mystic | 371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe
Size

894KB
MD5

671f677114ca5a4015889185520ac4fd
SHA1

ee6c0402d18d324f9ff5e108d2feea23368c7308
SHA256

371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce
SHA512

e05f8e8da54d8bcd94c87d7d23449b8410baa4a73fff8ecf1c9ad02108f5ce5b28bced96a4663ac69623097bd71400d4c504d341793edcbc08ed20d61f201f13
SSDEEP

24576:Iy415FlI4VNE1BhBy5JPBPkA8ArVo8BljJ+7568vW:Pu5FlT8P8JPydC1B9J+7

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/384-24-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/384-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/384-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/384-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4512-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4080	hx8DV91.exe
860	11MS0110.exe
4860	12vR029.exe
4528	13py862.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hx8DV91.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 860 set thread context of 4512	860	11MS0110.exe	103
PID 4860 set thread context of 384	4860	12vR029.exe	107
PID 4528 set thread context of 4500	4528	13py862.exe	116

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4196	384	WerFault.exe	107

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4628	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4080	4256	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe	88
PID 4256 wrote to memory of 4080	4256	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe	88
PID 4256 wrote to memory of 4080	4256	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe	88
PID 4080 wrote to memory of 860	4080	hx8DV91.exe	89
PID 4080 wrote to memory of 860	4080	hx8DV91.exe	89
PID 4080 wrote to memory of 860	4080	hx8DV91.exe	89
PID 860 wrote to memory of 4912	860	11MS0110.exe	102
PID 860 wrote to memory of 4912	860	11MS0110.exe	102
PID 860 wrote to memory of 4912	860	11MS0110.exe	102
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 860 wrote to memory of 4512	860	11MS0110.exe	103
PID 4080 wrote to memory of 4860	4080	hx8DV91.exe	104
PID 4080 wrote to memory of 4860	4080	hx8DV91.exe	104
PID 4080 wrote to memory of 4860	4080	hx8DV91.exe	104
PID 4860 wrote to memory of 2628	4860	12vR029.exe	106
PID 4860 wrote to memory of 2628	4860	12vR029.exe	106
PID 4860 wrote to memory of 2628	4860	12vR029.exe	106
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4860 wrote to memory of 384	4860	12vR029.exe	107
PID 4256 wrote to memory of 4528	4256	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe	109
PID 4256 wrote to memory of 4528	4256	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe	109
PID 4256 wrote to memory of 4528	4256	NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe	109
PID 4528 wrote to memory of 984	4528	13py862.exe	115
PID 4528 wrote to memory of 984	4528	13py862.exe	115
PID 4528 wrote to memory of 984	4528	13py862.exe	115
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116
PID 4528 wrote to memory of 4500	4528	13py862.exe	116

C:\Users\Admin\AppData\Local\Temp\NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.371178f2c72748b41e33d1862f900e09d955f884f4b59857073c409e61b254ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 540
        5⤵
        Program crash
        
        PID:4196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 384 -ip 384
1⤵
PID:3116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
5cbe336c6e7e3440863d8d49f99e3206

SHA1
6c358e205fabd49f8980f455817255b642231ada

SHA256
c913a66c2bc895d5b1e92a20bedfdb4d801d43c246876cf23e03278903e366cf

SHA512
b6dbd58686d05b602fe82e6ebda77293d4653a0b75a75183b60bc83a6cdaa55647de2ac0d00f327fab8e284ca4ee1c9401cfc16f4c642ea78077519342815ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe

Filesize
724KB

MD5
6bf246283c584205793f81279c8f066c

SHA1
390ac01024013b80021c933c7aa1e14386db82e8

SHA256
5f5aef9558bd37030967e4637eafd30f457baa7081eb3c9d57ab4e7acb754e02

SHA512
b726885174b102588026fa7613827b3d6c8001075fd05df0552ae6359a5da4c8ad7a4bf7f082f8acae6064bd055e7dadf60899f540ace18efb673d56eae83369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13py862.exe

Filesize
724KB

MD5
6bf246283c584205793f81279c8f066c

SHA1
390ac01024013b80021c933c7aa1e14386db82e8

SHA256
5f5aef9558bd37030967e4637eafd30f457baa7081eb3c9d57ab4e7acb754e02

SHA512
b726885174b102588026fa7613827b3d6c8001075fd05df0552ae6359a5da4c8ad7a4bf7f082f8acae6064bd055e7dadf60899f540ace18efb673d56eae83369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe

Filesize
430KB

MD5
07c172b23520c07dfca96e6893b5d0cd

SHA1
a658b770c197c79cb815400252867d69c123de06

SHA256
c7e664b02446bbacd6203f7e52ca753993733b97194a11156b00803234030af9

SHA512
b1ddd45d89a595f1736f7d4e61666ce2f810b1f608be3ce63ec5ad8578b193a068e8547672dda6e6c347845d0175f7222679e8ee3e87f4c1ef758f8fa2b4a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hx8DV91.exe

Filesize
430KB

MD5
07c172b23520c07dfca96e6893b5d0cd

SHA1
a658b770c197c79cb815400252867d69c123de06

SHA256
c7e664b02446bbacd6203f7e52ca753993733b97194a11156b00803234030af9

SHA512
b1ddd45d89a595f1736f7d4e61666ce2f810b1f608be3ce63ec5ad8578b193a068e8547672dda6e6c347845d0175f7222679e8ee3e87f4c1ef758f8fa2b4a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe

Filesize
415KB

MD5
561632a4aa0b490d36c7ea89a43abcf1

SHA1
2e56c517128c44eca0f447939aa38e46c4e8f625

SHA256
170329b0720fea1564438cff6598c1095c1452fffcb17871efbe30089300dbe4

SHA512
f71005b4631b7b8b919719ccb58fd518a85bdcf5c7f3d81dfb4003f15580e04f68e746741d65d1c6bc2c6e80801c154446acdb26d7916ba1d9fe7df0fea3f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11MS0110.exe

Filesize
415KB

MD5
561632a4aa0b490d36c7ea89a43abcf1

SHA1
2e56c517128c44eca0f447939aa38e46c4e8f625

SHA256
170329b0720fea1564438cff6598c1095c1452fffcb17871efbe30089300dbe4

SHA512
f71005b4631b7b8b919719ccb58fd518a85bdcf5c7f3d81dfb4003f15580e04f68e746741d65d1c6bc2c6e80801c154446acdb26d7916ba1d9fe7df0fea3f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe

Filesize
378KB

MD5
5f752f6d43a8fc2e34783f21c6f4c6c3

SHA1
5f3e6b2d2791f9a1fd6036944dc2859f0b000c4b

SHA256
db15832d4a07c5e86107d2a818fd2c4c05cf755e7ce6d2496fe98b544b23f4eb

SHA512
89ae9ea964cc953fe42dd7512c0afb969a74c659e8a1337ca3c72d96f7ca4d7610c236adab412a73b43259f6da66c39de09cf2ca96d1df68e46e30982af72a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12vR029.exe

Filesize
378KB

MD5
5f752f6d43a8fc2e34783f21c6f4c6c3

SHA1
5f3e6b2d2791f9a1fd6036944dc2859f0b000c4b

SHA256
db15832d4a07c5e86107d2a818fd2c4c05cf755e7ce6d2496fe98b544b23f4eb

SHA512
89ae9ea964cc953fe42dd7512c0afb969a74c659e8a1337ca3c72d96f7ca4d7610c236adab412a73b43259f6da66c39de09cf2ca96d1df68e46e30982af72a75

Download Submit
memory/384-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4500-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4500-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4500-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4512-35-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4512-19-0x0000000007A10000-0x0000000007FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4512-32-0x0000000007890000-0x000000000799A000-memory.dmp

Filesize
1.0MB

Download
memory/4512-33-0x00000000077C0000-0x00000000077D2000-memory.dmp

Filesize
72KB

Download
memory/4512-34-0x0000000007820000-0x000000000785C000-memory.dmp

Filesize
240KB

Download
memory/4512-23-0x00000000085E0000-0x0000000008BF8000-memory.dmp

Filesize
6.1MB

Download
memory/4512-36-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/4512-37-0x0000000004F40000-0x0000000004F8C000-memory.dmp

Filesize
304KB

Download
memory/4512-20-0x0000000007500000-0x0000000007592000-memory.dmp

Filesize
584KB

Download
memory/4512-18-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4512-21-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/4512-22-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/4512-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-77-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-86-0x0000024862B90000-0x0000024862B91000-memory.dmp

Filesize
4KB

Download
memory/4628-60-0x000002485A580000-0x000002485A590000-memory.dmp

Filesize
64KB

Download
memory/4628-78-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-79-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-80-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-81-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-82-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-83-0x0000024862B80000-0x0000024862B81000-memory.dmp

Filesize
4KB

Download
memory/4628-84-0x0000024862B90000-0x0000024862B91000-memory.dmp

Filesize
4KB

Download
memory/4628-85-0x0000024862B90000-0x0000024862B91000-memory.dmp

Filesize
4KB

Download
memory/4628-76-0x0000024862B70000-0x0000024862B71000-memory.dmp

Filesize
4KB

Download
memory/4628-87-0x00000248627C0000-0x00000248627C1000-memory.dmp

Filesize
4KB

Download
memory/4628-88-0x00000248627B0000-0x00000248627B1000-memory.dmp

Filesize
4KB

Download
memory/4628-90-0x00000248627C0000-0x00000248627C1000-memory.dmp

Filesize
4KB

Download
memory/4628-93-0x00000248627B0000-0x00000248627B1000-memory.dmp

Filesize
4KB

Download
memory/4628-96-0x00000248626F0000-0x00000248626F1000-memory.dmp

Filesize
4KB

Download
memory/4628-44-0x000002485A480000-0x000002485A490000-memory.dmp

Filesize
64KB

Download
memory/4628-108-0x00000248628F0000-0x00000248628F1000-memory.dmp

Filesize
4KB

Download
memory/4628-110-0x0000024862900000-0x0000024862901000-memory.dmp

Filesize
4KB

Download
memory/4628-111-0x0000024862900000-0x0000024862901000-memory.dmp

Filesize
4KB

Download
memory/4628-112-0x0000024862A10000-0x0000024862A11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads