mystic | 1f8f2e9e28f50f64ea2b24fed246c89072904096e4bc15a3595013e3b34c7867

General

Target

NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe
Size

768KB
MD5

eca9b6f977d54b1c080b2457ca6c6390
SHA1

e6528636fd826b4181bc0b1a203837853d6faf7b
SHA256

1f8f2e9e28f50f64ea2b24fed246c89072904096e4bc15a3595013e3b34c7867
SHA512

2d2defa7e29cde5e66f4721fcd9e376413a304469eb270c432c51e483912eaa6b898a0d2bd35c68258d3ea16aeb7a01a93e5ae33647be8abe4e3f1c1ca2321a9
SSDEEP

12288:KMrvy90WGL1MbXI/tgCdgmL6+I3JPYzxJTZkBvu2kvVc+c/QaOq1ywz2HEmZZ7:VyxGuY1gug5+8JPKJy9oVGlywVWZ7

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3752-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3752-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3752-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3752-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022ce7-20.dat	family_redline
behavioral1/files/0x0006000000022ce7-21.dat	family_redline
behavioral1/memory/384-23-0x0000000000DE0000-0x0000000000E1E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4536	Eu5Dq5ze.exe
940	1Ty79aW0.exe
384	2hG522Sz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Eu5Dq5ze.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 3752	940	1Ty79aW0.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2508	940	WerFault.exe	89
4532	3752	WerFault.exe	92

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4536	2036	NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe	87
PID 2036 wrote to memory of 4536	2036	NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe	87
PID 2036 wrote to memory of 4536	2036	NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe	87
PID 4536 wrote to memory of 940	4536	Eu5Dq5ze.exe	89
PID 4536 wrote to memory of 940	4536	Eu5Dq5ze.exe	89
PID 4536 wrote to memory of 940	4536	Eu5Dq5ze.exe	89
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 940 wrote to memory of 3752	940	1Ty79aW0.exe	92
PID 4536 wrote to memory of 384	4536	Eu5Dq5ze.exe	98
PID 4536 wrote to memory of 384	4536	Eu5Dq5ze.exe	98
PID 4536 wrote to memory of 384	4536	Eu5Dq5ze.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.eca9b6f977d54b1c080b2457ca6c6390.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eu5Dq5ze.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eu5Dq5ze.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ty79aW0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ty79aW0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 540
        5⤵
        Program crash
        
        PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 572
      4⤵
      Program crash
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hG522Sz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hG522Sz.exe
    3⤵
    - Executes dropped EXE
    PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 940 -ip 940
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3752 -ip 3752
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eu5Dq5ze.exe

Filesize
573KB

MD5
19725419f1171a61ee7bdf3b5f667af4

SHA1
dc865d151e9fb514fb6d0a568c0df5b6ad8a54c3

SHA256
3189adb57073b7ec4a1fbc462cf92fb60d95b0b68b8d976a401bb2dad45d0312

SHA512
2d5585639b93e9f32596cf1805c9d9004e658120b21c71cad25f32cc66b0510d28e765f7993fc44c903da419322ca7789175a9444f9ed4cb866e8846ad2420ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eu5Dq5ze.exe

Filesize
573KB

MD5
19725419f1171a61ee7bdf3b5f667af4

SHA1
dc865d151e9fb514fb6d0a568c0df5b6ad8a54c3

SHA256
3189adb57073b7ec4a1fbc462cf92fb60d95b0b68b8d976a401bb2dad45d0312

SHA512
2d5585639b93e9f32596cf1805c9d9004e658120b21c71cad25f32cc66b0510d28e765f7993fc44c903da419322ca7789175a9444f9ed4cb866e8846ad2420ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ty79aW0.exe

Filesize
1.1MB

MD5
f2b14fa14c24d0541b2f800f30f9b03d

SHA1
73ae154b65848a1de6e70af4a10a0a0a04b69c69

SHA256
24d2afd703ea7f0f5372d6f7a3b11302fcef060577942c3aa3e5026efdbf62a4

SHA512
5240c4c995d33644f0cd829bf8afd5765edb3dc5b288bab1aaf9e43552e373c51d498f27853a2070e19bee2005c18d51742ab8fe75928a7e41b80128ee9a2d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ty79aW0.exe

Filesize
1.1MB

MD5
f2b14fa14c24d0541b2f800f30f9b03d

SHA1
73ae154b65848a1de6e70af4a10a0a0a04b69c69

SHA256
24d2afd703ea7f0f5372d6f7a3b11302fcef060577942c3aa3e5026efdbf62a4

SHA512
5240c4c995d33644f0cd829bf8afd5765edb3dc5b288bab1aaf9e43552e373c51d498f27853a2070e19bee2005c18d51742ab8fe75928a7e41b80128ee9a2d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hG522Sz.exe

Filesize
223KB

MD5
3da6682a8d48a8335a5d20d3b216732a

SHA1
fb9d46c9fdcad26b6385063ce8c93bb11e4c602f

SHA256
823caabdab6acfa4971cea05563d829505c347a3204564ffb7697402b8de84cb

SHA512
76f58409241519deed25e886a173e5d613fb0488160dc2fa5084be362dbbebb4af285cbdb816b7bc9942dd211b3133619a1aef12311500d2bac1a46894b6a7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hG522Sz.exe

Filesize
223KB

MD5
3da6682a8d48a8335a5d20d3b216732a

SHA1
fb9d46c9fdcad26b6385063ce8c93bb11e4c602f

SHA256
823caabdab6acfa4971cea05563d829505c347a3204564ffb7697402b8de84cb

SHA512
76f58409241519deed25e886a173e5d613fb0488160dc2fa5084be362dbbebb4af285cbdb816b7bc9942dd211b3133619a1aef12311500d2bac1a46894b6a7da

Download Submit
memory/384-27-0x0000000007D70000-0x0000000007D7A000-memory.dmp

Filesize
40KB

Download
memory/384-31-0x0000000007EA0000-0x0000000007EDC000-memory.dmp

Filesize
240KB

Download
memory/384-34-0x0000000007B10000-0x0000000007B20000-memory.dmp

Filesize
64KB

Download
memory/384-33-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/384-22-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/384-23-0x0000000000DE0000-0x0000000000E1E000-memory.dmp

Filesize
248KB

Download
memory/384-24-0x0000000008080000-0x0000000008624000-memory.dmp

Filesize
5.6MB

Download
memory/384-25-0x0000000007B70000-0x0000000007C02000-memory.dmp

Filesize
584KB

Download
memory/384-26-0x0000000007B10000-0x0000000007B20000-memory.dmp

Filesize
64KB

Download
memory/384-32-0x0000000008020000-0x000000000806C000-memory.dmp

Filesize
304KB

Download
memory/384-28-0x0000000008C50000-0x0000000009268000-memory.dmp

Filesize
6.1MB

Download
memory/384-29-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/384-30-0x0000000007E40000-0x0000000007E52000-memory.dmp

Filesize
72KB

Download
memory/3752-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads