mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Size

563KB
MD5

b1cad70cea703c95c6bf90d74c4bfd89
SHA1

1a08e9ad7c417a5011915ccda1a1ec130cd7d3ac
SHA256

64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1
SHA512

4f7c7367da4b3009f5f1691832f88de0a7df9103ba16ff43c92fb3d0eec813005a6f6f31e0b3853b2ce07e2d5c9d0be331f1e60bed9bf8f3b3ebcbcab9a4b2de
SSDEEP

12288:KMrxy90uoiqvTegFhHXzNOI+74h82WRiHJ1CVVVV:nyKEgXHDNn+487Ry4VV

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral7/memory/1456-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/1456-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/1456-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/1456-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x00070000000233d6-20.dat	family_redline
behavioral7/memory/3140-22-0x0000000000720000-0x0000000000750000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1440	x5112215.exe
4504	g1240082.exe
3140	h7567252.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5112215.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 1456	4504	g1240082.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3688	4504	WerFault.exe	84
752	1456	WerFault.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1440	5096	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe	83
PID 5096 wrote to memory of 1440	5096	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe	83
PID 5096 wrote to memory of 1440	5096	64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe	83
PID 1440 wrote to memory of 4504	1440	x5112215.exe	84
PID 1440 wrote to memory of 4504	1440	x5112215.exe	84
PID 1440 wrote to memory of 4504	1440	x5112215.exe	84
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 4504 wrote to memory of 1456	4504	g1240082.exe	87
PID 1440 wrote to memory of 3140	1440	x5112215.exe	94
PID 1440 wrote to memory of 3140	1440	x5112215.exe	94
PID 1440 wrote to memory of 3140	1440	x5112215.exe	94

C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
"C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 540
        5⤵
        Program crash
        
        PID:752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 568
      4⤵
      Program crash
      PID:3688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe
    3⤵
    - Executes dropped EXE
    PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4504 -ip 4504
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1456 -ip 1456
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe

Filesize
397KB

MD5
b2df6c5958efbdbc123148c627bb41d3

SHA1
fee833e9d20ba95a4fcad101b661315c65c0a4da

SHA256
101390dd16f1eac4157fdecbec16f38454803a89cf0599bfeef301bc6f0ca7a9

SHA512
a584aeae7d51d998e6a3f4803863b1aa7c867b5a6db90a64318ab8ceb5db54233b165394e324f52e0a0296ef35cb216a72a82be632f41c9963d698d3b3a0fec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe

Filesize
379KB

MD5
d5cf94dd77a8375c5145e566609bb0c9

SHA1
ae8dba7cb8ebf33368aab97ec5f150831fd40823

SHA256
b36053dda1b1c85bde6a04a395a6e5b08d76298beaa32183eaed4b9d26787ba1

SHA512
1dffe0772e113fb38515755d4f3fb5938e24698bc26efccc38547e8f08c4673b7e7dd2c26f4af628c7c1745d41f59d26a0f269062638b9ec1ec60a5daf2dec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe

Filesize
174KB

MD5
8e1c9385ea1a727897547ab26f729562

SHA1
52e8c50fded14c4b40a303af8b2e730d8ea40879

SHA256
2abb2c0b109b138ffbdd22abdb8921dca6790eabf870405bd491c4194d34ec07

SHA512
b5f60aab2c3f7ed632adebf5f71a77b3606df9da283219b965151d99e9173d4e2d02eb8d0ea514f13ff7c9f5e44ecb6325d8f7b24ee7b0c67dc707dd19a8778f

Download Submit
memory/1456-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1456-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1456-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1456-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3140-22-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/3140-23-0x0000000002A90000-0x0000000002A96000-memory.dmp

Filesize
24KB

Download
memory/3140-24-0x000000000AC30000-0x000000000B248000-memory.dmp

Filesize
6.1MB

Download
memory/3140-25-0x000000000A720000-0x000000000A82A000-memory.dmp

Filesize
1.0MB

Download
memory/3140-26-0x000000000A610000-0x000000000A622000-memory.dmp

Filesize
72KB

Download
memory/3140-27-0x000000000A670000-0x000000000A6AC000-memory.dmp

Filesize
240KB

Download
memory/3140-28-0x0000000004BE0000-0x0000000004C2C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads