mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
Size

1.5MB
MD5

107010beec076341ed4728108616ae14
SHA1

d521c427abf30e3dea44b2e3a6715310b13d5236
SHA256

a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52
SHA512

c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78
SSDEEP

24576:ByyUtVJGOjT10AgnfUZqs+D5aT82lA/Z1SMU9sWdtqvO9J:0yUhRT10Lnf8Z+D5YNKR1SMUfdt0U

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral15/memory/2904-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral15/memory/2904-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral15/memory/2904-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe	family_redline
behavioral15/memory/116-42-0x00000000000C0000-0x00000000000FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

vS3cv7Ny.exemd5uC1Kk.exeig9ND9Br.exehW6pu6vt.exe1Ea32tu8.exe2nO120ja.exe

pid process

4592 vS3cv7Ny.exe
724 md5uC1Kk.exe
2308 ig9ND9Br.exe
5000 hW6pu6vt.exe
4924 1Ea32tu8.exe
116 2nO120ja.exe

pid	process
4592	vS3cv7Ny.exe
724	md5uC1Kk.exe
2308	ig9ND9Br.exe
5000	hW6pu6vt.exe
4924	1Ea32tu8.exe
116	2nO120ja.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hW6pu6vt.exea68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exevS3cv7Ny.exemd5uC1Kk.exeig9ND9Br.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	hW6pu6vt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vS3cv7Ny.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	md5uC1Kk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ig9ND9Br.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Ea32tu8.exe

description pid process target process

PID 4924 set thread context of 2904 4924 1Ea32tu8.exe AppLaunch.exe

description	pid	process	target process
PID 4924 set thread context of 2904	4924	1Ea32tu8.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exevS3cv7Ny.exemd5uC1Kk.exeig9ND9Br.exehW6pu6vt.exe1Ea32tu8.exe

description	pid	process	target process
PID 4188 wrote to memory of 4592	4188	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe	vS3cv7Ny.exe
PID 4188 wrote to memory of 4592	4188	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe	vS3cv7Ny.exe
PID 4188 wrote to memory of 4592	4188	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe	vS3cv7Ny.exe
PID 4592 wrote to memory of 724	4592	vS3cv7Ny.exe	md5uC1Kk.exe
PID 4592 wrote to memory of 724	4592	vS3cv7Ny.exe	md5uC1Kk.exe
PID 4592 wrote to memory of 724	4592	vS3cv7Ny.exe	md5uC1Kk.exe
PID 724 wrote to memory of 2308	724	md5uC1Kk.exe	ig9ND9Br.exe
PID 724 wrote to memory of 2308	724	md5uC1Kk.exe	ig9ND9Br.exe
PID 724 wrote to memory of 2308	724	md5uC1Kk.exe	ig9ND9Br.exe
PID 2308 wrote to memory of 5000	2308	ig9ND9Br.exe	hW6pu6vt.exe
PID 2308 wrote to memory of 5000	2308	ig9ND9Br.exe	hW6pu6vt.exe
PID 2308 wrote to memory of 5000	2308	ig9ND9Br.exe	hW6pu6vt.exe
PID 5000 wrote to memory of 4924	5000	hW6pu6vt.exe	1Ea32tu8.exe
PID 5000 wrote to memory of 4924	5000	hW6pu6vt.exe	1Ea32tu8.exe
PID 5000 wrote to memory of 4924	5000	hW6pu6vt.exe	1Ea32tu8.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 4924 wrote to memory of 2904	4924	1Ea32tu8.exe	AppLaunch.exe
PID 5000 wrote to memory of 116	5000	hW6pu6vt.exe	2nO120ja.exe
PID 5000 wrote to memory of 116	5000	hW6pu6vt.exe	2nO120ja.exe
PID 5000 wrote to memory of 116	5000	hW6pu6vt.exe	2nO120ja.exe

C:\Users\Admin\AppData\Local\Temp\a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
"C:\Users\Admin\AppData\Local\Temp\a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hW6pu6vt.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hW6pu6vt.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ea32tu8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ea32tu8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe
6⤵
- Executes dropped EXE
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
Filesize
1.3MB

MD5
5e5e0f3b6bd23c17863a01d7e4439671

SHA1
2ac6bbedefd43a4fb1acb1b86982ff19ea5ffe8a

SHA256
db3f5deaf908591e151bdb9b23661598a8e6fb49973908c3fcea984b53897aab

SHA512
545ca59ef97f0dc4b3ca7830e58a7845915048fc8fffa365d7b3d555f77942cd5c906f4cad384c169c1ca511f3e50a31a8a4a36a101ac6069f2f469faef6e89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
Filesize
1.2MB

MD5
e7f0ff0fc5d8ea2d182ae44634559875

SHA1
a7b2e67408a3f1d28d494c8a28089ca6347e3bff

SHA256
d30cdc5c8dcc4fae16924de9e07d71de570b81aa8f8746fad42c4193dee99154

SHA512
cab1b57bd4ee2f32c71f9b787bc150bbfc9aeb103d1b636cbec572d543f6056b49ace8fd84a7c4d34499abcaae06a6fa4462d14a1c7a6e0e52be481c8dac729c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
Filesize
761KB

MD5
ee6710d772b4fa041ae3a6f57e8d7c05

SHA1
92345b8a2ece6d56842520922dd9f656cf347e96

SHA256
73b205f448b646e118fbaf2b64497d60ae79e7c528f69dda34aef6028ef91698

SHA512
d200796376d83c7723e3a041e5a30f5e07849ced11f313b5d51f0752e2e5fb85d225bb7ffc6f309408444adb9db881e1325e8428374e44980de42f1763033d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hW6pu6vt.exe
Filesize
565KB

MD5
b0d76a3682645518d2343a7c7df92342

SHA1
90de95db225295476be3704dd94d086da8f7d94b

SHA256
3e91f2232f52be3d79eae8e8e20b2078c040296a73c5caf7babe12cc104e7f51

SHA512
9c2b834ce01390c25607d04ce5bd9b20260d56e1769b1bfe85865d66273bf281f86e40b7984a0da7bfd14c67d914766c8af2e695fd5212f5039b24f33f5a4a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ea32tu8.exe
Filesize
1.1MB

MD5
9046d6452dc56f767b5634b91984df5b

SHA1
2652f44290e9aa986150c1d8ab0ebfd09dbaedfc

SHA256
065c2a915f5d18dff55ae9638fe2cfd99cdbb56bad37a6e62972d41180b53d01

SHA512
fed245375b595b7a1a66bcf91cbc9407fbaa3f35ae7c270879dea494fce8a7b144a6d293af8e4416ae09477edfb2caeb929c87eaaa4ffad4077bb8a63d4fe5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe
Filesize
221KB

MD5
e9072dfff42499a824f1cbfd0f2682a2

SHA1
b9cc6ba1bf371c9f42bc29b191c9e0c3684fadea

SHA256
89a4a03c0008f71f3aa17a852c21fbd18e01e00a05a85c9367ce835d208a6bca

SHA512
4dc08c3bb5ed5d5de1e1981cb44a882874cde363dc805f6104e58b9bafedbb58764bf9727bb83b5022d10c05cb75976a85ee4f6ffd608745a4f3526101829d8f

Download Submit
memory/116-42-0x00000000000C0000-0x00000000000FE000-memory.dmp

Filesize
248KB

Download
memory/116-43-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/116-44-0x0000000006F80000-0x0000000007012000-memory.dmp

Filesize
584KB

Download
memory/116-45-0x0000000002550000-0x000000000255A000-memory.dmp

Filesize
40KB

Download
memory/116-46-0x0000000008000000-0x0000000008618000-memory.dmp

Filesize
6.1MB

Download
memory/116-47-0x00000000072E0000-0x00000000073EA000-memory.dmp

Filesize
1.0MB

Download
memory/116-48-0x00000000071D0000-0x00000000071E2000-memory.dmp

Filesize
72KB

Download
memory/116-49-0x0000000007230000-0x000000000726C000-memory.dmp

Filesize
240KB

Download
memory/116-50-0x0000000007270000-0x00000000072BC000-memory.dmp

Filesize
304KB

Download
memory/2904-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download