mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe
Size

1.5MB
MD5

6f45d427a511cc1ecf60a30abb1e1937
SHA1

c4b5ad5e2ed6234265afd495f4e18f768890f9f7
SHA256

4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748
SHA512

871117b4e8dd4da8e0274cfc55945fefa937c6fd4909634fe1343d10901e82a47afe652f06de03934eba8ea0c8cfbe12e48090ef56363d2fb3e047cd9080bab7
SSDEEP

24576:cycO+kKIkuEmaVIL4Seir0YcaeC9XDhSv/6/BUqt7Ho8uQJpVD63Lq/SXD:LYPFmvveix9NQ69c8uQoG

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral6/memory/5088-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/5088-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/5088-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fy130ai.exe	family_redline
behavioral6/memory/3772-42-0x0000000000C00000-0x0000000000C3E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

CF2pc5bP.execz9Wg0Zi.exech6mF0Rv.exelT9br1cR.exe1Zv90wl0.exe2fy130ai.exe

pid process

1120 CF2pc5bP.exe
32 cz9Wg0Zi.exe
1796 ch6mF0Rv.exe
4972 lT9br1cR.exe
2040 1Zv90wl0.exe
3772 2fy130ai.exe

pid	process
1120	CF2pc5bP.exe
32	cz9Wg0Zi.exe
1796	ch6mF0Rv.exe
4972	lT9br1cR.exe
2040	1Zv90wl0.exe
3772	2fy130ai.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exeCF2pc5bP.execz9Wg0Zi.exech6mF0Rv.exelT9br1cR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CF2pc5bP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cz9Wg0Zi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ch6mF0Rv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	lT9br1cR.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Zv90wl0.exe

description pid process target process

PID 2040 set thread context of 5088 2040 1Zv90wl0.exe AppLaunch.exe

description	pid	process	target process
PID 2040 set thread context of 5088	2040	1Zv90wl0.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exeCF2pc5bP.execz9Wg0Zi.exech6mF0Rv.exelT9br1cR.exe1Zv90wl0.exe

description	pid	process	target process
PID 216 wrote to memory of 1120	216	4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe	CF2pc5bP.exe
PID 216 wrote to memory of 1120	216	4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe	CF2pc5bP.exe
PID 216 wrote to memory of 1120	216	4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe	CF2pc5bP.exe
PID 1120 wrote to memory of 32	1120	CF2pc5bP.exe	cz9Wg0Zi.exe
PID 1120 wrote to memory of 32	1120	CF2pc5bP.exe	cz9Wg0Zi.exe
PID 1120 wrote to memory of 32	1120	CF2pc5bP.exe	cz9Wg0Zi.exe
PID 32 wrote to memory of 1796	32	cz9Wg0Zi.exe	ch6mF0Rv.exe
PID 32 wrote to memory of 1796	32	cz9Wg0Zi.exe	ch6mF0Rv.exe
PID 32 wrote to memory of 1796	32	cz9Wg0Zi.exe	ch6mF0Rv.exe
PID 1796 wrote to memory of 4972	1796	ch6mF0Rv.exe	lT9br1cR.exe
PID 1796 wrote to memory of 4972	1796	ch6mF0Rv.exe	lT9br1cR.exe
PID 1796 wrote to memory of 4972	1796	ch6mF0Rv.exe	lT9br1cR.exe
PID 4972 wrote to memory of 2040	4972	lT9br1cR.exe	1Zv90wl0.exe
PID 4972 wrote to memory of 2040	4972	lT9br1cR.exe	1Zv90wl0.exe
PID 4972 wrote to memory of 2040	4972	lT9br1cR.exe	1Zv90wl0.exe
PID 2040 wrote to memory of 5048	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5048	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5048	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 2040 wrote to memory of 5088	2040	1Zv90wl0.exe	AppLaunch.exe
PID 4972 wrote to memory of 3772	4972	lT9br1cR.exe	2fy130ai.exe
PID 4972 wrote to memory of 3772	4972	lT9br1cR.exe	2fy130ai.exe
PID 4972 wrote to memory of 3772	4972	lT9br1cR.exe	2fy130ai.exe

C:\Users\Admin\AppData\Local\Temp\4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe
"C:\Users\Admin\AppData\Local\Temp\4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF2pc5bP.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF2pc5bP.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cz9Wg0Zi.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cz9Wg0Zi.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:32

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6mF0Rv.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6mF0Rv.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lT9br1cR.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lT9br1cR.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zv90wl0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zv90wl0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fy130ai.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fy130ai.exe
6⤵
- Executes dropped EXE
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF2pc5bP.exe
Filesize
1.3MB

MD5
aa7ddaf84f7f1897e2cba56701eed2b1

SHA1
5fea25549b4253bc6c65cbb98c9e2589c56d116e

SHA256
b52cf15090b2665ea703a4c80cb6b7166c85fe7a1d061b8dc4caf26be341019e

SHA512
dab480444255db2e4c6d8ad597eeb8d0ca91cd14e10c56c5a1c152970bac8e11702f4b7c45eb064877308819dd392cc177b3959e7a459279070c302a9305d215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cz9Wg0Zi.exe
Filesize
1.1MB

MD5
26cdd4b898343d3c3651d22f8d5ad0b8

SHA1
129f83cb9035629a8dd6cb5c258b72ae361db205

SHA256
b53ea29fcfe4ea901d1f2c0967d1b82922b6af1e4fc3230e72170e4a6a6011d9

SHA512
1574d3c45f493b0fb98e8baf79e366eaa59103bf9b962cf16884bfc10300a08d86f76682e15807fb7126d1557ec4a1e40611a8545bc6549c2731698ab85afbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6mF0Rv.exe
Filesize
757KB

MD5
b69bb2a0dc2cd9d9bd2a1729d3229d0c

SHA1
522aa8967abc9e2781c7c5854369be899628172b

SHA256
8c139344ef68354530e895daf402a0afc9bbc10f6e27d1ee5880d205fe5e619d

SHA512
e885fdbf71ede1f0d123132d6ad8876d54e3405812a4a71eaf537d7228fd9a22f96eb5d0022b4d73990366dd59f54bf6ec27021b77f2fbea188157e7457cfb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lT9br1cR.exe
Filesize
561KB

MD5
1ad700462b489a173d2c0dd0b8315fcb

SHA1
19b88841e44327b5a7b57955329114dcb08c5bff

SHA256
34b648b89d83ac3b0dc7bb91eb84a0269d8e41c99fc2ded7508e63261eae2575

SHA512
9dbfa974f5343839f47db4f0b6e2a96d66e0354ff63abe1c30f678e5c5b3ff2b9965294e2ec2a1df25fb0147bbc930ef8b4cf0b1e1cef504b65297a3f64c5e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zv90wl0.exe
Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fy130ai.exe
Filesize
222KB

MD5
f75fad9460fbf4d6ff1d1ea67f6a329f

SHA1
c10659b3220965272327c4a6af30c9aecaaad388

SHA256
88d7fe84731ed0e85b16b8e33392f589ae6f6df0d88d48510eeedb3059d6294c

SHA512
1afcd50cc121ef548c75da25355ca88b9e80d64fa9917bfea71750855a199886a5ac16b26efe0f5f5bb38d3c473b49ddf54d4a269bf604a2e5abd671b8eb50f6

Download Submit
memory/3772-42-0x0000000000C00000-0x0000000000C3E000-memory.dmp

Filesize
248KB

Download
memory/3772-43-0x0000000007F20000-0x00000000084C4000-memory.dmp

Filesize
5.6MB

Download
memory/3772-44-0x0000000007A10000-0x0000000007AA2000-memory.dmp

Filesize
584KB

Download
memory/3772-45-0x0000000002E10000-0x0000000002E1A000-memory.dmp

Filesize
40KB

Download
memory/3772-46-0x0000000008AF0000-0x0000000009108000-memory.dmp

Filesize
6.1MB

Download
memory/3772-47-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

Filesize
1.0MB

Download
memory/3772-48-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/3772-49-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/3772-50-0x0000000007C60000-0x0000000007CAC000-memory.dmp

Filesize
304KB

Download
memory/5088-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download