mystic | 8cc6679c34691a07ca82dfa2e42bb4cb80b8f3283bad650d6e3818ac030c32d3

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe
Size

942KB
MD5

bba52e4949076e23493f303121140f12
SHA1

68fac8b6f4abca233af3fe66f8f956137d7e8bda
SHA256

e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74
SHA512

72bc8de3843e7100720b604e3156fe884f8f2b4a02d2c5b9b01c61caf6d1339b012ae339625e2032eeae6ef8bb90dcf6f87368830e193a3e6adb5b13efcb0911
SSDEEP

12288:1MrWy90qwwTA4eeGo83wqmLwhZ+tRnJlDXKmmp2zWuc+UNd0+u3zDOB2KtEJ4N6l:zyT/4PmsrgjlDXMoWD/gD3V40g088x

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/1500-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/1500-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/1500-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023414-33.dat	family_redline
behavioral19/memory/4744-35-0x0000000000870000-0x00000000008A0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3148	x3041458.exe
1972	x0935809.exe
1748	x3855419.exe
3416	g6636474.exe
4744	h5231884.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0935809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3855419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3041458.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3416 set thread context of 1500	3416	g6636474.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	3416	WerFault.exe	86

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3148	1792	e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe	82
PID 1792 wrote to memory of 3148	1792	e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe	82
PID 1792 wrote to memory of 3148	1792	e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe	82
PID 3148 wrote to memory of 1972	3148	x3041458.exe	83
PID 3148 wrote to memory of 1972	3148	x3041458.exe	83
PID 3148 wrote to memory of 1972	3148	x3041458.exe	83
PID 1972 wrote to memory of 1748	1972	x0935809.exe	84
PID 1972 wrote to memory of 1748	1972	x0935809.exe	84
PID 1972 wrote to memory of 1748	1972	x0935809.exe	84
PID 1748 wrote to memory of 3416	1748	x3855419.exe	86
PID 1748 wrote to memory of 3416	1748	x3855419.exe	86
PID 1748 wrote to memory of 3416	1748	x3855419.exe	86
PID 3416 wrote to memory of 1756	3416	g6636474.exe	89
PID 3416 wrote to memory of 1756	3416	g6636474.exe	89
PID 3416 wrote to memory of 1756	3416	g6636474.exe	89
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 3416 wrote to memory of 1500	3416	g6636474.exe	90
PID 1748 wrote to memory of 4744	1748	x3855419.exe	94
PID 1748 wrote to memory of 4744	1748	x3855419.exe	94
PID 1748 wrote to memory of 4744	1748	x3855419.exe	94

C:\Users\Admin\AppData\Local\Temp\e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe
"C:\Users\Admin\AppData\Local\Temp\e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3041458.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3041458.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0935809.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0935809.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3855419.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3855419.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6636474.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6636474.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1756
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 596
        6⤵
        Program crash
        
        PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5231884.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5231884.exe
        5⤵
        Executes dropped EXE
        
        PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3416 -ip 3416
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3041458.exe

Filesize
840KB

MD5
d8050c8deeee7e32b9e1590cdacc9ce9

SHA1
1a453059b20191fffb80cb3df50a8c4d86655c27

SHA256
1ec1a4407e6e89e354e98b2e71c01699a558b1162a260ec8044c3227f79b212e

SHA512
d0065c931220cdd9fa9daa2791cbbd3c286f56b15223e698d3323627664d093b5a864e8062328af99288889ec7431ea82a7d1207fa858965db6ba40b79352332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0935809.exe

Filesize
563KB

MD5
84c11718043a7223489608e0cf1d3862

SHA1
00125c2ecf62a9ab378b98209ba564086d2d2ce8

SHA256
d25d74570e847f853a1de2eb7506f01af1aa9050317a32bf57f1fdcf6cd94b57

SHA512
a55f55998efdada222d37fa768f76e99f81ea25cf92a3d1c76aa3eb1057e48f30885f35db5f31a23e7d506f36f5e348eae02491580482bebc1aa020b4799ba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3855419.exe

Filesize
397KB

MD5
fd6937a5b9d790da61447ada24ce64c6

SHA1
dcd7f9e341ae313a516ace24be4c58a5d873c945

SHA256
ee77d51fe149445ee6356ec003930deb130922bc485a86044d9eb8da5eaec2ea

SHA512
60cdde8c717f20e04d9e70254e3d3457bf7f74fd2eaec4b29d27c1e405a82494d9ef4165b792c6028044a35d12f3f08261c0ec1bca8bbc8a4a525a60c49ed18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6636474.exe

Filesize
379KB

MD5
68d306db94ed0c2c3368c7f1996eebe4

SHA1
ff29e458999dc872d779f1ff4a66edd87fd45158

SHA256
36bb33f3f21f9b5f8dff30bc6a9b5b21108dab5dd6b03d29a15f1d39572a786c

SHA512
0c35e6f3b908472799a37860c866f7cbf9fdbb8c1df9b6ff8b612fca168116be714a880eac5791522e91803028cb4be22aa13951d2a364cb63c24384898f5c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5231884.exe

Filesize
174KB

MD5
abeb13889416156609b938e05143441f

SHA1
76264e6c711f89fd8e96f6bb12be2a9867678259

SHA256
ad04617501d41fb2040b041a74f0787b15932b1899e6a0dec2d1ae9ecbe05bc4

SHA512
fe8832141d8e2a1d9fa6962f242a85a22ea07695615f31d8017a3bfbeeab65c9d5c0680180aa8feee5b453a473fa056d9da0638e27fe84894741c892554484b5

Download Submit
memory/1500-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1500-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1500-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4744-35-0x0000000000870000-0x00000000008A0000-memory.dmp

Filesize
192KB

Download
memory/4744-36-0x0000000005190000-0x0000000005196000-memory.dmp

Filesize
24KB

Download
memory/4744-37-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/4744-38-0x0000000005360000-0x000000000546A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-39-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/4744-40-0x0000000005290000-0x00000000052CC000-memory.dmp

Filesize
240KB

Download
memory/4744-41-0x00000000052D0000-0x000000000531C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads