mystic | 8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe
Size

881KB
MD5

03a197cb40408aac6618e7053cfeab39
SHA1

b8a29bad9f6b58446e9b893915eb1257c491d25b
SHA256

8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b
SHA512

77996add4dc1640c103d950a98f2b9af8d73b39c20af7a6a8c704452dfcc850f1e1fe3db4776ca7a5de46ade05c957c5836f1c7f639f982776b668b87908d4bf
SSDEEP

12288:bMr4y90FsqzLwuxgjDc9/0SsepUKwUhOa2oCh08Ul1rsiLBziv0KTHJYJKfdpuij:LyCzsuKj49wKrhT2bpPuKDOJKHuc

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4504-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4504-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4504-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4504-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2944-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3988	vF9Nx17.exe
2304	11BL9727.exe
3296	12tk616.exe
4688	13cX562.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vF9Nx17.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 4504	2304	11BL9727.exe	91
PID 3296 set thread context of 2944	3296	12tk616.exe	110
PID 4688 set thread context of 2000	4688	13cX562.exe	114

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1140	4504	WerFault.exe	91

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 3988	4732	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe	86
PID 4732 wrote to memory of 3988	4732	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe	86
PID 4732 wrote to memory of 3988	4732	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe	86
PID 3988 wrote to memory of 2304	3988	vF9Nx17.exe	88
PID 3988 wrote to memory of 2304	3988	vF9Nx17.exe	88
PID 3988 wrote to memory of 2304	3988	vF9Nx17.exe	88
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 2304 wrote to memory of 4504	2304	11BL9727.exe	91
PID 3988 wrote to memory of 3296	3988	vF9Nx17.exe	92
PID 3988 wrote to memory of 3296	3988	vF9Nx17.exe	92
PID 3988 wrote to memory of 3296	3988	vF9Nx17.exe	92
PID 3296 wrote to memory of 1424	3296	12tk616.exe	107
PID 3296 wrote to memory of 1424	3296	12tk616.exe	107
PID 3296 wrote to memory of 1424	3296	12tk616.exe	107
PID 3296 wrote to memory of 2980	3296	12tk616.exe	108
PID 3296 wrote to memory of 2980	3296	12tk616.exe	108
PID 3296 wrote to memory of 2980	3296	12tk616.exe	108
PID 3296 wrote to memory of 4552	3296	12tk616.exe	109
PID 3296 wrote to memory of 4552	3296	12tk616.exe	109
PID 3296 wrote to memory of 4552	3296	12tk616.exe	109
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 3296 wrote to memory of 2944	3296	12tk616.exe	110
PID 4732 wrote to memory of 4688	4732	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe	111
PID 4732 wrote to memory of 4688	4732	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe	111
PID 4732 wrote to memory of 4688	4732	NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe	111
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114
PID 4688 wrote to memory of 2000	4688	13cX562.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8e658be1287f69327c68a575863888918e1ca90e2bd09247170a81af6b3cd34b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF9Nx17.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF9Nx17.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11BL9727.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11BL9727.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 540
        5⤵
        Program crash
        
        PID:1140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12tk616.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12tk616.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1424
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cX562.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cX562.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cX562.exe

Filesize
717KB

MD5
abeb6f26d115c1945b535481d774d1f7

SHA1
4c643e851c9425c4288001a59f8cfb327a366f8a

SHA256
bfa494ce5893b837c5dc4ca1bcc600435fb128978bd7ac5712a6b0fa01f465f9

SHA512
9ef68ba9e7372c4ef5ae1c2638962522b8c990632a97c48035d750273b427f6b41f389900ef9a6f95346966d6c99af2f9ff3509681554cdd9714f23c3e1f54b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13cX562.exe

Filesize
717KB

MD5
abeb6f26d115c1945b535481d774d1f7

SHA1
4c643e851c9425c4288001a59f8cfb327a366f8a

SHA256
bfa494ce5893b837c5dc4ca1bcc600435fb128978bd7ac5712a6b0fa01f465f9

SHA512
9ef68ba9e7372c4ef5ae1c2638962522b8c990632a97c48035d750273b427f6b41f389900ef9a6f95346966d6c99af2f9ff3509681554cdd9714f23c3e1f54b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF9Nx17.exe

Filesize
420KB

MD5
d838a33ead6ba3f7a92a86075908f19d

SHA1
b55ecb3e78e8071b9d97307a179ea39d582bb654

SHA256
7311928cb5087a170ab29bdf8e1032498a81c9912a127c8a6dca4e9b14c4a908

SHA512
bf34aa1d56d017091e4d43dbf997f70c343427d7b20fb3694a214d0d756d58f9deaf2eb007492f8661e8d5fd4d7ac5df1d36e77bc3a7e00051a0cd552b03a6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vF9Nx17.exe

Filesize
420KB

MD5
d838a33ead6ba3f7a92a86075908f19d

SHA1
b55ecb3e78e8071b9d97307a179ea39d582bb654

SHA256
7311928cb5087a170ab29bdf8e1032498a81c9912a127c8a6dca4e9b14c4a908

SHA512
bf34aa1d56d017091e4d43dbf997f70c343427d7b20fb3694a214d0d756d58f9deaf2eb007492f8661e8d5fd4d7ac5df1d36e77bc3a7e00051a0cd552b03a6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11BL9727.exe

Filesize
369KB

MD5
b19dacdb67e44e42ba2b4ccac41b691b

SHA1
b4a844436ce4320a55c6bc0fdc0cb0ea30450053

SHA256
323f43372d48ac0d1028fda1f4a09bb48a39596296b7de7eed41c31ed300e5b5

SHA512
a6ea941473e3ec5f5879819ee7d8356b9316acf5ea9a56de1727bcaea8c44e567dd6aba6b5dabaf3bf126e074720c14f6453ebdcaa86b3981477c51148caccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11BL9727.exe

Filesize
369KB

MD5
b19dacdb67e44e42ba2b4ccac41b691b

SHA1
b4a844436ce4320a55c6bc0fdc0cb0ea30450053

SHA256
323f43372d48ac0d1028fda1f4a09bb48a39596296b7de7eed41c31ed300e5b5

SHA512
a6ea941473e3ec5f5879819ee7d8356b9316acf5ea9a56de1727bcaea8c44e567dd6aba6b5dabaf3bf126e074720c14f6453ebdcaa86b3981477c51148caccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12tk616.exe

Filesize
408KB

MD5
ee415f4d7fbf97df9f695c78417c7065

SHA1
56c0f43b5898ada7f49ace85015601ca5ba180c6

SHA256
23c1d2a29421afc11c3bf89ac44fe414108c1f88f284f3d205b735ee335a1836

SHA512
e0adb235a081c461942c11c8f7496c9d4791e37a01e57c7811bac3f36e755a887617bb8c2ed58dbbc573e48cccd1d30f3e6d4934e078166027fe73f14c88fa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12tk616.exe

Filesize
408KB

MD5
ee415f4d7fbf97df9f695c78417c7065

SHA1
56c0f43b5898ada7f49ace85015601ca5ba180c6

SHA256
23c1d2a29421afc11c3bf89ac44fe414108c1f88f284f3d205b735ee335a1836

SHA512
e0adb235a081c461942c11c8f7496c9d4791e37a01e57c7811bac3f36e755a887617bb8c2ed58dbbc573e48cccd1d30f3e6d4934e078166027fe73f14c88fa61

Download Submit
memory/2000-42-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2000-40-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2000-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2000-38-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2944-34-0x00000000079F0000-0x0000000007A2C000-memory.dmp

Filesize
240KB

Download
memory/2944-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-27-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/2944-28-0x00000000076B0000-0x0000000007742000-memory.dmp

Filesize
584KB

Download
memory/2944-29-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2944-30-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/2944-31-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/2944-32-0x0000000008110000-0x000000000821A000-memory.dmp

Filesize
1.0MB

Download
memory/2944-33-0x0000000007990000-0x00000000079A2000-memory.dmp

Filesize
72KB

Download
memory/2944-26-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2944-35-0x0000000007A30000-0x0000000007A7C000-memory.dmp

Filesize
304KB

Download
memory/2944-36-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2944-37-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/4504-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads