mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe
Size

1.5MB
MD5

5b1b2dc80e055c1f9326a1559bde65a6
SHA1

ea89222071ba275583438c34bf4b4f8b3158f798
SHA256

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050
SHA512

ebf613b3bedd1f9bb5db26415f70a35cbd03b5fd1ee0e7e1365802e39d434c8fa3324141c835ef2d0edbf47bb5e74413a1bf4f33e61148a577b082c454e31580
SSDEEP

24576:NyxMR3S1glDa50/SVv/sSf/D+JqaiuzDNV3vhwc9w8//Pkaku0bLYYddc8z:oOrlLSVvUSfyQuznpw0/cRbTQ

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral14/memory/1456-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/1456-41-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/1456-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe	family_redline
behavioral14/memory/1784-42-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

na1kC4Bb.exeZY7uv4SC.exenP8sj5RW.exeee5fj4HH.exe1Kj33LC4.exe2Gf969Yd.exe

pid process

3500 na1kC4Bb.exe
4076 ZY7uv4SC.exe
2540 nP8sj5RW.exe
1712 ee5fj4HH.exe
2000 1Kj33LC4.exe
1784 2Gf969Yd.exe

pid	process
3500	na1kC4Bb.exe
4076	ZY7uv4SC.exe
2540	nP8sj5RW.exe
1712	ee5fj4HH.exe
2000	1Kj33LC4.exe
1784	2Gf969Yd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

na1kC4Bb.exeZY7uv4SC.exenP8sj5RW.exeee5fj4HH.exe9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	na1kC4Bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZY7uv4SC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nP8sj5RW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ee5fj4HH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Kj33LC4.exe

description pid process target process

PID 2000 set thread context of 1456 2000 1Kj33LC4.exe AppLaunch.exe

description	pid	process	target process
PID 2000 set thread context of 1456	2000	1Kj33LC4.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exena1kC4Bb.exeZY7uv4SC.exenP8sj5RW.exeee5fj4HH.exe1Kj33LC4.exe

description	pid	process	target process
PID 2692 wrote to memory of 3500	2692	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe	na1kC4Bb.exe
PID 2692 wrote to memory of 3500	2692	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe	na1kC4Bb.exe
PID 2692 wrote to memory of 3500	2692	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe	na1kC4Bb.exe
PID 3500 wrote to memory of 4076	3500	na1kC4Bb.exe	ZY7uv4SC.exe
PID 3500 wrote to memory of 4076	3500	na1kC4Bb.exe	ZY7uv4SC.exe
PID 3500 wrote to memory of 4076	3500	na1kC4Bb.exe	ZY7uv4SC.exe
PID 4076 wrote to memory of 2540	4076	ZY7uv4SC.exe	nP8sj5RW.exe
PID 4076 wrote to memory of 2540	4076	ZY7uv4SC.exe	nP8sj5RW.exe
PID 4076 wrote to memory of 2540	4076	ZY7uv4SC.exe	nP8sj5RW.exe
PID 2540 wrote to memory of 1712	2540	nP8sj5RW.exe	ee5fj4HH.exe
PID 2540 wrote to memory of 1712	2540	nP8sj5RW.exe	ee5fj4HH.exe
PID 2540 wrote to memory of 1712	2540	nP8sj5RW.exe	ee5fj4HH.exe
PID 1712 wrote to memory of 2000	1712	ee5fj4HH.exe	1Kj33LC4.exe
PID 1712 wrote to memory of 2000	1712	ee5fj4HH.exe	1Kj33LC4.exe
PID 1712 wrote to memory of 2000	1712	ee5fj4HH.exe	1Kj33LC4.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 2000 wrote to memory of 1456	2000	1Kj33LC4.exe	AppLaunch.exe
PID 1712 wrote to memory of 1784	1712	ee5fj4HH.exe	2Gf969Yd.exe
PID 1712 wrote to memory of 1784	1712	ee5fj4HH.exe	2Gf969Yd.exe
PID 1712 wrote to memory of 1784	1712	ee5fj4HH.exe	2Gf969Yd.exe

C:\Users\Admin\AppData\Local\Temp\9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe
"C:\Users\Admin\AppData\Local\Temp\9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\na1kC4Bb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\na1kC4Bb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZY7uv4SC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZY7uv4SC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP8sj5RW.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP8sj5RW.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ee5fj4HH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ee5fj4HH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kj33LC4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kj33LC4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe
        6⤵
        Executes dropped EXE
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\na1kC4Bb.exe

Filesize
1.3MB

MD5
b42441576c3fae1111cfff9b01baaf44

SHA1
6a5a543c0dc2f216e8e1f2efd3bf07ff2a3d124f

SHA256
09002c1598c9d0ecc8204f35133c15a3a0d3b26fff9b7b3ee124eb9eee66a1fb

SHA512
79e2b022db37666ca032e98b32a087468fd9086ee363f7a4a5b9a86066a4ae407c108f7fd5fb96e4596451e59be528d8b6391314da588f86b7885783e28099ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZY7uv4SC.exe

Filesize
1.2MB

MD5
6e2ca063b5ef2c46f610faf3e6fe09aa

SHA1
a8ed15cefa6936b6775cf0cfbcba73996a3f128d

SHA256
1e1436d71b16fb0c3bd243f2e3737285d7a28b8237d0905ae6e0aaa409a45c03

SHA512
793ad10847f2c2c5174e2afb9bfb77d9209d6bf2227ae2dc58e21ba74f9c026c18de8626d9a5d840cc7287da350b6f0cb8268432e56ee2953f23528c9cd989dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP8sj5RW.exe

Filesize
761KB

MD5
bc46592f388e928f9762b5514a86ec94

SHA1
30632a3e344d9942f2585a5da38fba5b91e0114c

SHA256
228cc8716a7ddf36cadadf64441f02ad9b5cbf87a3b6b214b60f542a91786da3

SHA512
7b94ee93bb029a6c7d4581c7a8f3d080ce6890467312706761f5c5d627984a192ed051d4592171f9f2438459f16d7091572ed6e16397e65e1be2cd370ecdc8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ee5fj4HH.exe

Filesize
565KB

MD5
88f6abea62ac6255cc733600523415ab

SHA1
6c2bb40399ab8427e0fa0e89ddf1a402ca538869

SHA256
8ff9750981d74a52b9ba98cebcb3e361c368abae0e91d66ddb1fc319d6622146

SHA512
1493b37226058b57a11ae9ed5142cfb2afd73134aa095d42e72c80b53129ea99ae36467cf8941ef07bde15db0a279da0d2a95137da640460e8514da51f439c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kj33LC4.exe

Filesize
1.1MB

MD5
2302ab0ccaa1a21458f893e4b982e6fd

SHA1
60d30b1b123a7e337c333032224074811622e16d

SHA256
7779e272578e4a52b6ab4f20919df9d94f51808f7d2ae697f437b4f9f703db79

SHA512
a900c8c289f0782379a52e82b8787af7e6d932144f3c048c6b9981c3f1f862e7d229c6eb651f0e9e0ff9d7ab7be9b380cd51e920e96075b891753b24f830589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe

Filesize
221KB

MD5
2dd46fed4e062f7343714db1895371b5

SHA1
f450e8f8f5af864b26e022bb5f09aac4a33ffc04

SHA256
4bf8a364803741ead6d7b71d0fca8f46c0ef374240accc75c58798cdc09ed1af

SHA512
cf0b4a79f9ef302ed189fd47b930a38059ac8006b6662068bdf446f5db5374c5d9e619f9e2e1b790a56c2efb51b2126b053deb9590ab4d2d5586a60a0b20ed36

Download Submit
memory/1456-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-42-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/1784-43-0x00000000074A0000-0x0000000007A44000-memory.dmp

Filesize
5.6MB

Download
memory/1784-44-0x0000000006F90000-0x0000000007022000-memory.dmp

Filesize
584KB

Download
memory/1784-45-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1784-46-0x0000000008070000-0x0000000008688000-memory.dmp

Filesize
6.1MB

Download
memory/1784-47-0x00000000072F0000-0x00000000073FA000-memory.dmp

Filesize
1.0MB

Download
memory/1784-48-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/1784-49-0x00000000071E0000-0x000000000721C000-memory.dmp

Filesize
240KB

Download
memory/1784-50-0x0000000007160000-0x00000000071AC000-memory.dmp

Filesize
304KB

Download