mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe
Size

943KB
MD5

6df35c0bf802827179491a87b3fcaef6
SHA1

6c11c82d7422d46b4d1e143f25e3ae467c81eb01
SHA256

ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf
SHA512

184e32ed3c876db2b436ed847e6e485fe836ff40ea52bea0d79fa255ebc55e20427ff55dfeb5c197591f29e83565acd533745a0fcd0f59b04e7a153279dc7e69
SSDEEP

24576:+y3lCj5PuU09H6ASUTFegI5QEpHUVDus7CY7:NI5a9HHxbUHGRCY

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral18/memory/5140-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral18/memory/5140-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral18/memory/5140-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023421-33.dat	family_redline
behavioral18/memory/2152-35-0x0000000000B90000-0x0000000000BC0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4680	x9389096.exe
3596	x0004138.exe
2572	x2251657.exe
1636	g8133913.exe
2152	h6239764.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0004138.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2251657.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9389096.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 5140	1636	g8133913.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	1636	WerFault.exe	85

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4680	3680	ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe	82
PID 3680 wrote to memory of 4680	3680	ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe	82
PID 3680 wrote to memory of 4680	3680	ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe	82
PID 4680 wrote to memory of 3596	4680	x9389096.exe	83
PID 4680 wrote to memory of 3596	4680	x9389096.exe	83
PID 4680 wrote to memory of 3596	4680	x9389096.exe	83
PID 3596 wrote to memory of 2572	3596	x0004138.exe	84
PID 3596 wrote to memory of 2572	3596	x0004138.exe	84
PID 3596 wrote to memory of 2572	3596	x0004138.exe	84
PID 2572 wrote to memory of 1636	2572	x2251657.exe	85
PID 2572 wrote to memory of 1636	2572	x2251657.exe	85
PID 2572 wrote to memory of 1636	2572	x2251657.exe	85
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 1636 wrote to memory of 5140	1636	g8133913.exe	88
PID 2572 wrote to memory of 2152	2572	x2251657.exe	93
PID 2572 wrote to memory of 2152	2572	x2251657.exe	93
PID 2572 wrote to memory of 2152	2572	x2251657.exe	93

C:\Users\Admin\AppData\Local\Temp\ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe
"C:\Users\Admin\AppData\Local\Temp\ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9389096.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9389096.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0004138.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0004138.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2251657.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2251657.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8133913.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8133913.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 564
        6⤵
        Program crash
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6239764.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6239764.exe
        5⤵
        Executes dropped EXE
        
        PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1636 -ip 1636
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9389096.exe

Filesize
841KB

MD5
b2c83ae704ff4b5e21cfc731657b3b9a

SHA1
7742b1406ef7d992b7adf6fdb9011a9e0ec8578a

SHA256
4cba9cda839039348737d7a8ba19bf5c557c9292ac9353eca3b0ffc588f629eb

SHA512
6b6e81740df9ba5247cda80ac83f2b2edad79ec724ad425aa8c942db9cf99c9c043bb5b4a7d5fcf98b164e226de56c3b1564c07b17790a2bbc410fbc68185fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0004138.exe

Filesize
563KB

MD5
7bc0639249026e5a29de7b1c978fe181

SHA1
9d6d3c1cd70b7823f396216dc30fdf93c0d839f9

SHA256
3767ef27a0b9c9e968b63738065004153d0974b7e64d0cae87060d7b3d5491df

SHA512
9d75780aab4f862b120788807fa3cddc49c0822aedf4bcffc0e024478c4eb2043d0cd88fbda6c0c7e11b7425ad4dffa9c818ea338fff3b1b61971cb7f722ee62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2251657.exe

Filesize
397KB

MD5
fa76b6e7273f7c05818d9d35ca5c5595

SHA1
bc74034338bd86f819a0c65d28830e06e151bf63

SHA256
d620c60c5ceadb6ceabc71237bd21dcbbf89c967eb2e5c3ccc20ff31bfdc0c08

SHA512
570e1ad2daffcd25e395a70ee7935dbeade06ca3dcafee3617a25263f07cee2f1f3893dc3fe4e281c7c63666ad6d8f6350b0a61e46109afed782e7542770da78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8133913.exe

Filesize
379KB

MD5
897eb703a928d4225e5d0f2d4beb0ee2

SHA1
0bba11833e4dbebebeb672ab6882e5ef40999353

SHA256
1fcd9a084b8f90b5adaf3c09a30935bd1830d8a22928495e0d2b929866b3d672

SHA512
4b209e74f32f990cd7b1ab276380d82cb45f179c69e422e964a89c07621d79a40b5df1e8cd1375527ffdb1c4206abcc95c3a7a49685fdd54ce97d9341a39439f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6239764.exe

Filesize
174KB

MD5
e466c3b3ab599efc34c1e2b92a32fec7

SHA1
79a50ad575a07fa344971f4d8f9a585073200d3a

SHA256
d7af7a724e8f457c74b970a15d47d23906c0fc93f0060a27bbf6ff4d2880e5c9

SHA512
0f0e1f380201599461183e3f480310b595dad58c05abe97bc204b48ddd098a342902a32ea528ddd695ddfe8253a6127284a3d084e264a9ac600a24761e14ffbb

Download Submit
memory/2152-36-0x00000000054B0000-0x00000000054B6000-memory.dmp

Filesize
24KB

Download
memory/2152-35-0x0000000000B90000-0x0000000000BC0000-memory.dmp

Filesize
192KB

Download
memory/2152-37-0x0000000005B80000-0x0000000006198000-memory.dmp

Filesize
6.1MB

Download
memory/2152-38-0x0000000005670000-0x000000000577A000-memory.dmp

Filesize
1.0MB

Download
memory/2152-39-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/2152-40-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/2152-41-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download
memory/5140-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5140-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5140-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads