mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe
Size

760KB
MD5

41538167f8a6449df7670af2a204d623
SHA1

1d5778a5969ccf1a30f7d00dcd332490fa780549
SHA256

1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe
SHA512

b3532f017d0065d5ea6446c729db36a45aa5204f1cb245b8fc179eace26e5161be7bd58e5fc1ecebe215f3a428f8315066276ca7aca3ebfc508eeb7c44381363
SSDEEP

12288:jMrXy90rxDm5f/Nl9rfbFqmS0QIwJuJEu0pMwosb6y8IaD0EHQB:UyC+ff9rJqmSaaAcjos6yXEwB

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral4/memory/1020-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral4/memory/1020-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral4/memory/1020-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral4/memory/1020-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023423-21.dat	family_redline
behavioral4/memory/3468-22-0x0000000000D60000-0x0000000000D9E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2996	rL5am2gu.exe
456	1Kq91vu0.exe
3468	2Yb240xn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rL5am2gu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 1020	456	1Kq91vu0.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4952	1020	WerFault.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2996	968	1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe	83
PID 968 wrote to memory of 2996	968	1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe	83
PID 968 wrote to memory of 2996	968	1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe	83
PID 2996 wrote to memory of 456	2996	rL5am2gu.exe	84
PID 2996 wrote to memory of 456	2996	rL5am2gu.exe	84
PID 2996 wrote to memory of 456	2996	rL5am2gu.exe	84
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 456 wrote to memory of 1020	456	1Kq91vu0.exe	88
PID 2996 wrote to memory of 3468	2996	rL5am2gu.exe	89
PID 2996 wrote to memory of 3468	2996	rL5am2gu.exe	89
PID 2996 wrote to memory of 3468	2996	rL5am2gu.exe	89

C:\Users\Admin\AppData\Local\Temp\1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe
"C:\Users\Admin\AppData\Local\Temp\1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rL5am2gu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rL5am2gu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kq91vu0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kq91vu0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 200
        5⤵
        Program crash
        
        PID:4952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Yb240xn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Yb240xn.exe
    3⤵
    - Executes dropped EXE
    PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rL5am2gu.exe

Filesize
563KB

MD5
fdf1a6f3dc738ca3dce876b63dee6fd2

SHA1
868053d7ce1cf1e5b6ed3fa42f6e324f4ddcb0c2

SHA256
abdf09cf4591dadf7432db5e42b7e20dbc7b69eaf4a6735473e274bbe5bb73de

SHA512
af5a96bd8ef4b1817c2f4b9559ed790af27e2cc0722133c9e63ec9a415c7b15aa0825968aed229a168dca43ef3bfe171a3727769d31c1805bbe01839e30a5a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kq91vu0.exe

Filesize
1.1MB

MD5
c510eaf22f0e67281ded9245158719d3

SHA1
6b1023201cd0fdbf66470b0cb5f3d1d7414bb9aa

SHA256
525366faecc3065b48be35b73c42bf2e0db0af355bd6850cab579b3065274cf2

SHA512
3ef6dbf2503bfe75394ece362a1337cb8567916ff32e8d6ad2cf72108b8f811a7e886836df0b90d0255eca81e262d4b8a8f5461c89bb5b01ed727cf004427340

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Yb240xn.exe

Filesize
221KB

MD5
9b43b28dcd8a19d01d676b3d9c40108d

SHA1
30a8549940f809205acc09e46ba99c461e495572

SHA256
18a499fe3ef938785aac272bc702f49fd7ad72c8d79f8ce97e6a55a89fd3e496

SHA512
8d1416eefed956604980cf9ef5bc50dba48e3f85f255733b4e71d898f6592632a1e8273bc40bf19ab91dd05957a166f0f2b18cbb689793c8c428e5aec4642ae1

Download Submit
memory/1020-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-23-0x00000000080E0000-0x0000000008684000-memory.dmp

Filesize
5.6MB

Download
memory/3468-22-0x0000000000D60000-0x0000000000D9E000-memory.dmp

Filesize
248KB

Download
memory/3468-24-0x0000000007C20000-0x0000000007CB2000-memory.dmp

Filesize
584KB

Download
memory/3468-25-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/3468-26-0x0000000008CB0000-0x00000000092C8000-memory.dmp

Filesize
6.1MB

Download
memory/3468-28-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/3468-27-0x0000000007F40000-0x000000000804A000-memory.dmp

Filesize
1.0MB

Download
memory/3468-29-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/3468-30-0x0000000008050000-0x000000000809C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads