mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
Size

755KB
MD5

a8fcd15d6414b6c08115a5e60be61b25
SHA1

830a5c4f18c0367b4670f93b8453b0db062bb1a1
SHA256

45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291
SHA512

b7fc5d3eba1a930a4bd10f66dc0fbce764e699590bbc401bd4332ab665db0bf5b0c057b2f6ede46bad0d23faea64700a203cc869030b9bbbfdd6852b3e6db321
SSDEEP

12288:SMrMy90Di0caFI+xNOWU1lllt3m/S9nBu8sUYItU0chSrVBRXqO:iyIiPaB0lPMS9nKItrTJ

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral5/memory/4364-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/4364-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/4364-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/4364-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe	family_redline
behavioral5/memory/2012-22-0x00000000001F0000-0x000000000022E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

ft5ab1zh.exe1on91Ip6.exe2dX334Ae.exe

pid process

3632 ft5ab1zh.exe
3900 1on91Ip6.exe
2012 2dX334Ae.exe

pid	process
3632	ft5ab1zh.exe
3900	1on91Ip6.exe
2012	2dX334Ae.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exeft5ab1zh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ft5ab1zh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1on91Ip6.exe

description pid process target process

PID 3900 set thread context of 4364 3900 1on91Ip6.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1464 4364 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 3900 set thread context of 4364	3900	1on91Ip6.exe	AppLaunch.exe

pid	pid_target	process	target process
1464	4364	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exeft5ab1zh.exe1on91Ip6.exe

description	pid	process	target process
PID 3096 wrote to memory of 3632	3096	45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe	ft5ab1zh.exe
PID 3096 wrote to memory of 3632	3096	45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe	ft5ab1zh.exe
PID 3096 wrote to memory of 3632	3096	45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe	ft5ab1zh.exe
PID 3632 wrote to memory of 3900	3632	ft5ab1zh.exe	1on91Ip6.exe
PID 3632 wrote to memory of 3900	3632	ft5ab1zh.exe	1on91Ip6.exe
PID 3632 wrote to memory of 3900	3632	ft5ab1zh.exe	1on91Ip6.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3900 wrote to memory of 4364	3900	1on91Ip6.exe	AppLaunch.exe
PID 3632 wrote to memory of 2012	3632	ft5ab1zh.exe	2dX334Ae.exe
PID 3632 wrote to memory of 2012	3632	ft5ab1zh.exe	2dX334Ae.exe
PID 3632 wrote to memory of 2012	3632	ft5ab1zh.exe	2dX334Ae.exe

C:\Users\Admin\AppData\Local\Temp\45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
"C:\Users\Admin\AppData\Local\Temp\45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft5ab1zh.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft5ab1zh.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1on91Ip6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1on91Ip6.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 540
5⤵
- Program crash
PID:1464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe
3⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft5ab1zh.exe

Filesize
559KB

MD5
abfa4785861a2e62c3d362993ca7f501

SHA1
ba33c215b9b085a98b7143ce490dff4d311805ac

SHA256
547e7ab64c28ee91628ba4ac75deb684cfa2fc9127ab1e6d94aff515e17d85ca

SHA512
7d38763c675e6223159af2ef18c5ba25b627fb8365b40617f53f58dbcc39f7ac10995546a08cc596d33a6609889023500927d468811906559309c2e2d09d7814

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1on91Ip6.exe

Filesize
1.0MB

MD5
27b6c5100365f96dcffe11b39171419d

SHA1
5fcbfdba53e3cb3650fac1aa74d10766c95ec203

SHA256
e3e693f95250d7a51c844f5789c94161ccbcfe753c99f8c25a967c1454aaa4ad

SHA512
01f8b0de97d3157e38c2e31e280afe54292308f97787d988ea6b745225d6dcdb06ba69fba7c848ddb9df56ecf105fe7a1325f908c34208cd7039184fb3e27ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe

Filesize
222KB

MD5
9cd5de8e5b8a765d86c0e4dcc45e463d

SHA1
0836c9d35bbc08eb3018207a01243d48cbb863d7

SHA256
81e314a10696926ade8773ee064777c6eb1bf38538d77a03bdada808d175297b

SHA512
eb95187480036417e53cf8a07fe66b6d63faa499ab17728cb61ea9f5c45b26e0c9f9dd4d0bda6c6cc453847fae87e568f31252d5f0e11efd4f67d57a1573a66c

Download Submit
memory/2012-27-0x00000000073C0000-0x00000000074CA000-memory.dmp

Filesize
1.0MB

Download
memory/2012-22-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/2012-23-0x00000000075D0000-0x0000000007B74000-memory.dmp

Filesize
5.6MB

Download
memory/2012-24-0x00000000070C0000-0x0000000007152000-memory.dmp

Filesize
584KB

Download
memory/2012-25-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/2012-26-0x00000000081A0000-0x00000000087B8000-memory.dmp

Filesize
6.1MB

Download
memory/2012-28-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/2012-29-0x0000000007350000-0x000000000738C000-memory.dmp

Filesize
240KB

Download
memory/2012-30-0x00000000074D0000-0x000000000751C000-memory.dmp

Filesize
304KB

Download
memory/4364-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download