mystic | 8cc6679c34691a07ca82dfa2e42bb4cb80b8f3283bad650d6e3818ac030c32d3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe
Size

942KB
MD5

3fdc937eceb5ad2ecf4e396a6ead0c62
SHA1

cd9e91ec3f83c7d87289790c0bc6e52b795bae18
SHA256

a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f
SHA512

66a3f34db4b616e1a77cc3052064b65edb1154c2c993dc13da19304d15c9144ca295d993b1642f3ecc61154d7955e312b0ff75d94a53df4859dd75162cd8d8c5
SSDEEP

12288:/MrIy90QpDWElKUjKE+QJ8yjQ/+8iDpvZeqkR+O4Sml3+nujijjorQRLtIHZQU5F:fy7sUj3+QT8xupsNKlQyijRthY

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral15/memory/532-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral15/memory/532-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral15/memory/532-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7503051.exe	family_redline
behavioral15/memory/3344-35-0x00000000007E0000-0x0000000000810000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x9025137.exex2423191.exex6404257.exeg7351243.exeh7503051.exe

pid process

2624 x9025137.exe
4156 x2423191.exe
3772 x6404257.exe
1364 g7351243.exe
3344 h7503051.exe

pid	process
2624	x9025137.exe
4156	x2423191.exe
3772	x6404257.exe
1364	g7351243.exe
3344	h7503051.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exex9025137.exex2423191.exex6404257.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9025137.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2423191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6404257.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g7351243.exe

description pid process target process

PID 1364 set thread context of 532 1364 g7351243.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2760 1364 WerFault.exe g7351243.exe

description	pid	process	target process
PID 1364 set thread context of 532	1364	g7351243.exe	AppLaunch.exe

pid	pid_target	process	target process
2760	1364	WerFault.exe	g7351243.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exex9025137.exex2423191.exex6404257.exeg7351243.exe

description	pid	process	target process
PID 2728 wrote to memory of 2624	2728	a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe	x9025137.exe
PID 2728 wrote to memory of 2624	2728	a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe	x9025137.exe
PID 2728 wrote to memory of 2624	2728	a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe	x9025137.exe
PID 2624 wrote to memory of 4156	2624	x9025137.exe	x2423191.exe
PID 2624 wrote to memory of 4156	2624	x9025137.exe	x2423191.exe
PID 2624 wrote to memory of 4156	2624	x9025137.exe	x2423191.exe
PID 4156 wrote to memory of 3772	4156	x2423191.exe	x6404257.exe
PID 4156 wrote to memory of 3772	4156	x2423191.exe	x6404257.exe
PID 4156 wrote to memory of 3772	4156	x2423191.exe	x6404257.exe
PID 3772 wrote to memory of 1364	3772	x6404257.exe	g7351243.exe
PID 3772 wrote to memory of 1364	3772	x6404257.exe	g7351243.exe
PID 3772 wrote to memory of 1364	3772	x6404257.exe	g7351243.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 1364 wrote to memory of 532	1364	g7351243.exe	AppLaunch.exe
PID 3772 wrote to memory of 3344	3772	x6404257.exe	h7503051.exe
PID 3772 wrote to memory of 3344	3772	x6404257.exe	h7503051.exe
PID 3772 wrote to memory of 3344	3772	x6404257.exe	h7503051.exe

C:\Users\Admin\AppData\Local\Temp\a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe
"C:\Users\Admin\AppData\Local\Temp\a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9025137.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9025137.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2423191.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2423191.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6404257.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6404257.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7351243.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7351243.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 564
        6⤵
        Program crash
        
        PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7503051.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7503051.exe
        5⤵
        Executes dropped EXE
        
        PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1364 -ip 1364
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9025137.exe

Filesize
841KB

MD5
258b8c3eb70ab217e25a0ba43f40ddd9

SHA1
748a726ccace23c5b47b7e07e9d6a7b1b3abc161

SHA256
44370120aa5b08c18c269aff9f53929c01013672080fcb1ce0336169ae59ff1b

SHA512
c65a5f9630b5421eb42d1c7dd5453b67325a6adfc1ec16e521f3860066a7288420c44fd0dc8878fcec7c8eb025c34cacb80234f6e0cb26ffd8f42822bcbfd1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2423191.exe

Filesize
563KB

MD5
275fe3ea745fa7791c41c139cb1280fe

SHA1
b5060dc82ba8628f7c9e21e55675ba3fd5801e00

SHA256
8daa8e210a8e9b22b2550c3013d8c9f8c7b2fefebe26ed3c26ccdf7a30df5c98

SHA512
278e23300f7a3d5cef3cd601a0d36b62faa94ce0bb2f6ec26c6202e5c9cabb728ba032aaf6bc1506ce4bd5e465135e7df2c7576299d199c9fed6079a2e800ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6404257.exe

Filesize
397KB

MD5
ba67958b31a13f507441a9474a54440a

SHA1
f2e36b90055e21f57b36f334a77a6f65152bf43b

SHA256
26ac346f832299512951e7ca765d59e95e4417e8681c21b5ef937b038782c082

SHA512
f112454c517dc7712072b2b4efb406606521d9e76f04342b091afa0ab30a3275c3d5854c0df4ca8cb8ec03fa00679ccf89b44308b882b31942a5ede66b2063f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7351243.exe

Filesize
379KB

MD5
1ce9ce1dbb5810bf5e0d841427cb2788

SHA1
dcd8291cb852b2154a3cad81df9b030c9dcebc3c

SHA256
27885c09d41cb1654ba2db5333d50ca642ef42d8716502272e8c26876fcf507a

SHA512
1909aca73b34935a653a4f944f4d4a66821dd468797c1e4d9d14a9225420fc39c7353511f624cda90ff612b9e15863ae77beccb8f338d28b8b174c342061c488

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7503051.exe

Filesize
174KB

MD5
7ff140fb4bb5b2ea41ab633189ee4e3a

SHA1
0bf05d65a1f8c34443f8f4aa40c7b54c25359c38

SHA256
cceca179efa4421777eb911814155d4f3769e86c754c5e991af7b523f265d2fc

SHA512
e268e4e65b57641b9f097ab1c1648761f00c62f8f2bb061ec02fc43eafa3ec116519172c758a667ec22596163ca7b2978b6501b0c1616e1bac30fd11094c25d9

Download Submit
memory/532-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3344-35-0x00000000007E0000-0x0000000000810000-memory.dmp

Filesize
192KB

Download
memory/3344-36-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/3344-37-0x0000000005960000-0x0000000005F78000-memory.dmp

Filesize
6.1MB

Download
memory/3344-38-0x0000000005450000-0x000000000555A000-memory.dmp

Filesize
1.0MB

Download
memory/3344-39-0x00000000051A0000-0x00000000051B2000-memory.dmp

Filesize
72KB

Download
memory/3344-40-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/3344-41-0x0000000005380000-0x00000000053CC000-memory.dmp

Filesize
304KB

Download