mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
134s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Size

563KB
MD5

b1cad70cea703c95c6bf90d74c4bfd89
SHA1

1a08e9ad7c417a5011915ccda1a1ec130cd7d3ac
SHA256

64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1
SHA512

4f7c7367da4b3009f5f1691832f88de0a7df9103ba16ff43c92fb3d0eec813005a6f6f31e0b3853b2ce07e2d5c9d0be331f1e60bed9bf8f3b3ebcbcab9a4b2de
SSDEEP

12288:KMrxy90uoiqvTegFhHXzNOI+74h82WRiHJ1CVVVV:nyKEgXHDNn+487Ry4VV

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2668-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2668-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2668-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2668-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe	family_redline
behavioral7/memory/4624-22-0x00000000006D0000-0x0000000000700000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x5112215.exeg1240082.exeh7567252.exe

pid process

2892 x5112215.exe
2856 g1240082.exe
4624 h7567252.exe

pid	process
2892	x5112215.exe
2856	g1240082.exe
4624	h7567252.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exex5112215.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5112215.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g1240082.exe

description pid process target process

PID 2856 set thread context of 2668 2856 g1240082.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5044 2668 WerFault.exe AppLaunch.exe
1196 2856 WerFault.exe g1240082.exe

description	pid	process	target process
PID 2856 set thread context of 2668	2856	g1240082.exe	AppLaunch.exe

pid	pid_target	process	target process
5044	2668	WerFault.exe	AppLaunch.exe
1196	2856	WerFault.exe	g1240082.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exex5112215.exeg1240082.exe

description	pid	process	target process
PID 2200 wrote to memory of 2892	2200	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe	x5112215.exe
PID 2200 wrote to memory of 2892	2200	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe	x5112215.exe
PID 2200 wrote to memory of 2892	2200	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe	x5112215.exe
PID 2892 wrote to memory of 2856	2892	x5112215.exe	g1240082.exe
PID 2892 wrote to memory of 2856	2892	x5112215.exe	g1240082.exe
PID 2892 wrote to memory of 2856	2892	x5112215.exe	g1240082.exe
PID 2856 wrote to memory of 4460	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 4460	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 4460	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2856 wrote to memory of 2668	2856	g1240082.exe	AppLaunch.exe
PID 2892 wrote to memory of 4624	2892	x5112215.exe	h7567252.exe
PID 2892 wrote to memory of 4624	2892	x5112215.exe	h7567252.exe
PID 2892 wrote to memory of 4624	2892	x5112215.exe	h7567252.exe

C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
"C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 540
5⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 588
4⤵
- Program crash
PID:1196

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
3⤵
- Executes dropped EXE
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2856 -ip 2856
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2668 -ip 2668
1⤵
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
Filesize
397KB

MD5
b2df6c5958efbdbc123148c627bb41d3

SHA1
fee833e9d20ba95a4fcad101b661315c65c0a4da

SHA256
101390dd16f1eac4157fdecbec16f38454803a89cf0599bfeef301bc6f0ca7a9

SHA512
a584aeae7d51d998e6a3f4803863b1aa7c867b5a6db90a64318ab8ceb5db54233b165394e324f52e0a0296ef35cb216a72a82be632f41c9963d698d3b3a0fec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
Filesize
379KB

MD5
d5cf94dd77a8375c5145e566609bb0c9

SHA1
ae8dba7cb8ebf33368aab97ec5f150831fd40823

SHA256
b36053dda1b1c85bde6a04a395a6e5b08d76298beaa32183eaed4b9d26787ba1

SHA512
1dffe0772e113fb38515755d4f3fb5938e24698bc26efccc38547e8f08c4673b7e7dd2c26f4af628c7c1745d41f59d26a0f269062638b9ec1ec60a5daf2dec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
Filesize
174KB

MD5
8e1c9385ea1a727897547ab26f729562

SHA1
52e8c50fded14c4b40a303af8b2e730d8ea40879

SHA256
2abb2c0b109b138ffbdd22abdb8921dca6790eabf870405bd491c4194d34ec07

SHA512
b5f60aab2c3f7ed632adebf5f71a77b3606df9da283219b965151d99e9173d4e2d02eb8d0ea514f13ff7c9f5e44ecb6325d8f7b24ee7b0c67dc707dd19a8778f

Download Submit
memory/2668-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4624-22-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/4624-23-0x00000000028B0000-0x00000000028B6000-memory.dmp

Filesize
24KB

Download
memory/4624-24-0x0000000005740000-0x0000000005D58000-memory.dmp

Filesize
6.1MB

Download
memory/4624-25-0x0000000005230000-0x000000000533A000-memory.dmp

Filesize
1.0MB

Download
memory/4624-26-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/4624-27-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/4624-28-0x0000000005120000-0x000000000516C000-memory.dmp

Filesize
304KB

Download