mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe
Size

1.5MB
MD5

7964cb5a97e62e57f61be66176a87389
SHA1

1c334b41b699bd6252712e511f7304c081dce0fa
SHA256

e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753
SHA512

5391152d80f48d68120f3a37018e764eca765db51766b5d7067927447fe915983e297b01da9fb9eb873a3e041d8f025c87396375ef4c49ca06c7c9364d6a8fd0
SSDEEP

24576:qyp47I/ToqZ/x8ezGGzzGuosA5Kfx1XZ5MgOVRjS5GECHcPB5KYPEyqfrm2fgNJ2:xp48z/u6jGu2Ap1XZ5LKTEAcPWYcyef8

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral20/memory/4404-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/4404-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/4404-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GJ360Do.exe	family_redline
behavioral20/memory/4724-42-0x00000000001F0000-0x000000000022E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

xP0Kx8Ub.exeJr4Qw5sx.exetn8ur5uB.exeTs1Bc5gB.exe1hh18dd8.exe2GJ360Do.exe

pid process

980 xP0Kx8Ub.exe
3972 Jr4Qw5sx.exe
2096 tn8ur5uB.exe
3680 Ts1Bc5gB.exe
5060 1hh18dd8.exe
4724 2GJ360Do.exe

pid	process
980	xP0Kx8Ub.exe
3972	Jr4Qw5sx.exe
2096	tn8ur5uB.exe
3680	Ts1Bc5gB.exe
5060	1hh18dd8.exe
4724	2GJ360Do.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exexP0Kx8Ub.exeJr4Qw5sx.exetn8ur5uB.exeTs1Bc5gB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xP0Kx8Ub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Jr4Qw5sx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tn8ur5uB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ts1Bc5gB.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1hh18dd8.exe

description pid process target process

PID 5060 set thread context of 4404 5060 1hh18dd8.exe AppLaunch.exe

description	pid	process	target process
PID 5060 set thread context of 4404	5060	1hh18dd8.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exexP0Kx8Ub.exeJr4Qw5sx.exetn8ur5uB.exeTs1Bc5gB.exe1hh18dd8.exe

description	pid	process	target process
PID 2372 wrote to memory of 980	2372	e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe	xP0Kx8Ub.exe
PID 2372 wrote to memory of 980	2372	e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe	xP0Kx8Ub.exe
PID 2372 wrote to memory of 980	2372	e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe	xP0Kx8Ub.exe
PID 980 wrote to memory of 3972	980	xP0Kx8Ub.exe	Jr4Qw5sx.exe
PID 980 wrote to memory of 3972	980	xP0Kx8Ub.exe	Jr4Qw5sx.exe
PID 980 wrote to memory of 3972	980	xP0Kx8Ub.exe	Jr4Qw5sx.exe
PID 3972 wrote to memory of 2096	3972	Jr4Qw5sx.exe	tn8ur5uB.exe
PID 3972 wrote to memory of 2096	3972	Jr4Qw5sx.exe	tn8ur5uB.exe
PID 3972 wrote to memory of 2096	3972	Jr4Qw5sx.exe	tn8ur5uB.exe
PID 2096 wrote to memory of 3680	2096	tn8ur5uB.exe	Ts1Bc5gB.exe
PID 2096 wrote to memory of 3680	2096	tn8ur5uB.exe	Ts1Bc5gB.exe
PID 2096 wrote to memory of 3680	2096	tn8ur5uB.exe	Ts1Bc5gB.exe
PID 3680 wrote to memory of 5060	3680	Ts1Bc5gB.exe	1hh18dd8.exe
PID 3680 wrote to memory of 5060	3680	Ts1Bc5gB.exe	1hh18dd8.exe
PID 3680 wrote to memory of 5060	3680	Ts1Bc5gB.exe	1hh18dd8.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 5060 wrote to memory of 4404	5060	1hh18dd8.exe	AppLaunch.exe
PID 3680 wrote to memory of 4724	3680	Ts1Bc5gB.exe	2GJ360Do.exe
PID 3680 wrote to memory of 4724	3680	Ts1Bc5gB.exe	2GJ360Do.exe
PID 3680 wrote to memory of 4724	3680	Ts1Bc5gB.exe	2GJ360Do.exe

C:\Users\Admin\AppData\Local\Temp\e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe
"C:\Users\Admin\AppData\Local\Temp\e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xP0Kx8Ub.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xP0Kx8Ub.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jr4Qw5sx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jr4Qw5sx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tn8ur5uB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tn8ur5uB.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ts1Bc5gB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ts1Bc5gB.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hh18dd8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hh18dd8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GJ360Do.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GJ360Do.exe
        6⤵
        Executes dropped EXE
        
        PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xP0Kx8Ub.exe

Filesize
1.3MB

MD5
921b866f11b3d7d29d311da9ec90a390

SHA1
51a5d2bc00d26d3bcd84c8011b10adb8eda581d6

SHA256
a483f5824ab01a865b1da9a65b9f7d763406bee2224abd1236228fa65975ea3c

SHA512
4802dc9970262f88ad518a7c4afeb209aaeb8ca96b83dc8ae62371aa5e2cdbc3a969e95c21c0a93d8c5cb5726ca3f5fb311a88bb34c02da4748a14f22db6d46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jr4Qw5sx.exe

Filesize
1.1MB

MD5
caf1de153dc5694fb611afbe91b867bb

SHA1
d4db32e6cd1d5859228f0dca7e01da1d8656b7f8

SHA256
bbc688db26924551c06bf4f32c00bd596a4320be0eb55c70f3cdce244c30d51f

SHA512
eb19a0106faaeeea2d4e3b6ffbaead419ae6fa23ff47eb7ccf63abdc362158957dd1f9eb526c5fed71dc342f6e6660bb4900d6cd34583648eafb667d81911112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tn8ur5uB.exe

Filesize
760KB

MD5
872dca75b2974f87fdb8d98479926cb2

SHA1
9f0836096c7cf4b559d291ff8245efa54b5d791f

SHA256
a56bc38e9e355f50272cc8974e5fec842aad9924fce42fcefcb8e4d26435a5e2

SHA512
730b32157639d4e1d2055284d9e8d5813dbb574f138ebdea961ff348396e9fd6cf9db32bfb9f19872f62dbd6a1505581c2c4372ba011d07ad612698e60f6bde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ts1Bc5gB.exe

Filesize
563KB

MD5
3b46923f8345081a5aa80d2a59f282d6

SHA1
1c7f6591d16c07dc4a6a403c7da3f7fcbd41b055

SHA256
d89a2603b0d8c4426c8595c859f3ecbe61381731ac2e8fbfa9d82a399b01e0b1

SHA512
7afdd6f404c3badf9147366fd2f324b3088c0466b7cfc42a64a253ae6a49219a636eac7d4167f80dfb1e9ad7093179ef45786b12669c8415d0f66e41f378ee8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hh18dd8.exe

Filesize
1.1MB

MD5
4479a6a6fa8b0f1a5925104730424b19

SHA1
dc012973c9d31ae058b67226fc3f350ae75366c1

SHA256
ed71169c0402cd82202627ac78b75bdbd5dadfa49715c2afdcecc6cac7f0b844

SHA512
76be8e1381fc51954adeb1b1e82509f36b433b044707a327e6508139761ff8ff3a743c37cd28ed23dd9288fa17a27481e7bf4c002bd1b98e10ceac22acb44c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GJ360Do.exe

Filesize
221KB

MD5
a0df13c15b2f265aa1389bf5c3f3aa2f

SHA1
571d6cee614d5eb91c5125dfa485ffb76484733a

SHA256
1e2e961302ac99412388c345903cf237ecb99d2f3633ad8cbf49318da6fbcb90

SHA512
e83091247a6182aff0cbdfa35b57aa25512d54dfeaebe43c91fd54359e01beede9d0bf497d4a944b0b442876491425ecea2eb9056cd8d5d0daa0e6681cd0898e

Download Submit
memory/4404-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-42-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/4724-43-0x00000000074C0000-0x0000000007A64000-memory.dmp

Filesize
5.6MB

Download
memory/4724-44-0x0000000006FF0000-0x0000000007082000-memory.dmp

Filesize
584KB

Download
memory/4724-45-0x00000000045E0000-0x00000000045EA000-memory.dmp

Filesize
40KB

Download
memory/4724-46-0x0000000008090000-0x00000000086A8000-memory.dmp

Filesize
6.1MB

Download
memory/4724-48-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/4724-47-0x00000000072E0000-0x00000000073EA000-memory.dmp

Filesize
1.0MB

Download
memory/4724-49-0x0000000007210000-0x000000000724C000-memory.dmp

Filesize
240KB

Download
memory/4724-50-0x0000000007250000-0x000000000729C000-memory.dmp

Filesize
304KB

Download