 wrote to memory of 2788	4108	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe	105
PID 4108 wrote to memory of 2788	4108	ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe	105
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117
PID 2788 wrote to memory of 4388	2788	13hF572.exe	117

C:\Users\Admin\AppData\Local\Temp\ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe
"C:\Users\Admin\AppData\Local\Temp\ea71defda48dd0a3b6cfe3401f018d8495016213b6afe96a24cbbaa0afaa36b8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu1Cl08.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu1Cl08.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa0429.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa0429.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12nQ038.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12nQ038.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 540
        5⤵
        Program crash
        
        PID:1776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13hF572.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13hF572.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3324 -ip 3324
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13hF572.exe

Filesize
724KB

MD5
c35c7acb434a029762e42b01bcc92e4e

SHA1
398abbc3ebe279a9356b9aa0f7f0d12edee638f3

SHA256
2a979a25ad66332dc0af862f3972d9f5f24a516a4e748c95445f8ed6a5469f5d

SHA512
fe906374569a1d17057671e576289f369ff57820a0ba029ed170c313cf415849618c1eccff2489566d9ad80819aa41add598486fca4d81680e04ac64f6775367

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13hF572.exe

Filesize
724KB

MD5
c35c7acb434a029762e42b01bcc92e4e

SHA1
398abbc3ebe279a9356b9aa0f7f0d12edee638f3

SHA256
2a979a25ad66332dc0af862f3972d9f5f24a516a4e748c95445f8ed6a5469f5d

SHA512
fe906374569a1d17057671e576289f369ff57820a0ba029ed170c313cf415849618c1eccff2489566d9ad80819aa41add598486fca4d81680e04ac64f6775367

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu1Cl08.exe

Filesize
424KB

MD5
3421ae44478587a59bf7a3fd4bb8f9be

SHA1
1fdefdc6ca8b0dcbe4b55ed48f20c5ee7ed81978

SHA256
37c0d2e39e1e62a666745857db653ac9ee3e5d253dc63e4bffb55a7f68ea4b4c

SHA512
b54b3a27ab26de15e6cb32800a7c7a28fda549dacd92faa27aa77375fe5bb55a435684b8dee70450c0352d46130ffc53088108a9bfa606abee73552c8d7d89fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu1Cl08.exe

Filesize
424KB

MD5
3421ae44478587a59bf7a3fd4bb8f9be

SHA1
1fdefdc6ca8b0dcbe4b55ed48f20c5ee7ed81978

SHA256
37c0d2e39e1e62a666745857db653ac9ee3e5d253dc63e4bffb55a7f68ea4b4c

SHA512
b54b3a27ab26de15e6cb32800a7c7a28fda549dacd92faa27aa77375fe5bb55a435684b8dee70450c0352d46130ffc53088108a9bfa606abee73552c8d7d89fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa0429.exe

Filesize
415KB

MD5
8941fd2d2567f4179f021c3e948a5bf7

SHA1
0aa3f9091a3a75c7affa4f5ae44fedc37a391439

SHA256
5385c450cb98b81a2e6a20e12839045c3e8e04f2e19e33ceaacadb6122e0fd2e

SHA512
5279b2042a2e6fd3be24496635d06891ad1b55b0da80bde62c3ce2edb90e05230794b50ec5546f485aa887bfc30fb4fffee4de227e82157d86c34bdc6aa64c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11xa0429.exe

Filesize
415KB

MD5
8941fd2d2567f4179f021c3e948a5bf7

SHA1
0aa3f9091a3a75c7affa4f5ae44fedc37a391439

SHA256
5385c450cb98b81a2e6a20e12839045c3e8e04f2e19e33ceaacadb6122e0fd2e

SHA512
5279b2042a2e6fd3be24496635d06891ad1b55b0da80bde62c3ce2edb90e05230794b50ec5546f485aa887bfc30fb4fffee4de227e82157d86c34bdc6aa64c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12nQ038.exe

Filesize
378KB

MD5
3701760bf87ea6348ae265a7b3468a0b

SHA1
4678e7cd64671e1b6424a553a802b203d5890807

SHA256
e31e30ba0ed6204dc6a951163dd363550b0f21233d7732b610264f8d07b9ede3

SHA512
a12075878ed0730633b49a5fce5854aef5375b8c03ef19b63ac8273c77ab4c65bed116096265b89b0673d3f8e0f1e1dc8678df0756a27e226f0eb476627e7fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12nQ038.exe

Filesize
378KB

MD5
3701760bf87ea6348ae265a7b3468a0b

SHA1
4678e7cd64671e1b6424a553a802b203d5890807

SHA256
e31e30ba0ed6204dc6a951163dd363550b0f21233d7732b610264f8d07b9ede3

SHA512
a12075878ed0730633b49a5fce5854aef5375b8c03ef19b63ac8273c77ab4c65bed116096265b89b0673d3f8e0f1e1dc8678df0756a27e226f0eb476627e7fba

Download Submit
memory/3324-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4388-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4388-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4388-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4904-18-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-27-0x0000000007900000-0x000000000794C000-memory.dmp

Filesize
304KB

Download
memory/4904-26-0x00000000078C0000-0x00000000078FC000-memory.dmp

Filesize
240KB

Download
memory/4904-25-0x0000000007860000-0x0000000007872000-memory.dmp

Filesize
72KB

Download
memory/4904-24-0x0000000007970000-0x0000000007A7A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-23-0x0000000008680000-0x0000000008C98000-memory.dmp

Filesize
6.1MB

Download
memory/4904-22-0x0000000007690000-0x000000000769A000-memory.dmp

Filesize
40KB

Download
memory/4904-36-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-37-0x0000000007560000-0x0000000007570000-memory.dmp

Filesize
64KB

Download
memory/4904-21-0x0000000007560000-0x0000000007570000-memory.dmp

Filesize
64KB

Download
memory/4904-20-0x00000000075A0000-0x0000000007632000-memory.dmp

Filesize
584KB

Download
memory/4904-19-0x0000000007AB0000-0x0000000008054000-memory.dmp

Filesize
5.6MB

Download
memory/4904-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download