mystic | 6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4

Analysis

max time kernel
138s
max time network
156s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2023 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe
Size

888KB
MD5

c9a81773fe199836f9319be0af18e3ff
SHA1

5facafab3a75b840ba5fa7ed5bc1f3f1088fed06
SHA256

6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4
SHA512

4884d21ab3d4cf133c7c5eac75877aac925f28347b7ea621608f77d1b87e58ea9cf54f52b5260c526fca7e0e5f55d028e31ba06aca46c85de21403bc42eeed7b
SSDEEP

12288:2Mrxy90LQSoUmANoeQAgay13MYj7Mwy3ZRR82CPgDAQ3AMa9bco+/q9i5wokQ:XycpGrAwtMWMLKsAuAMmbI

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/68-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/68-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/68-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/68-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1016-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2564	AE8Ow81.exe
1336	11fS7214.exe
4976	12hE383.exe
2676	13FH011.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AE8Ow81.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 1016	1336	11fS7214.exe	74
PID 4976 set thread context of 68	4976	12hE383.exe	78
PID 2676 set thread context of 4632	2676	13FH011.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
528	68	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4632	AppLaunch.exe
4632	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2564	2900	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe	71
PID 2900 wrote to memory of 2564	2900	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe	71
PID 2900 wrote to memory of 2564	2900	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe	71
PID 2564 wrote to memory of 1336	2564	AE8Ow81.exe	72
PID 2564 wrote to memory of 1336	2564	AE8Ow81.exe	72
PID 2564 wrote to memory of 1336	2564	AE8Ow81.exe	72
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 1336 wrote to memory of 1016	1336	11fS7214.exe	74
PID 2564 wrote to memory of 4976	2564	AE8Ow81.exe	75
PID 2564 wrote to memory of 4976	2564	AE8Ow81.exe	75
PID 2564 wrote to memory of 4976	2564	AE8Ow81.exe	75
PID 4976 wrote to memory of 4536	4976	12hE383.exe	77
PID 4976 wrote to memory of 4536	4976	12hE383.exe	77
PID 4976 wrote to memory of 4536	4976	12hE383.exe	77
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 4976 wrote to memory of 68	4976	12hE383.exe	78
PID 2900 wrote to memory of 2676	2900	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe	79
PID 2900 wrote to memory of 2676	2900	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe	79
PID 2900 wrote to memory of 2676	2900	6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe	79
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83
PID 2676 wrote to memory of 4632	2676	13FH011.exe	83

C:\Users\Admin\AppData\Local\Temp\6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe
"C:\Users\Admin\AppData\Local\Temp\6a73599227e89d1b5d677a38bb8a55bf83444df22bd7231474c08a09058ec5d4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE8Ow81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE8Ow81.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11fS7214.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11fS7214.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12hE383.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12hE383.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:68
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 568
        5⤵
        Program crash
        
        PID:528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13FH011.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13FH011.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13FH011.exe

Filesize
724KB

MD5
52b28f1319e413582fe578d74dea4769

SHA1
42164ed3028cb5048069ed65997b03873a55f63d

SHA256
c3cbe3e4d1e199de4528cc7b2531f630dac8b05d5e7667a565bde6896b71f4cd

SHA512
114e2745e62ac6c8464f40d6acb2ffbde7913cd2d95b0f15a5821ebbac79d6d8fb9eef542751383781f0a7ce38e431e54d8e81951a91be0a090eafc45d5efab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13FH011.exe

Filesize
724KB

MD5
52b28f1319e413582fe578d74dea4769

SHA1
42164ed3028cb5048069ed65997b03873a55f63d

SHA256
c3cbe3e4d1e199de4528cc7b2531f630dac8b05d5e7667a565bde6896b71f4cd

SHA512
114e2745e62ac6c8464f40d6acb2ffbde7913cd2d95b0f15a5821ebbac79d6d8fb9eef542751383781f0a7ce38e431e54d8e81951a91be0a090eafc45d5efab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE8Ow81.exe

Filesize
424KB

MD5
dfc855a846aa5d72938ed0e7bf2eca85

SHA1
67bdb5064974a672c353cef457a09562482e252d

SHA256
d4fec40c80b722b2d5a173385ed021a1afa0585fb536fe76c75b7036c234b591

SHA512
2b74bae0d8521e5fe8f45b552ea83845d7c65a70a93f6b53b0c9d5b88c21ec275b193e637fb2ce87a53abcbf2304d24eb682f53504200c1d0aa9e095367e692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE8Ow81.exe

Filesize
424KB

MD5
dfc855a846aa5d72938ed0e7bf2eca85

SHA1
67bdb5064974a672c353cef457a09562482e252d

SHA256
d4fec40c80b722b2d5a173385ed021a1afa0585fb536fe76c75b7036c234b591

SHA512
2b74bae0d8521e5fe8f45b552ea83845d7c65a70a93f6b53b0c9d5b88c21ec275b193e637fb2ce87a53abcbf2304d24eb682f53504200c1d0aa9e095367e692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11fS7214.exe

Filesize
415KB

MD5
e426e3f781732d36ff56f09c5c23fbcf

SHA1
729c6303a97e19f7f09548b9eef4cb105ecfa850

SHA256
ba2c94735fe440fc8210d2db643592b3ef25486143798b6ab76a6aaff9c6a8e0

SHA512
e74bba079be435fd89ff2855778d1a4aa510536cc8f0f9acd5d1538313e764141325cf1adbe69145347de06e1a02ac7303f1b1786b580ab8cec6eb627b2e8cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11fS7214.exe

Filesize
415KB

MD5
e426e3f781732d36ff56f09c5c23fbcf

SHA1
729c6303a97e19f7f09548b9eef4cb105ecfa850

SHA256
ba2c94735fe440fc8210d2db643592b3ef25486143798b6ab76a6aaff9c6a8e0

SHA512
e74bba079be435fd89ff2855778d1a4aa510536cc8f0f9acd5d1538313e764141325cf1adbe69145347de06e1a02ac7303f1b1786b580ab8cec6eb627b2e8cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12hE383.exe

Filesize
378KB

MD5
555cafe3a470a164fc95a00ca6a9b348

SHA1
3cb7e4485f723b5f56cf793a07fdedf4bd104f95

SHA256
8d69def89a467187dc1b5baafc4cf28f730575bae09df35efd9edade440e16c8

SHA512
7dddd501083594be47365c0e9ee31446f0957a4e7f5fbc620e00418d2d2d257521ada71d6228a9c4517dc0c8436af59b6bb9b03c32f7e61fa5dfec220c41f4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12hE383.exe

Filesize
378KB

MD5
555cafe3a470a164fc95a00ca6a9b348

SHA1
3cb7e4485f723b5f56cf793a07fdedf4bd104f95

SHA256
8d69def89a467187dc1b5baafc4cf28f730575bae09df35efd9edade440e16c8

SHA512
7dddd501083594be47365c0e9ee31446f0957a4e7f5fbc620e00418d2d2d257521ada71d6228a9c4517dc0c8436af59b6bb9b03c32f7e61fa5dfec220c41f4e0

Download Submit
memory/68-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/68-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/68-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/68-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-22-0x000000000B8D0000-0x000000000BDCE000-memory.dmp

Filesize
5.0MB

Download
memory/1016-25-0x000000000C3E0000-0x000000000C9E6000-memory.dmp

Filesize
6.0MB

Download
memory/1016-28-0x000000000B770000-0x000000000B7AE000-memory.dmp

Filesize
248KB

Download
memory/1016-29-0x000000000B7B0000-0x000000000B7FB000-memory.dmp

Filesize
300KB

Download
memory/1016-26-0x000000000BDD0000-0x000000000BEDA000-memory.dmp

Filesize
1.0MB

Download
memory/1016-23-0x000000000B4B0000-0x000000000B542000-memory.dmp

Filesize
584KB

Download
memory/1016-21-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/1016-27-0x000000000B710000-0x000000000B722000-memory.dmp

Filesize
72KB

Download
memory/1016-24-0x000000000B620000-0x000000000B62A000-memory.dmp

Filesize
40KB

Download
memory/1016-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-55-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/4632-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4632-46-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4632-48-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4632-44-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download