mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe
Size

768KB
MD5

0bbee052c2354d201a7d39cdca4b6f85
SHA1

406a96d08c63096f8f116fd05c0b09cc78f61b0a
SHA256

f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542
SHA512

bc7e8fd8020ff79ac45c9c31545cc0a7ce203f75340d609f52261bff0d5c285b39c0ba5ceba4785ce256a59437964ccd43c55d7c853d4858408255fbaa0b1e21
SSDEEP

12288:iMr7y90zpu5JOahqQYq60RrSHVA2vJ4pBWi3HPuEgBLy7e67zh7:RyWpczYw/2vMBWWHPuEk2e67t7

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral19/memory/2496-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/2496-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/2496-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/2496-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x000700000002342c-20.dat	family_redline
behavioral19/memory/4520-22-0x0000000000440000-0x000000000047E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1548	rg8fU9BA.exe
4976	1id65tZ7.exe
4520	2wu481bX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rg8fU9BA.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4976 set thread context of 2496	4976	1id65tZ7.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2716	2496	WerFault.exe	90
4376	4976	WerFault.exe	84

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1548	4332	f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe	83
PID 4332 wrote to memory of 1548	4332	f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe	83
PID 4332 wrote to memory of 1548	4332	f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe	83
PID 1548 wrote to memory of 4976	1548	rg8fU9BA.exe	84
PID 1548 wrote to memory of 4976	1548	rg8fU9BA.exe	84
PID 1548 wrote to memory of 4976	1548	rg8fU9BA.exe	84
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 4976 wrote to memory of 2496	4976	1id65tZ7.exe	90
PID 1548 wrote to memory of 4520	1548	rg8fU9BA.exe	96
PID 1548 wrote to memory of 4520	1548	rg8fU9BA.exe	96
PID 1548 wrote to memory of 4520	1548	rg8fU9BA.exe	96

C:\Users\Admin\AppData\Local\Temp\f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe
"C:\Users\Admin\AppData\Local\Temp\f1cfe53024b51863e86f65b542899f29902cf448eed0ef609d8fa925d11e3542.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rg8fU9BA.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rg8fU9BA.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1id65tZ7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1id65tZ7.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 196
        5⤵
        Program crash
        
        PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 568
      4⤵
      Program crash
      PID:4376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wu481bX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wu481bX.exe
    3⤵
    - Executes dropped EXE
    PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rg8fU9BA.exe

Filesize
573KB

MD5
d88ae3bbeff227aac95748a79d68d336

SHA1
6d7726029ca52fc65098ce91ad68dc4f1a8714c8

SHA256
61720c7c7d5e70c201edbc1012861e48076b80ca0f8668616d9b96886ab74216

SHA512
0baf4ec1ed07d46d45e42afb5302c6e59ea9c9a615a7b5d1b292eff5067037b248a4731863a5bbcb8563be43de041aa4395988a99d08ab55af2aa293bcc1bf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1id65tZ7.exe

Filesize
1.1MB

MD5
440018b78c90248bfa6a3abeb81e99e9

SHA1
af71136d25bea56da10ddba0bc4fffd802b1c345

SHA256
4e09e3f416ea5031dcb0c6d22309b9c08eea41c06c70e9c208a04767da3fbebd

SHA512
80442b425de28c0d23dd403e2da7dd5254fb8f48e38ef5aa279a40c4c46e9d299cbf18d01818cb27e29d2b75921d2fffdf5e08e5624c0acda508a11c1dfeee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wu481bX.exe

Filesize
223KB

MD5
9ea308e94d12f149ec380bd39e913310

SHA1
c312efa6b84d250a576d550230c90db1cc985b96

SHA256
e9c2cba63c348db03fe2e6a0fdc718a9b4a62e07c7e38fe2c76888804dfd6255

SHA512
31f3e93ea2e71dab0f35a14a1d545911ae2d4b442115c73afc77fb994251ca3b751dcd3d073faf30b1e6b70e5ed0e39abcfc852fd09664e1f0ccc3fbd08b1a6d

Download Submit
memory/2496-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-23-0x0000000007710000-0x0000000007CB4000-memory.dmp

Filesize
5.6MB

Download
memory/4520-22-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/4520-24-0x0000000007200000-0x0000000007292000-memory.dmp

Filesize
584KB

Download
memory/4520-25-0x0000000002670000-0x000000000267A000-memory.dmp

Filesize
40KB

Download
memory/4520-26-0x00000000082E0000-0x00000000088F8000-memory.dmp

Filesize
6.1MB

Download
memory/4520-27-0x00000000075C0000-0x00000000076CA000-memory.dmp

Filesize
1.0MB

Download
memory/4520-28-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/4520-29-0x00000000074B0000-0x00000000074EC000-memory.dmp

Filesize
240KB

Download
memory/4520-30-0x0000000007440000-0x000000000748C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads