mystic | 371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

671f677114ca5a4015889185520ac4fd.exe
Size

894KB
MD5

671f677114ca5a4015889185520ac4fd
SHA1

ee6c0402d18d324f9ff5e108d2feea23368c7308
SHA256

371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce
SHA512

e05f8e8da54d8bcd94c87d7d23449b8410baa4a73fff8ecf1c9ad02108f5ce5b28bced96a4663ac69623097bd71400d4c504d341793edcbc08ed20d61f201f13
SSDEEP

24576:Iy415FlI4VNE1BhBy5JPBPkA8ArVo8BljJ+7568vW:Pu5FlT8P8JPydC1B9J+7

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2432-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2432-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2432-32-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2432-34-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1884-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1656	hx8DV91.exe
5032	11MS0110.exe
2172	12vR029.exe
4984	13py862.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	671f677114ca5a4015889185520ac4fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hx8DV91.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5032 set thread context of 1884	5032	11MS0110.exe	104
PID 2172 set thread context of 2432	2172	12vR029.exe	107
PID 4984 set thread context of 4296	4984	13py862.exe	120

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3512	2432	WerFault.exe	107

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4296	AppLaunch.exe
4296	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1656	4748	671f677114ca5a4015889185520ac4fd.exe	89
PID 4748 wrote to memory of 1656	4748	671f677114ca5a4015889185520ac4fd.exe	89
PID 4748 wrote to memory of 1656	4748	671f677114ca5a4015889185520ac4fd.exe	89
PID 1656 wrote to memory of 5032	1656	hx8DV91.exe	90
PID 1656 wrote to memory of 5032	1656	hx8DV91.exe	90
PID 1656 wrote to memory of 5032	1656	hx8DV91.exe	90
PID 5032 wrote to memory of 1276	5032	11MS0110.exe	103
PID 5032 wrote to memory of 1276	5032	11MS0110.exe	103
PID 5032 wrote to memory of 1276	5032	11MS0110.exe	103
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 5032 wrote to memory of 1884	5032	11MS0110.exe	104
PID 1656 wrote to memory of 2172	1656	hx8DV91.exe	105
PID 1656 wrote to memory of 2172	1656	hx8DV91.exe	105
PID 1656 wrote to memory of 2172	1656	hx8DV91.exe	105
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 2172 wrote to memory of 2432	2172	12vR029.exe	107
PID 4748 wrote to memory of 4984	4748	671f677114ca5a4015889185520ac4fd.exe	108
PID 4748 wrote to memory of 4984	4748	671f677114ca5a4015889185520ac4fd.exe	108
PID 4748 wrote to memory of 4984	4748	671f677114ca5a4015889185520ac4fd.exe	108
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120
PID 4984 wrote to memory of 4296	4984	13py862.exe	120

C:\Users\Admin\AppData\Local\Temp\671f677114ca5a4015889185520ac4fd.exe
"C:\Users\Admin\AppData\Local\Temp\671f677114ca5a4015889185520ac4fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 540
        5⤵
        Program crash
        
        PID:3512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2432 -ip 2432
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe

Filesize
724KB

MD5
6bf246283c584205793f81279c8f066c

SHA1
390ac01024013b80021c933c7aa1e14386db82e8

SHA256
5f5aef9558bd37030967e4637eafd30f457baa7081eb3c9d57ab4e7acb754e02

SHA512
b726885174b102588026fa7613827b3d6c8001075fd05df0552ae6359a5da4c8ad7a4bf7f082f8acae6064bd055e7dadf60899f540ace18efb673d56eae83369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe

Filesize
724KB

MD5
6bf246283c584205793f81279c8f066c

SHA1
390ac01024013b80021c933c7aa1e14386db82e8

SHA256
5f5aef9558bd37030967e4637eafd30f457baa7081eb3c9d57ab4e7acb754e02

SHA512
b726885174b102588026fa7613827b3d6c8001075fd05df0552ae6359a5da4c8ad7a4bf7f082f8acae6064bd055e7dadf60899f540ace18efb673d56eae83369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe

Filesize
430KB

MD5
07c172b23520c07dfca96e6893b5d0cd

SHA1
a658b770c197c79cb815400252867d69c123de06

SHA256
c7e664b02446bbacd6203f7e52ca753993733b97194a11156b00803234030af9

SHA512
b1ddd45d89a595f1736f7d4e61666ce2f810b1f608be3ce63ec5ad8578b193a068e8547672dda6e6c347845d0175f7222679e8ee3e87f4c1ef758f8fa2b4a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe

Filesize
430KB

MD5
07c172b23520c07dfca96e6893b5d0cd

SHA1
a658b770c197c79cb815400252867d69c123de06

SHA256
c7e664b02446bbacd6203f7e52ca753993733b97194a11156b00803234030af9

SHA512
b1ddd45d89a595f1736f7d4e61666ce2f810b1f608be3ce63ec5ad8578b193a068e8547672dda6e6c347845d0175f7222679e8ee3e87f4c1ef758f8fa2b4a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe

Filesize
415KB

MD5
561632a4aa0b490d36c7ea89a43abcf1

SHA1
2e56c517128c44eca0f447939aa38e46c4e8f625

SHA256
170329b0720fea1564438cff6598c1095c1452fffcb17871efbe30089300dbe4

SHA512
f71005b4631b7b8b919719ccb58fd518a85bdcf5c7f3d81dfb4003f15580e04f68e746741d65d1c6bc2c6e80801c154446acdb26d7916ba1d9fe7df0fea3f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe

Filesize
415KB

MD5
561632a4aa0b490d36c7ea89a43abcf1

SHA1
2e56c517128c44eca0f447939aa38e46c4e8f625

SHA256
170329b0720fea1564438cff6598c1095c1452fffcb17871efbe30089300dbe4

SHA512
f71005b4631b7b8b919719ccb58fd518a85bdcf5c7f3d81dfb4003f15580e04f68e746741d65d1c6bc2c6e80801c154446acdb26d7916ba1d9fe7df0fea3f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe

Filesize
378KB

MD5
5f752f6d43a8fc2e34783f21c6f4c6c3

SHA1
5f3e6b2d2791f9a1fd6036944dc2859f0b000c4b

SHA256
db15832d4a07c5e86107d2a818fd2c4c05cf755e7ce6d2496fe98b544b23f4eb

SHA512
89ae9ea964cc953fe42dd7512c0afb969a74c659e8a1337ca3c72d96f7ca4d7610c236adab412a73b43259f6da66c39de09cf2ca96d1df68e46e30982af72a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe

Filesize
378KB

MD5
5f752f6d43a8fc2e34783f21c6f4c6c3

SHA1
5f3e6b2d2791f9a1fd6036944dc2859f0b000c4b

SHA256
db15832d4a07c5e86107d2a818fd2c4c05cf755e7ce6d2496fe98b544b23f4eb

SHA512
89ae9ea964cc953fe42dd7512c0afb969a74c659e8a1337ca3c72d96f7ca4d7610c236adab412a73b43259f6da66c39de09cf2ca96d1df68e46e30982af72a75

Download Submit
memory/1884-25-0x0000000007E10000-0x0000000007E22000-memory.dmp

Filesize
72KB

Download
memory/1884-18-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/1884-21-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/1884-22-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/1884-23-0x0000000008C80000-0x0000000009298000-memory.dmp

Filesize
6.1MB

Download
memory/1884-24-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1884-19-0x00000000080B0000-0x0000000008654000-memory.dmp

Filesize
5.6MB

Download
memory/1884-26-0x0000000007E80000-0x0000000007EBC000-memory.dmp

Filesize
240KB

Download
memory/1884-27-0x0000000007EC0000-0x0000000007F0C000-memory.dmp

Filesize
304KB

Download
memory/1884-37-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/1884-36-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/1884-20-0x0000000007BA0000-0x0000000007C32000-memory.dmp

Filesize
584KB

Download
memory/1884-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4296-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4296-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4296-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download