mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe
Size

762KB
MD5

cce0e6653ee5fa0a395399fe8afaf08c
SHA1

4a4de5189ff93859b4021df87baa7b2978be0dae
SHA256

e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe
SHA512

ff882db3fc989c2fc6bfa3e3cb93210564a1bf4ddf2a2e670e5b33566e49f7d12239097350014b2b0f746dab55324cff2daae792c00b1c2a37c18dc72d585855
SSDEEP

12288:VMrXy90LmNlxfXHTA+RpYhaaKPDXuct1VfGdrAUKhzx4ot1Qj:uyGCt0LIaiPTRGqdtM

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral17/memory/3544-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/3544-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/3544-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/3544-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe	family_redline
behavioral17/memory/4928-22-0x0000000000D70000-0x0000000000DAE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Ox8Af2AB.exe1cL48jR4.exe2on701Xb.exe

pid process

4960 Ox8Af2AB.exe
4776 1cL48jR4.exe
4928 2on701Xb.exe

pid	process
4960	Ox8Af2AB.exe
4776	1cL48jR4.exe
4928	2on701Xb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exeOx8Af2AB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ox8Af2AB.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1cL48jR4.exe

description pid process target process

PID 4776 set thread context of 3544 4776 1cL48jR4.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2260 3544 WerFault.exe AppLaunch.exe
2832 4776 WerFault.exe 1cL48jR4.exe

description	pid	process	target process
PID 4776 set thread context of 3544	4776	1cL48jR4.exe	AppLaunch.exe

pid	pid_target	process	target process
2260	3544	WerFault.exe	AppLaunch.exe
2832	4776	WerFault.exe	1cL48jR4.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exeOx8Af2AB.exe1cL48jR4.exe

description	pid	process	target process
PID 4456 wrote to memory of 4960	4456	e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe	Ox8Af2AB.exe
PID 4456 wrote to memory of 4960	4456	e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe	Ox8Af2AB.exe
PID 4456 wrote to memory of 4960	4456	e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe	Ox8Af2AB.exe
PID 4960 wrote to memory of 4776	4960	Ox8Af2AB.exe	1cL48jR4.exe
PID 4960 wrote to memory of 4776	4960	Ox8Af2AB.exe	1cL48jR4.exe
PID 4960 wrote to memory of 4776	4960	Ox8Af2AB.exe	1cL48jR4.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4776 wrote to memory of 3544	4776	1cL48jR4.exe	AppLaunch.exe
PID 4960 wrote to memory of 4928	4960	Ox8Af2AB.exe	2on701Xb.exe
PID 4960 wrote to memory of 4928	4960	Ox8Af2AB.exe	2on701Xb.exe
PID 4960 wrote to memory of 4928	4960	Ox8Af2AB.exe	2on701Xb.exe

C:\Users\Admin\AppData\Local\Temp\e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe
"C:\Users\Admin\AppData\Local\Temp\e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ox8Af2AB.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ox8Af2AB.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cL48jR4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cL48jR4.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 200
5⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 596
4⤵
- Program crash
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe
3⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3544 -ip 3544
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4776 -ip 4776
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ox8Af2AB.exe
Filesize
566KB

MD5
c6954c790a31363fb2e1b2a1ba2b5f2c

SHA1
8fc3e9f8838edc2020814013bf44a11d8d6ff1c6

SHA256
d3115c4c7eb7a7aaf705926be5abda89c761e93f71f4ed154cc6889ca65b884c

SHA512
2191442213f88718e76c96977b7f8f84b0210c8967094e323d55adcbf94af2da1ab075506db5ec2ed8cc9695cf2ce25189acdafcf171daa5307d455673d9f571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cL48jR4.exe
Filesize
1.1MB

MD5
e2974232c7104516fa1fafa6edca4644

SHA1
9ad3c94bbfec224d9882c147fdc8d68cef481c2f

SHA256
81de8a5f9c66e3b1e7f877f821bb39fdc279a4d0970457fb7cac57599a8b2b2a

SHA512
d4115a2d2f34c613c134189e791bb60996b5214a4563e9ce917cb62efb872a10139acf9c238b41437c0045ca4a1b1e135aaf86550f151129beba8c1dd31cb9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2on701Xb.exe
Filesize
222KB

MD5
b137c6fdf594e3f65c15f668b98acdda

SHA1
1b3bf6689169b3eb1747eeccba7ba1fcbf504be1

SHA256
0fad045a93ca614c6c896a28ced633790e017432700ed849ea5cf199a4244e71

SHA512
75db7024feb5e9ca29e426396c1910b90dde27a4646e59e8273f7c51ec1d84b5c0082a5079f66c7fcc7974d9d65089d15636372a0c6ed8166db41f552981ec9d

Download Submit
memory/3544-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-23-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/4928-22-0x0000000000D70000-0x0000000000DAE000-memory.dmp

Filesize
248KB

Download
memory/4928-24-0x0000000007C40000-0x0000000007CD2000-memory.dmp

Filesize
584KB

Download
memory/4928-25-0x0000000003060000-0x000000000306A000-memory.dmp

Filesize
40KB

Download
memory/4928-26-0x0000000008D20000-0x0000000009338000-memory.dmp

Filesize
6.1MB

Download
memory/4928-27-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/4928-28-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4928-29-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/4928-30-0x0000000007F00000-0x0000000007F4C000-memory.dmp

Filesize
304KB

Download