mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe
Size

1.5MB
MD5

06af0401aecc9790eba539a0104ee492
SHA1

aab2d55f1489d364efe7b939eadb248b5022cba1
SHA256

90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4
SHA512

19561d373013c2148480b60e5682a6af820cdd9443bfd7ac31885d6f8706dbddf6a8ca823c8270e1aa71d02f85dd4bd7ced72b4923cfc6de8f57f641ff43860d
SSDEEP

24576:zykRQJVu8VgorcHsJvivI/xtXStQ+wc2ybyXaXNE74Nz5fPy+f1n7v72gEh:Gkyfu8VgorcHs9iW/yGXao+9LN7v72

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral11/memory/2204-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/2204-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/2204-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x000700000002343b-40.dat	family_redline
behavioral11/memory/1888-42-0x00000000001D0000-0x000000000020C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3588	PF8JS6jI.exe
3096	KT0yk3eB.exe
3276	xH9kB2vw.exe
692	Lz5bv3kP.exe
1160	1ah95nh1.exe
1888	2Qv918ty.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xH9kB2vw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Lz5bv3kP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PF8JS6jI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KT0yk3eB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 2204	1160	1ah95nh1.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
460	1160	WerFault.exe	87

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 3588	4304	90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe	83
PID 4304 wrote to memory of 3588	4304	90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe	83
PID 4304 wrote to memory of 3588	4304	90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe	83
PID 3588 wrote to memory of 3096	3588	PF8JS6jI.exe	84
PID 3588 wrote to memory of 3096	3588	PF8JS6jI.exe	84
PID 3588 wrote to memory of 3096	3588	PF8JS6jI.exe	84
PID 3096 wrote to memory of 3276	3096	KT0yk3eB.exe	85
PID 3096 wrote to memory of 3276	3096	KT0yk3eB.exe	85
PID 3096 wrote to memory of 3276	3096	KT0yk3eB.exe	85
PID 3276 wrote to memory of 692	3276	xH9kB2vw.exe	86
PID 3276 wrote to memory of 692	3276	xH9kB2vw.exe	86
PID 3276 wrote to memory of 692	3276	xH9kB2vw.exe	86
PID 692 wrote to memory of 1160	692	Lz5bv3kP.exe	87
PID 692 wrote to memory of 1160	692	Lz5bv3kP.exe	87
PID 692 wrote to memory of 1160	692	Lz5bv3kP.exe	87
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 1160 wrote to memory of 2204	1160	1ah95nh1.exe	93
PID 692 wrote to memory of 1888	692	Lz5bv3kP.exe	97
PID 692 wrote to memory of 1888	692	Lz5bv3kP.exe	97
PID 692 wrote to memory of 1888	692	Lz5bv3kP.exe	97

C:\Users\Admin\AppData\Local\Temp\90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe
"C:\Users\Admin\AppData\Local\Temp\90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PF8JS6jI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PF8JS6jI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT0yk3eB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT0yk3eB.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xH9kB2vw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xH9kB2vw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lz5bv3kP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lz5bv3kP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ah95nh1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ah95nh1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 560
        7⤵
        Program crash
        
        PID:460
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qv918ty.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qv918ty.exe
        6⤵
        Executes dropped EXE
        
        PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1160 -ip 1160
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PF8JS6jI.exe

Filesize
1.3MB

MD5
aec7b76c8c3c954cc7e94257f31e8b8c

SHA1
97e63aac098cdf4bfb5bde92f2f46f55a294fdfd

SHA256
afe7248558713f8acf7c39c85b3a0a8f783bb2bb72cdd38aa42097906de07e1b

SHA512
1252d4843335ec830a9ba96a64f46d3e76ffb591567299bf198d15e53788187deacf94c1a7637690dbfdf056943fff84df8a57ecc2b090434fda112836d37e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KT0yk3eB.exe

Filesize
1.2MB

MD5
350b273927124dda717d49f5d4d2aa37

SHA1
102110cc33f0d520ae0edcf8c828e1931a46ab31

SHA256
5f9844aebb1a71d978d4f94b04502e7afad5bad66e85ef976f4016f9ea46717e

SHA512
bc600ef070dedbf339c73112bdb24611ddf4507c9f26eafa9d0c0e26dd1b1ba5d2d056c608139ab426179eec5b5d7771fd206d419ed3be4ee6a1f54d1d8dc2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xH9kB2vw.exe

Filesize
768KB

MD5
407c117980d1c20fb2a317f8b71e0a5d

SHA1
2321875fcc36370030bf5884659b3ebb61a2c421

SHA256
2b94a27dfc42973064d60d19f07faf32b55ba8f5a09fd669df959b9b2f624271

SHA512
29aee90ea399fac76c68b35185d70fc0c6f28ac7287fd39bb0247a1b419592d5c818293a95eb1467d337215629ad7bac1f6147a8e39258aa02893a95f85b3740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lz5bv3kP.exe

Filesize
573KB

MD5
6a2a6e714adea39d232a38e93acddf4c

SHA1
f24ebc4142532ebfa82dd062c95744559f280c18

SHA256
b3f5139e53257b58bbde7b442aaed89fd04750d5fa1b1b4fdf1fbc41db609fd6

SHA512
036268fb2f1850c58361ece714a1c9708d9bf868967173ea351e3955a65276e2f576896f0e5bea50230a2af8da216d618d684cd2f6380fff1ed4949a842bbf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ah95nh1.exe

Filesize
1.1MB

MD5
dbc35dd6e920a6317ad78a9b9c67633a

SHA1
a758c9ff62b4630266c855ba09fd32e757790ea8

SHA256
d45d227e5441db9335f21140b879a81af94d9a145b4e3a0fc740ec13f132d188

SHA512
728b5f1c043184229597d01ddf3944030b660fa84e4d9aac162adb8b0dbaf4981dc50009bf0d697b90a8e7e0d9f42722d292cff6c25406bd7caa61b3482b484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qv918ty.exe

Filesize
219KB

MD5
ef73b0024c8cda728f245dfe8bba4cc3

SHA1
c3a0b07af09029f9c01f09eff256ae1de0fb5196

SHA256
7a102bc16dc7769772efb6fcee29a3ee424391b337237ac088529530af560649

SHA512
81841e93173d8a3ac5dc721f5699005ef12f33bfa55a8e7ef08ddb46ffb07c0e0286752dc9886473f4c6c0af0743e061eb8bd3161e47a9de3409a3d65f55955f

Download Submit
memory/1888-42-0x00000000001D0000-0x000000000020C000-memory.dmp

Filesize
240KB

Download
memory/1888-43-0x0000000007440000-0x00000000079E4000-memory.dmp

Filesize
5.6MB

Download
memory/1888-44-0x0000000006F70000-0x0000000007002000-memory.dmp

Filesize
584KB

Download
memory/1888-45-0x0000000002520000-0x000000000252A000-memory.dmp

Filesize
40KB

Download
memory/1888-46-0x0000000008010000-0x0000000008628000-memory.dmp

Filesize
6.1MB

Download
memory/1888-47-0x00000000079F0000-0x0000000007AFA000-memory.dmp

Filesize
1.0MB

Download
memory/1888-48-0x0000000007080000-0x0000000007092000-memory.dmp

Filesize
72KB

Download
memory/1888-49-0x00000000071F0000-0x000000000722C000-memory.dmp

Filesize
240KB

Download
memory/1888-50-0x0000000007230000-0x000000000727C000-memory.dmp

Filesize
304KB

Download
memory/2204-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads