mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
Size

1.5MB
MD5

425c8308ba915888c763598588323ac2
SHA1

9410ce870c4ce520e471918f4aae9483b41c6b07
SHA256

92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85
SHA512

01ab83ce85b80e525c78b09b80092154fb7546340e848706e1ca2d4133b41e04725bbca849fa5c2c1e9eab4fbcf2a181e2eb86a7e8d5ec190f1caf25da3a7436
SSDEEP

24576:ZyRdA6tQPlsQxiyNcQwRZxDbV8Gubb2XY04aiWWcREuLBu1uAhzOkZ86+Hy:MRdAHlsQxiMwfRJ8Gkw4HtYBu1ucCy8n

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral13/memory/4932-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral13/memory/4932-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral13/memory/4932-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe	family_redline
behavioral13/memory/2180-42-0x0000000000950000-0x000000000098E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

xM5zw6Ii.exePD7nI5CD.exeEl2Fn6xo.exezM0Xm0bU.exe1UM42uf1.exe2nV349DO.exe

pid process

4848 xM5zw6Ii.exe
3796 PD7nI5CD.exe
428 El2Fn6xo.exe
4340 zM0Xm0bU.exe
2140 1UM42uf1.exe
2180 2nV349DO.exe

pid	process
4848	xM5zw6Ii.exe
3796	PD7nI5CD.exe
428	El2Fn6xo.exe
4340	zM0Xm0bU.exe
2140	1UM42uf1.exe
2180	2nV349DO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PD7nI5CD.exeEl2Fn6xo.exezM0Xm0bU.exe92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exexM5zw6Ii.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PD7nI5CD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	El2Fn6xo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zM0Xm0bU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xM5zw6Ii.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1UM42uf1.exe

description pid process target process

PID 2140 set thread context of 4932 2140 1UM42uf1.exe AppLaunch.exe

description	pid	process	target process
PID 2140 set thread context of 4932	2140	1UM42uf1.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exexM5zw6Ii.exePD7nI5CD.exeEl2Fn6xo.exezM0Xm0bU.exe1UM42uf1.exe

description	pid	process	target process
PID 2932 wrote to memory of 4848	2932	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe	xM5zw6Ii.exe
PID 2932 wrote to memory of 4848	2932	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe	xM5zw6Ii.exe
PID 2932 wrote to memory of 4848	2932	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe	xM5zw6Ii.exe
PID 4848 wrote to memory of 3796	4848	xM5zw6Ii.exe	PD7nI5CD.exe
PID 4848 wrote to memory of 3796	4848	xM5zw6Ii.exe	PD7nI5CD.exe
PID 4848 wrote to memory of 3796	4848	xM5zw6Ii.exe	PD7nI5CD.exe
PID 3796 wrote to memory of 428	3796	PD7nI5CD.exe	El2Fn6xo.exe
PID 3796 wrote to memory of 428	3796	PD7nI5CD.exe	El2Fn6xo.exe
PID 3796 wrote to memory of 428	3796	PD7nI5CD.exe	El2Fn6xo.exe
PID 428 wrote to memory of 4340	428	El2Fn6xo.exe	zM0Xm0bU.exe
PID 428 wrote to memory of 4340	428	El2Fn6xo.exe	zM0Xm0bU.exe
PID 428 wrote to memory of 4340	428	El2Fn6xo.exe	zM0Xm0bU.exe
PID 4340 wrote to memory of 2140	4340	zM0Xm0bU.exe	1UM42uf1.exe
PID 4340 wrote to memory of 2140	4340	zM0Xm0bU.exe	1UM42uf1.exe
PID 4340 wrote to memory of 2140	4340	zM0Xm0bU.exe	1UM42uf1.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	AppLaunch.exe
PID 4340 wrote to memory of 2180	4340	zM0Xm0bU.exe	2nV349DO.exe
PID 4340 wrote to memory of 2180	4340	zM0Xm0bU.exe	2nV349DO.exe
PID 4340 wrote to memory of 2180	4340	zM0Xm0bU.exe	2nV349DO.exe

C:\Users\Admin\AppData\Local\Temp\92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
"C:\Users\Admin\AppData\Local\Temp\92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5zw6Ii.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5zw6Ii.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PD7nI5CD.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PD7nI5CD.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El2Fn6xo.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El2Fn6xo.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zM0Xm0bU.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zM0Xm0bU.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UM42uf1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UM42uf1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe
6⤵
- Executes dropped EXE
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5zw6Ii.exe
Filesize
1.3MB

MD5
e70923307d10721689c5561892f8c55f

SHA1
4e532bfdb5a295402a0bb47afa7f68b83550d723

SHA256
2d385a948fe63e837541d02d401177251cff9194d59b7e0c619264f0dab64b02

SHA512
cc868634491ea7e3cb69af41c37558017bc42ac843477a4db734188333871a3797d936ada11aa14abfe957b19fb3842f6daf85fd255a7af8470c610639aabbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PD7nI5CD.exe
Filesize
1.1MB

MD5
be53836db15b8dfc390ce7957889f3a4

SHA1
cb8e9bdb97b8b31dd476f91a7f26d43f96050237

SHA256
d092e25ae7bea9f604bd113798d663474f73dc51adc9b5a5d7eaa847f33dbe9b

SHA512
8f876faecab2e77065d5cf4b1c251723767ad0e8ced84f69bab34ca099848da4c42be46945abf77cd9e5a0858724ecd0828e8bbca4c3335dc7569b2aa342b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El2Fn6xo.exe
Filesize
758KB

MD5
9e94ef1b931f68f722a69465756bbe30

SHA1
f32835ba07cd05bbc2311939ce3b4117f67f21ab

SHA256
c4250eab48d9405545214da261a19ccd6e3e4652a5bde20d9e585bf9e80f2201

SHA512
890469d459e8743b9dbda8b23cf140b4f650c3a6de8c8727f80fa0f776f95102c65d1d1f7076fb21a92c816ca090bae141e104ba1a6b8f6c4102355d45739b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zM0Xm0bU.exe
Filesize
562KB

MD5
bb4821e16408061fd669b608ba7914e6

SHA1
2a82f9a9d07bcec6d6a05514a492d6f58c9746f7

SHA256
730c808381a1f128a4f6f1004ea0156e2c76731f7cdb44781b8f2286024427a1

SHA512
7eafb112c9a36207ac01e99185474190334901d196f7fcdcc74f0a4d1e043e9a7aace065a3a46dbd4d854df8ba92593847a00a7517947b11c6df1d6c62144f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UM42uf1.exe
Filesize
1.1MB

MD5
a07c046be4d31f27ce12d25923953f66

SHA1
f7647894a3eff651fd9b5c58bdef50dd753ac3f0

SHA256
b0de5b7b284346e3d289e11608df560463a4235371a357caba7500af40d6eca8

SHA512
1877bf0fc1a1d477cdeec7a06ead33d8a113c877a9ed371ad966c9b405ff0354ffa5c49a138b86eed31e9fe4c92342ce9c693abc88174833f85f2a4720eeca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe
Filesize
222KB

MD5
d1b3b07728c3768f9c0871c4cc6e0738

SHA1
ef37d8cb41d26dedcaf6c9645dc343f0fdf7b567

SHA256
b567bc4b9b529a67ea1c785cfe0541df26c68b037219f58d0a00baca429903b9

SHA512
69f31b063e7b6e5a737c0fc4ab32d8af62fa844e9f80e316b1c82c79d80274993857d5c0629456c243ea7d48fbbea0bfb889112ec35687c8d655119c3a09061f

Download Submit
memory/2180-42-0x0000000000950000-0x000000000098E000-memory.dmp

Filesize
248KB

Download
memory/2180-43-0x0000000007DC0000-0x0000000008364000-memory.dmp

Filesize
5.6MB

Download
memory/2180-44-0x00000000078B0000-0x0000000007942000-memory.dmp

Filesize
584KB

Download
memory/2180-45-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/2180-46-0x0000000008990000-0x0000000008FA8000-memory.dmp

Filesize
6.1MB

Download
memory/2180-47-0x0000000007C40000-0x0000000007D4A000-memory.dmp

Filesize
1.0MB

Download
memory/2180-48-0x0000000007950000-0x0000000007962000-memory.dmp

Filesize
72KB

Download
memory/2180-49-0x00000000079B0000-0x00000000079EC000-memory.dmp

Filesize
240KB

Download
memory/2180-50-0x0000000007B30000-0x0000000007B7C000-memory.dmp

Filesize
304KB

Download
memory/4932-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download