mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe
Size

1.3MB
MD5

5fd4292227679641bd077b5860cc1b20
SHA1

6d16d9ed9789439a53edcb08fc29c94dc333ddec
SHA256

2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32
SHA512

18a29392c34b6cf2efec0cd7c8fe3d1c46ef140eee726ec2a6bcc78cdabbce19b7ba74d434e1bfed37acc40ad1e91146ad56a011dc670bf696469dc8723021f8
SSDEEP

24576:nyuoJKNzEOwgX1dtUiF7y3rnffcn+CnHREo6MsW:yuxwgWKy3rffcnlLT

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/2948-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2948-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2948-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023449-33.dat	family_redline
behavioral7/memory/3540-35-0x0000000000DA0000-0x0000000000DDE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
2944	uh4rV1qT.exe
4076	Ve2OH5Tx.exe
1320	jd4Sg0gI.exe
4488	1fW61iv0.exe
3540	2YL576Rf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uh4rV1qT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ve2OH5Tx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jd4Sg0gI.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 2948	4488	1fW61iv0.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2944	4700	2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe	85
PID 4700 wrote to memory of 2944	4700	2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe	85
PID 4700 wrote to memory of 2944	4700	2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe	85
PID 2944 wrote to memory of 4076	2944	uh4rV1qT.exe	86
PID 2944 wrote to memory of 4076	2944	uh4rV1qT.exe	86
PID 2944 wrote to memory of 4076	2944	uh4rV1qT.exe	86
PID 4076 wrote to memory of 1320	4076	Ve2OH5Tx.exe	87
PID 4076 wrote to memory of 1320	4076	Ve2OH5Tx.exe	87
PID 4076 wrote to memory of 1320	4076	Ve2OH5Tx.exe	87
PID 1320 wrote to memory of 4488	1320	jd4Sg0gI.exe	88
PID 1320 wrote to memory of 4488	1320	jd4Sg0gI.exe	88
PID 1320 wrote to memory of 4488	1320	jd4Sg0gI.exe	88
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 4488 wrote to memory of 2948	4488	1fW61iv0.exe	92
PID 1320 wrote to memory of 3540	1320	jd4Sg0gI.exe	93
PID 1320 wrote to memory of 3540	1320	jd4Sg0gI.exe	93
PID 1320 wrote to memory of 3540	1320	jd4Sg0gI.exe	93

C:\Users\Admin\AppData\Local\Temp\2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe
"C:\Users\Admin\AppData\Local\Temp\2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uh4rV1qT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uh4rV1qT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ve2OH5Tx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ve2OH5Tx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jd4Sg0gI.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jd4Sg0gI.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW61iv0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW61iv0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YL576Rf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YL576Rf.exe
        5⤵
        Executes dropped EXE
        
        PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uh4rV1qT.exe

Filesize
1.2MB

MD5
1d33cc7609f50018e430042ea4cc87ee

SHA1
bb93fd0194e4115fc9161d0858797f1a815d3712

SHA256
64a523cf9fe8d787427c9327b8511cbeb9ebee47870a542c2105ce09b42b6cd4

SHA512
40589d27b5afa341f3a94373e09f2cf2317c3a8a9181c9ec2ad071e955aa962a1f03c9af30999957693b769ff1ec92af86d6c0416ad78d5b219263bc42abd0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ve2OH5Tx.exe

Filesize
761KB

MD5
8228d2ba5624d8f6a6b58ce79f3f9055

SHA1
e68f3762a51f303fbc9b6c5aa1bc6261baa920a1

SHA256
3dc9c0f23ea25df9bd1eedae5f9468c962c355bd5dfbe921c81c61517eaf8be6

SHA512
866a7347765b63fb6039dce9a54ef8d321cb7355db922734bf03c7881177a4f971ca68db1ae6fd0ba58c85829146cb67cac153b5016d2c2f4890751199ebbf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jd4Sg0gI.exe

Filesize
565KB

MD5
09cd7f113fac6343927a2742ca938a95

SHA1
9f6349efe4257d5991919fa87b8fd275f9f8d3e4

SHA256
0786c7c85047b6a0ed4803ca25de9afc92a869438b2c73a85bcf77e66bee5a27

SHA512
8681aa6163809d8b8c31da9d6b3b857857a33afd9ea3d08fc727562b145176115a8095c5f29e47c24a99ecf5e6085377292bd9c8b2cd630e4d4a736d7b4aa605

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW61iv0.exe

Filesize
1.1MB

MD5
69c71d45f13e1a096ca26926c7181c6f

SHA1
c868ce38355ba22b46fefc6e7240a675efff97e7

SHA256
5f4e55e97fabbc5b675b4cdea2dae74832afe6590c36e19d40ef6b0a20a385c8

SHA512
cf7f3278837d007de125209d8945fd1871ee4708b31f669bde553db9a9f11826f25c4ae98143da1ad5816a928948f671f2cfa9a59a3bc68494ead4dedf6a2d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YL576Rf.exe

Filesize
222KB

MD5
a153557c89c6703b2a5a19c38b25aa35

SHA1
3ce93aed76490c42c91a5bc83b8d94fe918b7729

SHA256
9a00772644aa54ed1e8971d18831a6418efdab651091198176662cb66e4999e7

SHA512
029214ccaa772b7a3a50b20a66ab83e1a7698a3bb30b28f7fcd5cd3691b0ba503eb00cd882080945c39cb2fde598318a2cd75c322eb65fd8af8f24748200c349

Download Submit
memory/2948-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-35-0x0000000000DA0000-0x0000000000DDE000-memory.dmp

Filesize
248KB

Download
memory/3540-36-0x0000000008120000-0x00000000086C4000-memory.dmp

Filesize
5.6MB

Download
memory/3540-37-0x0000000007B70000-0x0000000007C02000-memory.dmp

Filesize
584KB

Download
memory/3540-38-0x0000000001610000-0x000000000161A000-memory.dmp

Filesize
40KB

Download
memory/3540-39-0x0000000008CF0000-0x0000000009308000-memory.dmp

Filesize
6.1MB

Download
memory/3540-40-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3540-41-0x0000000007D60000-0x0000000007D72000-memory.dmp

Filesize
72KB

Download
memory/3540-42-0x0000000007DC0000-0x0000000007DFC000-memory.dmp

Filesize
240KB

Download
memory/3540-43-0x0000000007F50000-0x0000000007F9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads