mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe
Size

769KB
MD5

6ad5acba9fac115f556dd12719ff1ecc
SHA1

e5d3c8919857d1b053d68ee513361499abe964ca
SHA256

f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402
SHA512

d0e325d4d94240f220c01c4f5af333d9aa9e8619f8d0519985de51a7ac447c8e6a5ec2cdb83ee476bf419b47021327412ad3d0396bf42f254e5f18fb13f3414e
SSDEEP

24576:jyOEMwZw45iGlA0erOKdEsDoAopUz7F98HY2QgL:2OnwZViGlLJKEMopUz7FSd

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral18/memory/4224-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/4224-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/4224-17-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/4224-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023450-20.dat	family_redline
behavioral18/memory/2944-22-0x00000000001A0000-0x00000000001DE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1248	iT0tJ5oO.exe
4496	1oL28Co3.exe
2944	2QX857Rl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iT0tJ5oO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 4224	4496	1oL28Co3.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1196	4224	WerFault.exe	88
2988	4496	WerFault.exe	84

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1248	4724	f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe	83
PID 4724 wrote to memory of 1248	4724	f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe	83
PID 4724 wrote to memory of 1248	4724	f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe	83
PID 1248 wrote to memory of 4496	1248	iT0tJ5oO.exe	84
PID 1248 wrote to memory of 4496	1248	iT0tJ5oO.exe	84
PID 1248 wrote to memory of 4496	1248	iT0tJ5oO.exe	84
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 4496 wrote to memory of 4224	4496	1oL28Co3.exe	88
PID 1248 wrote to memory of 2944	1248	iT0tJ5oO.exe	94
PID 1248 wrote to memory of 2944	1248	iT0tJ5oO.exe	94
PID 1248 wrote to memory of 2944	1248	iT0tJ5oO.exe	94

C:\Users\Admin\AppData\Local\Temp\f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe
"C:\Users\Admin\AppData\Local\Temp\f1c0aed941c5429f8f293ac0efea5efc12bafcadd77be2033716f222b3f38402.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT0tJ5oO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT0tJ5oO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1oL28Co3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1oL28Co3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 540
        5⤵
        Program crash
        
        PID:1196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 592
      4⤵
      Program crash
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2QX857Rl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2QX857Rl.exe
    3⤵
    - Executes dropped EXE
    PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4224 -ip 4224
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4496 -ip 4496
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT0tJ5oO.exe

Filesize
573KB

MD5
224ea300f5dd18ce530f98eb77989c94

SHA1
ebb2ca55ddc9bf97893bf963e4de00273a39a02b

SHA256
dc2563ee1adfe2acb1b1f7e6e5212905db52b9cb8a2e87096fbec6b7c7279e54

SHA512
e39b2a4d4d95b21f7baf57cc7fe9b27661ed2b28b61c5bae6aea22085dad1043b43709292b1270472943c51ac693aaa365e475f25e572a799790ce9b6bb65927

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1oL28Co3.exe

Filesize
1.1MB

MD5
d9e3bb4ce0427b7ed5f0444cba4a8e47

SHA1
c2ca8fc2fb9f1c23e14bb34ca8313fe9d254c390

SHA256
8a04babc0d0b8016573431db1657411de13083bfedc7a46c7ed05b330d17bd00

SHA512
eba07b5eedae8bca74ea66e232c34550750e8dd27f9be2ea5496655479a9e62107718ad1c4dde491a0cfc48f2ec59e4b348ade8ccdb62c27d22ec6ad87efd92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2QX857Rl.exe

Filesize
223KB

MD5
997cce05d305f92c2944f051149668a6

SHA1
3440d9dd863ddf69d0fc66298c6d79ac753f8a3c

SHA256
ce1096c0fa993305f41eda19ec7779c7946ac367145337d4988b15e7e1ecb267

SHA512
f1280b5affbcb021ec83face32ad44b9181d8477002ac5e3c8ee268e7dcd4ae86e903eaab267cc174405d081b830f82c8ca4184d1b6501800d206d702cdb4a40

Download Submit
memory/2944-27-0x0000000007390000-0x000000000749A000-memory.dmp

Filesize
1.0MB

Download
memory/2944-22-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/2944-23-0x0000000007580000-0x0000000007B24000-memory.dmp

Filesize
5.6MB

Download
memory/2944-24-0x00000000070B0000-0x0000000007142000-memory.dmp

Filesize
584KB

Download
memory/2944-25-0x0000000004660000-0x000000000466A000-memory.dmp

Filesize
40KB

Download
memory/2944-26-0x0000000008150000-0x0000000008768000-memory.dmp

Filesize
6.1MB

Download
memory/2944-28-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/2944-29-0x0000000007300000-0x000000000733C000-memory.dmp

Filesize
240KB

Download
memory/2944-30-0x0000000007340000-0x000000000738C000-memory.dmp

Filesize
304KB

Download
memory/4224-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads