mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe
Size

1.5MB
MD5

e0838331cb44293a79942554f0e84be8
SHA1

3337c90644f3abd2097d4f64605500f902e7c1e5
SHA256

d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf
SHA512

d66c8e738b7a8a6115fe2973778380aab22f7f57f5365c2e8a4f3de5205ab09f42ea6a0f33eb91414bed617e568bdbbe4cda1ececf437c1e2f45d03cce64d991
SSDEEP

24576:EyUZ5lFEBJT1rKp9725NozE/LY0is+KPwqih27rCy/ZkEJXqgJiqUTLw4OCTbsDf:TC5PEBJT1rK+5NozEDYvdh23hkeTiJ/D

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral17/memory/5072-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/5072-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/5072-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bd101eP.exe	family_redline
behavioral17/memory/2028-42-0x0000000000F10000-0x0000000000F4E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Xv9tr3ze.exeZy0XO3MO.exedw1Gh1Gm.exeyS3vD3QU.exe1dV15Qf2.exe2Bd101eP.exe

pid process

3616 Xv9tr3ze.exe
1400 Zy0XO3MO.exe
2276 dw1Gh1Gm.exe
2720 yS3vD3QU.exe
1556 1dV15Qf2.exe
2028 2Bd101eP.exe

pid	process
3616	Xv9tr3ze.exe
1400	Zy0XO3MO.exe
2276	dw1Gh1Gm.exe
2720	yS3vD3QU.exe
1556	1dV15Qf2.exe
2028	2Bd101eP.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Xv9tr3ze.exeZy0XO3MO.exedw1Gh1Gm.exeyS3vD3QU.exed89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xv9tr3ze.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zy0XO3MO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	dw1Gh1Gm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	yS3vD3QU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1dV15Qf2.exe

description pid process target process

PID 1556 set thread context of 5072 1556 1dV15Qf2.exe AppLaunch.exe

description	pid	process	target process
PID 1556 set thread context of 5072	1556	1dV15Qf2.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exeXv9tr3ze.exeZy0XO3MO.exedw1Gh1Gm.exeyS3vD3QU.exe1dV15Qf2.exe

description	pid	process	target process
PID 4352 wrote to memory of 3616	4352	d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe	Xv9tr3ze.exe
PID 4352 wrote to memory of 3616	4352	d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe	Xv9tr3ze.exe
PID 4352 wrote to memory of 3616	4352	d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe	Xv9tr3ze.exe
PID 3616 wrote to memory of 1400	3616	Xv9tr3ze.exe	Zy0XO3MO.exe
PID 3616 wrote to memory of 1400	3616	Xv9tr3ze.exe	Zy0XO3MO.exe
PID 3616 wrote to memory of 1400	3616	Xv9tr3ze.exe	Zy0XO3MO.exe
PID 1400 wrote to memory of 2276	1400	Zy0XO3MO.exe	dw1Gh1Gm.exe
PID 1400 wrote to memory of 2276	1400	Zy0XO3MO.exe	dw1Gh1Gm.exe
PID 1400 wrote to memory of 2276	1400	Zy0XO3MO.exe	dw1Gh1Gm.exe
PID 2276 wrote to memory of 2720	2276	dw1Gh1Gm.exe	yS3vD3QU.exe
PID 2276 wrote to memory of 2720	2276	dw1Gh1Gm.exe	yS3vD3QU.exe
PID 2276 wrote to memory of 2720	2276	dw1Gh1Gm.exe	yS3vD3QU.exe
PID 2720 wrote to memory of 1556	2720	yS3vD3QU.exe	1dV15Qf2.exe
PID 2720 wrote to memory of 1556	2720	yS3vD3QU.exe	1dV15Qf2.exe
PID 2720 wrote to memory of 1556	2720	yS3vD3QU.exe	1dV15Qf2.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 1556 wrote to memory of 5072	1556	1dV15Qf2.exe	AppLaunch.exe
PID 2720 wrote to memory of 2028	2720	yS3vD3QU.exe	2Bd101eP.exe
PID 2720 wrote to memory of 2028	2720	yS3vD3QU.exe	2Bd101eP.exe
PID 2720 wrote to memory of 2028	2720	yS3vD3QU.exe	2Bd101eP.exe

C:\Users\Admin\AppData\Local\Temp\d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe
"C:\Users\Admin\AppData\Local\Temp\d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xv9tr3ze.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xv9tr3ze.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zy0XO3MO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zy0XO3MO.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw1Gh1Gm.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw1Gh1Gm.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yS3vD3QU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yS3vD3QU.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dV15Qf2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dV15Qf2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bd101eP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bd101eP.exe
        6⤵
        Executes dropped EXE
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xv9tr3ze.exe

Filesize
1.3MB

MD5
1a0e6204cc920423ba789c5a048953e4

SHA1
d146a963aa879a3eaae75a0ad7247c987d54f53f

SHA256
8448f4cf8fed0f239c518b39fe93769012785dfbbeae1f567ceaba5b33965770

SHA512
53be74f9382705554e0f9ecaacb54b0569071f5754870fa96c3fffe6fb4318c61bddfde0ba16f9fc9cb1cd42eb101bdd5a8a83b1b5cbbd40f6e13b9ec60ea073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zy0XO3MO.exe

Filesize
1.1MB

MD5
dbc81dd2d177f21c0efa183243eab182

SHA1
f8c2d9653ecf675c415f1c110fbbb4264cdd71c2

SHA256
b51d66ae508771254a82152385344321aed872e1bc2031794c9c694f67557ab8

SHA512
0d701e8eb216f91e7c37469d1ed14ae02a50b1b97b06af6c0bce897d50ff0abbaba4dbe0c16d60a65b96f95800e44122de790b80b8544e9167dfdb6535764ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw1Gh1Gm.exe

Filesize
755KB

MD5
b5d9cd6e58bbb7d84f6b83a19465ec44

SHA1
575a97f2382d3336903b9fccaf6c4bf28fd11272

SHA256
9baf0f8b90390b40b9a9e151ce79718366119edae7aa86f52e481fbcd46c77a4

SHA512
760afee60926a5c65672e21b2ec9adc9d7d6d236f452cea3875395e62ff9f3032d47e754eb1cc985d5f969aa27c7772340753d6be96c663035e80c417542e18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yS3vD3QU.exe

Filesize
559KB

MD5
199a1bd042d4e947a6ebb877d9b34932

SHA1
b65d16fcb3ad8de31a2acd28ca4602baeeafc05f

SHA256
d460654883d8837075522877e480a1e992db4c7c44bcc4211c26ea98cef22c24

SHA512
cdc56b961e154d4314f0ef36aed447c6d983a5a8de9c1f608d4d4a4715db3bd866366adfc9ee24c231ea9b07c0c8c3b3bd67b7a8a6725a0f5390c84f9fcb2d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dV15Qf2.exe

Filesize
1.0MB

MD5
5248ac08e25309f143f7e90d8147e778

SHA1
35d1b321c1003a1bda2db4ea6c0ed1abb19549cf

SHA256
b66a3ca092b5f46a3862fb073dfea1b55a6f495cecb588e7342b1d6e27eef49b

SHA512
12699c32ae6a98c6f231b44c9357ebcc4aaf14cb66121a09a3735a9a7ffaecc5a48c23f2fb723adad8969483ec65c650207e62e27c69a3328b9bf5e4c009a151

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bd101eP.exe

Filesize
222KB

MD5
bcdca1cb2121fa1ccbda6ce19e8d9161

SHA1
6cc9db289655ccb0a7c56f2db306c6349aace2d7

SHA256
7a1aba433bd35a1135932eb603b3dbf095238a4f76acd65f94ee2722402f056f

SHA512
5dfd9662303691257ed6d4ef5cceea276665c7579e6e638aa61ca2c2b0b2b286ee926540bde79435802209eec55c54282a955adbc66dff23cac2be8d241f8d37

Download Submit
memory/2028-42-0x0000000000F10000-0x0000000000F4E000-memory.dmp

Filesize
248KB

Download
memory/2028-43-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/2028-44-0x0000000007E10000-0x0000000007EA2000-memory.dmp

Filesize
584KB

Download
memory/2028-45-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/2028-46-0x0000000008E90000-0x00000000094A8000-memory.dmp

Filesize
6.1MB

Download
memory/2028-47-0x0000000008140000-0x000000000824A000-memory.dmp

Filesize
1.0MB

Download
memory/2028-48-0x0000000008000000-0x0000000008012000-memory.dmp

Filesize
72KB

Download
memory/2028-49-0x0000000008070000-0x00000000080AC000-memory.dmp

Filesize
240KB

Download
memory/2028-50-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/5072-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download