mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe
Size

1.5MB
MD5

99fbd30f8f297404375178545e9a5671
SHA1

eb2faa70c32320bdfd5bab75e879a2883bef1f59
SHA256

0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513
SHA512

e30e2053d363b1eedec5a5493e4304b18e1418944ce5cea2dd1336bdaaff621e86b29877189b383baaf64987099cce625f12785b690c63ae284179aacd880801
SSDEEP

24576:dy8BJhfdaB7d47P6cDYqgmrw5dR9rYT1gIZU6G2U/RbQ6LoEWklTHDv+oR9efG9:4ugB767ScD82w/R2Tj7uGZEWk9zHjc

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3772-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3772-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3772-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jd460ie.exe	family_redline
behavioral1/memory/3768-42-0x0000000000620000-0x000000000065E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

eR8CW4FM.exeDe3KX8Mi.exeOu1rk1Lm.exebV2tn3Yw.exe1Kv40Ht5.exe2jd460ie.exe

pid process

4184 eR8CW4FM.exe
3720 De3KX8Mi.exe
1408 Ou1rk1Lm.exe
3096 bV2tn3Yw.exe
1620 1Kv40Ht5.exe
3768 2jd460ie.exe

pid	process
4184	eR8CW4FM.exe
3720	De3KX8Mi.exe
1408	Ou1rk1Lm.exe
3096	bV2tn3Yw.exe
1620	1Kv40Ht5.exe
3768	2jd460ie.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exeeR8CW4FM.exeDe3KX8Mi.exeOu1rk1Lm.exebV2tn3Yw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eR8CW4FM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	De3KX8Mi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ou1rk1Lm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	bV2tn3Yw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Kv40Ht5.exe

description pid process target process

PID 1620 set thread context of 3772 1620 1Kv40Ht5.exe AppLaunch.exe

description	pid	process	target process
PID 1620 set thread context of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exeeR8CW4FM.exeDe3KX8Mi.exeOu1rk1Lm.exebV2tn3Yw.exe1Kv40Ht5.exe

description	pid	process	target process
PID 1288 wrote to memory of 4184	1288	0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe	eR8CW4FM.exe
PID 1288 wrote to memory of 4184	1288	0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe	eR8CW4FM.exe
PID 1288 wrote to memory of 4184	1288	0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe	eR8CW4FM.exe
PID 4184 wrote to memory of 3720	4184	eR8CW4FM.exe	De3KX8Mi.exe
PID 4184 wrote to memory of 3720	4184	eR8CW4FM.exe	De3KX8Mi.exe
PID 4184 wrote to memory of 3720	4184	eR8CW4FM.exe	De3KX8Mi.exe
PID 3720 wrote to memory of 1408	3720	De3KX8Mi.exe	Ou1rk1Lm.exe
PID 3720 wrote to memory of 1408	3720	De3KX8Mi.exe	Ou1rk1Lm.exe
PID 3720 wrote to memory of 1408	3720	De3KX8Mi.exe	Ou1rk1Lm.exe
PID 1408 wrote to memory of 3096	1408	Ou1rk1Lm.exe	bV2tn3Yw.exe
PID 1408 wrote to memory of 3096	1408	Ou1rk1Lm.exe	bV2tn3Yw.exe
PID 1408 wrote to memory of 3096	1408	Ou1rk1Lm.exe	bV2tn3Yw.exe
PID 3096 wrote to memory of 1620	3096	bV2tn3Yw.exe	1Kv40Ht5.exe
PID 3096 wrote to memory of 1620	3096	bV2tn3Yw.exe	1Kv40Ht5.exe
PID 3096 wrote to memory of 1620	3096	bV2tn3Yw.exe	1Kv40Ht5.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 1620 wrote to memory of 3772	1620	1Kv40Ht5.exe	AppLaunch.exe
PID 3096 wrote to memory of 3768	3096	bV2tn3Yw.exe	2jd460ie.exe
PID 3096 wrote to memory of 3768	3096	bV2tn3Yw.exe	2jd460ie.exe
PID 3096 wrote to memory of 3768	3096	bV2tn3Yw.exe	2jd460ie.exe

C:\Users\Admin\AppData\Local\Temp\0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe
"C:\Users\Admin\AppData\Local\Temp\0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR8CW4FM.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR8CW4FM.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\De3KX8Mi.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\De3KX8Mi.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ou1rk1Lm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ou1rk1Lm.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bV2tn3Yw.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bV2tn3Yw.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv40Ht5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv40Ht5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jd460ie.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jd460ie.exe
6⤵
- Executes dropped EXE
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR8CW4FM.exe

Filesize
1.3MB

MD5
b061024f27d9e8f99b2e3541b713e9d3

SHA1
6ec5c19992ee5e7e8e95726248160de558c139bd

SHA256
90e7bd6c2a9e1ae584d02d2d0bcfa25892e16cb53ab42c7a201cf64f8ca3836b

SHA512
ebd54e0c32b04c8fbc30d90e3bb298dc207fe9e81d4b6750dcf869860d2bcb3481f4dc5dfb2219309e8142a50a9e647f0c64f65230da6c69013f92af5f44ae5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\De3KX8Mi.exe

Filesize
1.1MB

MD5
f727ff603d7bd759b688e8c35d430f30

SHA1
3c8eb1c67a8c32a4f795c09efea7cde0c29ff341

SHA256
b66725caae1472aa9984ede50de4b3e79a6678527a5db04e6d973391430c204e

SHA512
f50941856576c0d300f527371e509043345c054de54e56acb505becfaec7046c7f49f9b81b8ebc169c8027915ad1be78cb3a78e5fb6ff48976e53196701c2db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ou1rk1Lm.exe

Filesize
758KB

MD5
5bf695f89b25383638a119a08ac5f503

SHA1
5bfab4e8e75e2faca6740369af9b58a7dfe99ecf

SHA256
f21f995742c2c587927c0b9dd5261aaf9117b7e418d57007b43db856af220457

SHA512
8c8b3c324dc84968c06f6efcd33e06500dd4e9190f2c019b0319747509511464b411bfb6596426bcaaed2bd6991bd23f882cf7e8609ce5327a838caa12f74e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bV2tn3Yw.exe

Filesize
562KB

MD5
2d134a22c711c471de4e17b4a118bb96

SHA1
8f5e88aec95e2897b703ed673f4508afd86a0ca9

SHA256
130d0ee41a952c79845c56c928acf2e155aa372dcdb0ab48d42ca677998703ae

SHA512
2b0c788af9e0ce8dc12bb076434301580415f4d5e18aec160339182787c0b013e8607515860c6deace5f068fe7958e416bf45a5cc5a41df54efb095952d4b2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv40Ht5.exe

Filesize
1.1MB

MD5
cb230d62d722ddc48739af4088775882

SHA1
ff0be771c7897158733e8e3b83c17bac9a8916c9

SHA256
2fdb2b80652109341b1c48d97d8cfb490b564381a73c287fb3323869829156bf

SHA512
64d5e81941a6738515f5a486a19440470d6493dcac7914176f36de07a0731697bf6d39170bd8b55e1a45147fdc8ecc81ff0bf2c5ef066d7cc4d1508312d8a1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jd460ie.exe

Filesize
222KB

MD5
f736af944649f7bddef162db65d81fe3

SHA1
c357268a1f1a05eb38a9977e0f8e079d63065ccb

SHA256
9011d632a5486993d4b15630d0cde89dd106f11f65a0b394204249edd373d5d2

SHA512
dd45ccbd932d470b44e2392f88e66885c6271dee60e04561506bfc655b4897ab321901da4cf951e799086e18ec42be41ffd57dc66bdb2dd44b2c50b2e4d548ac

Download Submit
memory/3768-42-0x0000000000620000-0x000000000065E000-memory.dmp

Filesize
248KB

Download
memory/3768-43-0x00000000078F0000-0x0000000007E94000-memory.dmp

Filesize
5.6MB

Download
memory/3768-44-0x0000000007420000-0x00000000074B2000-memory.dmp

Filesize
584KB

Download
memory/3768-45-0x0000000002970000-0x000000000297A000-memory.dmp

Filesize
40KB

Download
memory/3768-46-0x00000000084C0000-0x0000000008AD8000-memory.dmp

Filesize
6.1MB

Download
memory/3768-47-0x00000000076E0000-0x00000000077EA000-memory.dmp

Filesize
1.0MB

Download
memory/3768-48-0x00000000075F0000-0x0000000007602000-memory.dmp

Filesize
72KB

Download
memory/3768-49-0x0000000007650000-0x000000000768C000-memory.dmp

Filesize
240KB

Download
memory/3768-50-0x0000000007690000-0x00000000076DC000-memory.dmp

Filesize
304KB

Download
memory/3772-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download