mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe
Size

1.5MB
MD5

64f89290a64abad100d348699d1b9f44
SHA1

09d199723d53d631f91050622213908aff44c179
SHA256

9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78
SHA512

dd7767deedf6e5510b08661597d7b761728061108c5f5ac508462013e1e7e653ef017550dbe4ded32c4bb9927e8badb17b197fb3bd7a0673c84c188d05fc263e
SSDEEP

24576:fyOo2HDFMX0xNO2I9P8cgLXCB3slm7URSAP7nb1PD339S7wb:qOxHKJPqc6Ico+jDnb1b339S

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral10/memory/2084-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/2084-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/2084-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x00070000000233df-40.dat	family_redline
behavioral10/memory/4432-42-0x0000000000EF0000-0x0000000000F2E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3904	Qw3yG4lR.exe
4048	do1Sv5Ok.exe
740	Pb9dd0VC.exe
1268	BL4sU4GJ.exe
2284	1Mt19BO9.exe
4432	2TQ978oJ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qw3yG4lR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	do1Sv5Ok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Pb9dd0VC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	BL4sU4GJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2084	2284	1Mt19BO9.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3904	2596	9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe	83
PID 2596 wrote to memory of 3904	2596	9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe	83
PID 2596 wrote to memory of 3904	2596	9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe	83
PID 3904 wrote to memory of 4048	3904	Qw3yG4lR.exe	84
PID 3904 wrote to memory of 4048	3904	Qw3yG4lR.exe	84
PID 3904 wrote to memory of 4048	3904	Qw3yG4lR.exe	84
PID 4048 wrote to memory of 740	4048	do1Sv5Ok.exe	86
PID 4048 wrote to memory of 740	4048	do1Sv5Ok.exe	86
PID 4048 wrote to memory of 740	4048	do1Sv5Ok.exe	86
PID 740 wrote to memory of 1268	740	Pb9dd0VC.exe	88
PID 740 wrote to memory of 1268	740	Pb9dd0VC.exe	88
PID 740 wrote to memory of 1268	740	Pb9dd0VC.exe	88
PID 1268 wrote to memory of 2284	1268	BL4sU4GJ.exe	90
PID 1268 wrote to memory of 2284	1268	BL4sU4GJ.exe	90
PID 1268 wrote to memory of 2284	1268	BL4sU4GJ.exe	90
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 2284 wrote to memory of 2084	2284	1Mt19BO9.exe	91
PID 1268 wrote to memory of 4432	1268	BL4sU4GJ.exe	92
PID 1268 wrote to memory of 4432	1268	BL4sU4GJ.exe	92
PID 1268 wrote to memory of 4432	1268	BL4sU4GJ.exe	92

C:\Users\Admin\AppData\Local\Temp\9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe
"C:\Users\Admin\AppData\Local\Temp\9d0a8b0afa79db37dbe567f56af169f6ab02e6ce973136343ada62eb54580f78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qw3yG4lR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qw3yG4lR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\do1Sv5Ok.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\do1Sv5Ok.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pb9dd0VC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pb9dd0VC.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL4sU4GJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL4sU4GJ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mt19BO9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mt19BO9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TQ978oJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TQ978oJ.exe
        6⤵
        Executes dropped EXE
        
        PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qw3yG4lR.exe

Filesize
1.3MB

MD5
341488967341a386c73882ff2c5032bc

SHA1
b5ab7b498165f0c34ef2d9088852d5b954e0694b

SHA256
9d65593a9a386cfc9339b137224a1792799993451bcb75b85aa791e5cc8b8741

SHA512
b698b9bdb801a0c722e6f8e42a40f044f794362b909543e3ed5074e22c39ec3d7a19152e3736ae13107d549564a06746c3f9ada5db172e91eb25bfab779a17ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\do1Sv5Ok.exe

Filesize
1.1MB

MD5
d99b638b264a548df0b9cb257a608d81

SHA1
a5c7eb9255b217ab590fbdbf1aa7634b097ed0cc

SHA256
ce86552959fc22e30d0a7aff974fd5975ae5994eecb9139fdf6e2d2c907e88d3

SHA512
93f30dbba71d98136aa968582a05c7f7cafe4713dddf3d95cdb21c203fd00732bc0ad81e021c7e0b63b5f2dd9b8d6c6d95e6c416db2f579332c4839244fac051

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pb9dd0VC.exe

Filesize
759KB

MD5
fedb961ccf83ebda008b0e6fca014b50

SHA1
7f36728bdc104a115e92b032f1f8027f826e4fa0

SHA256
58316a55dced5c6e6fd578569668d63088aed4f76bd6ced19a66d6c0336bbe11

SHA512
5c891c780c5f33561254242b9d1e9eab7f3f9674e9eda071cfa09bd95c7b618f35483a7782ef4d2f21c4600c0ad98043a0f7634c1b8f07fe7d8f39f4742f78b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL4sU4GJ.exe

Filesize
563KB

MD5
74a0395b9773b1d2d2ac9702de02db55

SHA1
d6c90bd932b666d261d6f6127f9efe02f1529c5a

SHA256
fdf409e4b9afba1811fccc16c798180ca12c7b1501b60228a05c3d449aefef24

SHA512
a7b4b364a4b61c5bbccbf3d259cf649720bd21228fcb5b572ffdda582758c0989d2d72f34e89cad1a9e26a5011452adc3efdd7dda9bb10b3d9dc3ab85145ee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mt19BO9.exe

Filesize
1.1MB

MD5
0076a07f79543bedf3b4d4a68f030b26

SHA1
8ba9850b4b5aabb9bbe96a4eb5162677be30f66f

SHA256
9f2038b486ab98be401ab350faa34cbca920fef8870bc17bbf845b4d88aaac6c

SHA512
1fce42b52b77c6a96ca39678d1e68a7fe221c0af1eee43e4bab84897a8e6094a020c586a9c9329f1b280d31140703c97f751ac53ff1664a9076137b53fce5637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TQ978oJ.exe

Filesize
221KB

MD5
e7fc26b1385384a1af2e9f91db5f6a94

SHA1
e4ac2c59ca592037a3b53b7bea45d24866b699a8

SHA256
d16e8d02b3965baaba0a7e55aee055d634372b872d6570f00370cd444fb85944

SHA512
f0a47d7d80059b8801c582492dff7c6c76a02bc38bb09d250b7e083359fbaf2a21f8a340252062c76e6dcab383d7a2802fc9bd15de0d95292f200f1258996fdc

Download Submit
memory/2084-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-42-0x0000000000EF0000-0x0000000000F2E000-memory.dmp

Filesize
248KB

Download
memory/4432-43-0x0000000008140000-0x00000000086E4000-memory.dmp

Filesize
5.6MB

Download
memory/4432-44-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/4432-45-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/4432-46-0x0000000008D10000-0x0000000009328000-memory.dmp

Filesize
6.1MB

Download
memory/4432-47-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/4432-48-0x0000000007EB0000-0x0000000007EC2000-memory.dmp

Filesize
72KB

Download
memory/4432-49-0x0000000007F10000-0x0000000007F4C000-memory.dmp

Filesize
240KB

Download
memory/4432-50-0x0000000008090000-0x00000000080DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads