mystic | 09d9ead98677cbc6f36f6ee0761fd9957c2c849bd35989990f220cec24f39918

General

Target

44088360d2a85b605505472cff282320_NEIKI.exe
Size

1.5MB
MD5

44088360d2a85b605505472cff282320
SHA1

55996324c41a0507205395fe2bd3939c1f69499b
SHA256

09d9ead98677cbc6f36f6ee0761fd9957c2c849bd35989990f220cec24f39918
SHA512

a69a41fa0267358162d927e89574679e47a41c440fc6c298c197fba1c314ec80bc647be6d9964dc23357054423aad22fda869e0e658f82b6f35ea6d93d074045
SSDEEP

24576:eyUQBKaUoqjr16ZSUuxLWNEWE0k8g04mAGm/YpA+AK/zU:tqaUoqn1601xLWNxxkV9mAW

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4912-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4912-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4912-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bz767ek.exe	family_redline
behavioral1/memory/2948-42-0x00000000006A0000-0x00000000006DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

mH2Cw3ly.exeHS6Xx1Us.exeeq5Qa6mI.exePf3wc1hs.exe1dF99Ew8.exe2Bz767ek.exe

pid process

4024 mH2Cw3ly.exe
1096 HS6Xx1Us.exe
1276 eq5Qa6mI.exe
3660 Pf3wc1hs.exe
4540 1dF99Ew8.exe
2948 2Bz767ek.exe

pid	process
4024	mH2Cw3ly.exe
1096	HS6Xx1Us.exe
1276	eq5Qa6mI.exe
3660	Pf3wc1hs.exe
4540	1dF99Ew8.exe
2948	2Bz767ek.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

44088360d2a85b605505472cff282320_NEIKI.exemH2Cw3ly.exeHS6Xx1Us.exeeq5Qa6mI.exePf3wc1hs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	44088360d2a85b605505472cff282320_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mH2Cw3ly.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	HS6Xx1Us.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	eq5Qa6mI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Pf3wc1hs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1dF99Ew8.exe

description pid process target process

PID 4540 set thread context of 4912 4540 1dF99Ew8.exe AppLaunch.exe

description	pid	process	target process
PID 4540 set thread context of 4912	4540	1dF99Ew8.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

44088360d2a85b605505472cff282320_NEIKI.exemH2Cw3ly.exeHS6Xx1Us.exeeq5Qa6mI.exePf3wc1hs.exe1dF99Ew8.exe

description	pid	process	target process
PID 3900 wrote to memory of 4024	3900	44088360d2a85b605505472cff282320_NEIKI.exe	mH2Cw3ly.exe
PID 3900 wrote to memory of 4024	3900	44088360d2a85b605505472cff282320_NEIKI.exe	mH2Cw3ly.exe
PID 3900 wrote to memory of 4024	3900	44088360d2a85b605505472cff282320_NEIKI.exe	mH2Cw3ly.exe
PID 4024 wrote to memory of 1096	4024	mH2Cw3ly.exe	HS6Xx1Us.exe
PID 4024 wrote to memory of 1096	4024	mH2Cw3ly.exe	HS6Xx1Us.exe
PID 4024 wrote to memory of 1096	4024	mH2Cw3ly.exe	HS6Xx1Us.exe
PID 1096 wrote to memory of 1276	1096	HS6Xx1Us.exe	eq5Qa6mI.exe
PID 1096 wrote to memory of 1276	1096	HS6Xx1Us.exe	eq5Qa6mI.exe
PID 1096 wrote to memory of 1276	1096	HS6Xx1Us.exe	eq5Qa6mI.exe
PID 1276 wrote to memory of 3660	1276	eq5Qa6mI.exe	Pf3wc1hs.exe
PID 1276 wrote to memory of 3660	1276	eq5Qa6mI.exe	Pf3wc1hs.exe
PID 1276 wrote to memory of 3660	1276	eq5Qa6mI.exe	Pf3wc1hs.exe
PID 3660 wrote to memory of 4540	3660	Pf3wc1hs.exe	1dF99Ew8.exe
PID 3660 wrote to memory of 4540	3660	Pf3wc1hs.exe	1dF99Ew8.exe
PID 3660 wrote to memory of 4540	3660	Pf3wc1hs.exe	1dF99Ew8.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 4540 wrote to memory of 4912	4540	1dF99Ew8.exe	AppLaunch.exe
PID 3660 wrote to memory of 2948	3660	Pf3wc1hs.exe	2Bz767ek.exe
PID 3660 wrote to memory of 2948	3660	Pf3wc1hs.exe	2Bz767ek.exe
PID 3660 wrote to memory of 2948	3660	Pf3wc1hs.exe	2Bz767ek.exe

C:\Users\Admin\AppData\Local\Temp\44088360d2a85b605505472cff282320_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\44088360d2a85b605505472cff282320_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH2Cw3ly.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH2Cw3ly.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HS6Xx1Us.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HS6Xx1Us.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eq5Qa6mI.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eq5Qa6mI.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pf3wc1hs.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pf3wc1hs.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dF99Ew8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dF99Ew8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bz767ek.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bz767ek.exe
6⤵
- Executes dropped EXE
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH2Cw3ly.exe
Filesize
1.4MB

MD5
eddaa19cba5e5a461836fea9c818e47e

SHA1
88b07a8086d5bce4c1983fb06c8ed176944d521d

SHA256
12345b47490007edacc9d5c89750c284ac350ee50bea6d8272873e09239c4b2c

SHA512
a3b767628723d1c5110b1ba7df971f7d6381183e40b6fe2b716472d4164bc9d97e2f1d41a389d0ffc77b55fe829c610b12cbf176ea2d350157bc56e2921f9fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HS6Xx1Us.exe
Filesize
1.2MB

MD5
248498138f28a8777ca0b425dd22e402

SHA1
13d101a2cab1002da2d805f9a23d949e14fcb479

SHA256
1a5cabd286a38ccf01db26ea47e69fd78b648a43c585e3545577ca14d047c731

SHA512
9f688063c4696800aeea3522b76b9ac46429df5d39aae5371d3068843bcf3c806d7c8efca6a9a930d371c5e7e61e65764f62c9c44a659aa3c6201ea4f195a00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eq5Qa6mI.exe
Filesize
782KB

MD5
20ea3ee98286733c45881f3b9db76258

SHA1
0c6dea911f1025c0243fb823da566fcf31d40319

SHA256
90acf1f3ba27a87e977f335c42a7365880ecf8e181602302ce1cbe8e98f8b6f3

SHA512
306dca979e176d3a9806996c8461c5e9204edc43bdc5cd99993dac6b1a02f007cdcce654f9e6562a3016516f43b8aba8b229a7dbfce36d47a1b2a1775dc25ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pf3wc1hs.exe
Filesize
581KB

MD5
3a95e994a0f4392f2ba092b3f96e8a3c

SHA1
b87233a97511fc256d5ea10b87bba102bde708db

SHA256
67d7b47693d1ccc04b610b671f96fdfcc11de4dd203d34243660d7aed8a31fa6

SHA512
446cadb2d6d5072510f39e155571192f7e6c1229a08e1cf46200be0a9431fd562f4a6aa5d816b48790f553d269e9aaf5bcc675fffcebffdf44ccfcd20b819f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dF99Ew8.exe
Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bz767ek.exe
Filesize
222KB

MD5
7571d182950b60c0e630be9ff98a4bc8

SHA1
c16c1143847578e1091a1dfe683809d4065c7fe4

SHA256
8dbe6448a202ac688d945c9f891c540409708517b529f607c20bd87128fd7f75

SHA512
63d03c4d6d341ee5ead1bdfbea8ead55073d45263970aa742cab278c7f08b3fa2e49babc8c0057a7791fef16570213382f18f9a12b87f75bf6fa43097f6d1143

Download Submit
memory/2948-45-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/2948-42-0x00000000006A0000-0x00000000006DE000-memory.dmp

Filesize
248KB

Download
memory/2948-43-0x0000000007AC0000-0x0000000008064000-memory.dmp

Filesize
5.6MB

Download
memory/2948-44-0x00000000075B0000-0x0000000007642000-memory.dmp

Filesize
584KB

Download
memory/2948-46-0x0000000008690000-0x0000000008CA8000-memory.dmp

Filesize
6.1MB

Download
memory/2948-47-0x0000000007900000-0x0000000007A0A000-memory.dmp

Filesize
1.0MB

Download
memory/2948-48-0x0000000007790000-0x00000000077A2000-memory.dmp

Filesize
72KB

Download
memory/2948-49-0x0000000007830000-0x000000000786C000-memory.dmp

Filesize
240KB

Download
memory/2948-50-0x0000000007870000-0x00000000078BC000-memory.dmp

Filesize
304KB

Download
memory/4912-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads