mystic | 13e8bcc1746a867d5fffce461395b52430a9294ecc0b29090330165cc826dd5b

General

Target

NEAS.b2cc7177962605348c378a59f8e07ab0.exe
Size

419KB
MD5

b2cc7177962605348c378a59f8e07ab0
SHA1

8e4629b44e0fead30bdcbb058a4ddb063f73e158
SHA256

13e8bcc1746a867d5fffce461395b52430a9294ecc0b29090330165cc826dd5b
SHA512

bd61ca2cff2b1ca5d692739c39ae9fae96c27309584ecd19654ee47b2e9fd77e35f6da27900b55136261c0600d96420b2a04ccf15de81fd2c3fe4151238346ab
SSDEEP

6144:Kuy+bnr+4p0yN90QEPoenhu9LDu++iMxY4jVaQD0bP/r9nFS6ssV35N/+xJVy:WMrwy90Jn04hzVaQD0bpDsi5B+xJVy

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4692-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4692-8-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4692-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4692-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2092-15-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4376	11ae3121.exe
2360	12Ro178.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.b2cc7177962605348c378a59f8e07ab0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 4692	4376	11ae3121.exe	93
PID 2360 set thread context of 2092	2360	12Ro178.exe	103

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	4692	WerFault.exe	93

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4376	1804	NEAS.b2cc7177962605348c378a59f8e07ab0.exe	87
PID 1804 wrote to memory of 4376	1804	NEAS.b2cc7177962605348c378a59f8e07ab0.exe	87
PID 1804 wrote to memory of 4376	1804	NEAS.b2cc7177962605348c378a59f8e07ab0.exe	87
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 4376 wrote to memory of 4692	4376	11ae3121.exe	93
PID 1804 wrote to memory of 2360	1804	NEAS.b2cc7177962605348c378a59f8e07ab0.exe	95
PID 1804 wrote to memory of 2360	1804	NEAS.b2cc7177962605348c378a59f8e07ab0.exe	95
PID 1804 wrote to memory of 2360	1804	NEAS.b2cc7177962605348c378a59f8e07ab0.exe	95
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103
PID 2360 wrote to memory of 2092	2360	12Ro178.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.b2cc7177962605348c378a59f8e07ab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b2cc7177962605348c378a59f8e07ab0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ae3121.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ae3121.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 540
      4⤵
      Program crash
      PID:1592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Ro178.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Ro178.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4692 -ip 4692
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ae3121.exe

Filesize
369KB

MD5
a2b145121c7a9e43905ada670016023c

SHA1
6e362230ff21eb2c4a602b94970151b5650c06f2

SHA256
d07ce86fb03cb100724b7ead3cfc052c977a212d88af6cb60e9841315635ad7f

SHA512
e54bd034dabdf6fac510b8f89fb8389e8d83c078c0e5dc6b12882d7751917abbb1dd4566a4e48ad7e76e50546b3f18dc0ff58fb219a99c8b80b2aadeb63c415b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ae3121.exe

Filesize
369KB

MD5
a2b145121c7a9e43905ada670016023c

SHA1
6e362230ff21eb2c4a602b94970151b5650c06f2

SHA256
d07ce86fb03cb100724b7ead3cfc052c977a212d88af6cb60e9841315635ad7f

SHA512
e54bd034dabdf6fac510b8f89fb8389e8d83c078c0e5dc6b12882d7751917abbb1dd4566a4e48ad7e76e50546b3f18dc0ff58fb219a99c8b80b2aadeb63c415b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Ro178.exe

Filesize
408KB

MD5
a14c4b3ff85a1af54541847bd2bbfb7b

SHA1
9d7b1190a52aba8c143b1756f712a0d8a003366d

SHA256
eb0f69216d07a8e50051bc34af15e4a6337bd90fb9d68e3b3a4bb779b7d9801b

SHA512
1f1daa0af85c5fcfe5587e4e75009cc187d2ecccc74cc080a5edf94dc056b5e207ef69773072553e2b3f2ffecc082ad325197f4a75b1c3e13d1e493031056acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Ro178.exe

Filesize
408KB

MD5
a14c4b3ff85a1af54541847bd2bbfb7b

SHA1
9d7b1190a52aba8c143b1756f712a0d8a003366d

SHA256
eb0f69216d07a8e50051bc34af15e4a6337bd90fb9d68e3b3a4bb779b7d9801b

SHA512
1f1daa0af85c5fcfe5587e4e75009cc187d2ecccc74cc080a5edf94dc056b5e207ef69773072553e2b3f2ffecc082ad325197f4a75b1c3e13d1e493031056acd

Download Submit
memory/2092-22-0x0000000007F50000-0x000000000805A000-memory.dmp

Filesize
1.0MB

Download
memory/2092-20-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/2092-27-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/2092-26-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/2092-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-16-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/2092-17-0x00000000079A0000-0x0000000007F44000-memory.dmp

Filesize
5.6MB

Download
memory/2092-18-0x00000000074B0000-0x0000000007542000-memory.dmp

Filesize
584KB

Download
memory/2092-19-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/2092-25-0x0000000008060000-0x00000000080AC000-memory.dmp

Filesize
304KB

Download
memory/2092-21-0x0000000008570000-0x0000000008B88000-memory.dmp

Filesize
6.1MB

Download
memory/2092-24-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/2092-23-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download
memory/4692-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads