mystic | 4d201919a0ebca66c9444a66f9324fb870e4af25252f27aa405255cca0167379

Analysis

max time kernel
62s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b345feed921142d86737e3c6897b0f.exe
Size

896KB
MD5

60b345feed921142d86737e3c6897b0f
SHA1

34956700dd049b0d91cad261f0053aa14a2c95a0
SHA256

4d201919a0ebca66c9444a66f9324fb870e4af25252f27aa405255cca0167379
SHA512

456da362b0f0825b3219f4913d209a4fe931d643ebce0eb985205b6f1b3c1da93ab11a88f49da2433d55f925848dd8668f83a8e9eb1c9867fd73888f64355e16
SSDEEP

12288:+MrHy90LW8MrTI+xEBRju2M4iFA1ejxeeuzxQikhOEufTJlnGYJjr6bycGDTFyQs:5yFI+xmju2gO4KQ9hfqzHgy0Qpyo8

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3960-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3960-32-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3960-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3960-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3948-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4520	JB3MI50.exe
2176	11ph5847.exe
4952	12qc250.exe
2372	13ZX560.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	60b345feed921142d86737e3c6897b0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	JB3MI50.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 3948	2176	11ph5847.exe	98
PID 4952 set thread context of 3960	4952	12qc250.exe	107
PID 2372 set thread context of 4840	2372	13ZX560.exe	115

Program crash 1 IoCs

pid	pid_target	Process
3384	3960	WerFault.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 4520	320	60b345feed921142d86737e3c6897b0f.exe	88
PID 320 wrote to memory of 4520	320	60b345feed921142d86737e3c6897b0f.exe	88
PID 320 wrote to memory of 4520	320	60b345feed921142d86737e3c6897b0f.exe	88
PID 4520 wrote to memory of 2176	4520	JB3MI50.exe	90
PID 4520 wrote to memory of 2176	4520	JB3MI50.exe	90
PID 4520 wrote to memory of 2176	4520	JB3MI50.exe	90
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 2176 wrote to memory of 3948	2176	11ph5847.exe	98
PID 4520 wrote to memory of 4952	4520	JB3MI50.exe	99
PID 4520 wrote to memory of 4952	4520	JB3MI50.exe	99
PID 4520 wrote to memory of 4952	4520	JB3MI50.exe	99
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 4952 wrote to memory of 3960	4952	12qc250.exe	107
PID 320 wrote to memory of 2372	320	60b345feed921142d86737e3c6897b0f.exe	102
PID 320 wrote to memory of 2372	320	60b345feed921142d86737e3c6897b0f.exe	102
PID 320 wrote to memory of 2372	320	60b345feed921142d86737e3c6897b0f.exe	102
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115
PID 2372 wrote to memory of 4840	2372	13ZX560.exe	115

C:\Users\Admin\AppData\Local\Temp\60b345feed921142d86737e3c6897b0f.exe
"C:\Users\Admin\AppData\Local\Temp\60b345feed921142d86737e3c6897b0f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JB3MI50.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JB3MI50.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ph5847.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ph5847.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12qc250.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12qc250.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13ZX560.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13ZX560.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 540
1⤵
- Program crash
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13ZX560.exe

Filesize
724KB

MD5
737e2205c3ae1d658bd7ee6f4194d143

SHA1
30a221a649e66bebb709e7cdf9aa7bcedc7c0c50

SHA256
8f30df64ccfc0b40f146ac1c690410810b05859091ea5eee0cdfefebe18c8411

SHA512
32959ab0c4f23e4f08889164f95a71eff0a521033b3fab3725ba7c83dd5c4c07aca80f7285b5e3f676b0df283de2cd8081c01f3eb378d57371a6421a9729d4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13ZX560.exe

Filesize
724KB

MD5
737e2205c3ae1d658bd7ee6f4194d143

SHA1
30a221a649e66bebb709e7cdf9aa7bcedc7c0c50

SHA256
8f30df64ccfc0b40f146ac1c690410810b05859091ea5eee0cdfefebe18c8411

SHA512
32959ab0c4f23e4f08889164f95a71eff0a521033b3fab3725ba7c83dd5c4c07aca80f7285b5e3f676b0df283de2cd8081c01f3eb378d57371a6421a9729d4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JB3MI50.exe

Filesize
432KB

MD5
4f3458f4049ed931f8731f873585c32f

SHA1
cac5f40b05b973bea5a0236d24172b025dcaec1f

SHA256
83b97fbe288d3032c0278b4e821cb9b25f483e19da891503c10f9bcb7d2db0e2

SHA512
bf424aad78225eae0e743dd5702c089fe02be0bd653d53e8595b5779d9985f4b50587f1d3543634f8e548ca9b5afa9962942d36ec20ebe087824ce5a15f490f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JB3MI50.exe

Filesize
432KB

MD5
4f3458f4049ed931f8731f873585c32f

SHA1
cac5f40b05b973bea5a0236d24172b025dcaec1f

SHA256
83b97fbe288d3032c0278b4e821cb9b25f483e19da891503c10f9bcb7d2db0e2

SHA512
bf424aad78225eae0e743dd5702c089fe02be0bd653d53e8595b5779d9985f4b50587f1d3543634f8e548ca9b5afa9962942d36ec20ebe087824ce5a15f490f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ph5847.exe

Filesize
415KB

MD5
d326755bd6fcd9287551f4c44db72950

SHA1
b27aa4d54c88da8a91538a2bb31e004ad605390a

SHA256
143613d5bc6133bc163519b6868180f90c24ad5d91b575439a4d96aad706e3d4

SHA512
8591d5b7837204672cb8bdaab95c408b73a0c23b3772b581eeb4e9ad15ffb22a74626fdff8b0c7724e5691a004b437ece09db6409a45ec676d035a1273090b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11ph5847.exe

Filesize
415KB

MD5
d326755bd6fcd9287551f4c44db72950

SHA1
b27aa4d54c88da8a91538a2bb31e004ad605390a

SHA256
143613d5bc6133bc163519b6868180f90c24ad5d91b575439a4d96aad706e3d4

SHA512
8591d5b7837204672cb8bdaab95c408b73a0c23b3772b581eeb4e9ad15ffb22a74626fdff8b0c7724e5691a004b437ece09db6409a45ec676d035a1273090b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12qc250.exe

Filesize
378KB

MD5
163a39059ae5add2c01ccde6696f254d

SHA1
fb612437360dab5ca795e2b816cc55adad5e521c

SHA256
e74b19f6d3fd7a4eb825e83da412fc76b3483955140f8f1d914b383f49d8f7dd

SHA512
4830880925816533d83a0835fc963f8a4147adbadc1be0c9322032ddbc5561af01846951d5a51efc70cc73b072f15da71a7d0a26c6b216dad741d65d59dcc0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12qc250.exe

Filesize
378KB

MD5
163a39059ae5add2c01ccde6696f254d

SHA1
fb612437360dab5ca795e2b816cc55adad5e521c

SHA256
e74b19f6d3fd7a4eb825e83da412fc76b3483955140f8f1d914b383f49d8f7dd

SHA512
4830880925816533d83a0835fc963f8a4147adbadc1be0c9322032ddbc5561af01846951d5a51efc70cc73b072f15da71a7d0a26c6b216dad741d65d59dcc0f3

Download Submit
memory/3948-25-0x0000000007CE0000-0x0000000007CF2000-memory.dmp

Filesize
72KB

Download
memory/3948-37-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

Filesize
64KB

Download
memory/3948-21-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

Filesize
64KB

Download
memory/3948-22-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/3948-23-0x0000000008AD0000-0x00000000090E8000-memory.dmp

Filesize
6.1MB

Download
memory/3948-24-0x0000000007DD0000-0x0000000007EDA000-memory.dmp

Filesize
1.0MB

Download
memory/3948-19-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/3948-26-0x0000000007D40000-0x0000000007D7C000-memory.dmp

Filesize
240KB

Download
memory/3948-27-0x0000000007D80000-0x0000000007DCC000-memory.dmp

Filesize
304KB

Download
memory/3948-20-0x0000000007A30000-0x0000000007AC2000-memory.dmp

Filesize
584KB

Download
memory/3948-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-36-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/3948-18-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/3960-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4840-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4840-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4840-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads