mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe
Size

761KB
MD5

aacb1084e9efa1204cedcaa63bcee7b0
SHA1

e3f44fc51f3e7aec444fdfbb8aaf26ab64ac2564
SHA256

f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad
SHA512

832e133e36ece38f5fa0c5d8efe52ef3ecccb60203c594d1f3ac34f44a11ddb59d318ca181d6381bc7811d0e28f798c856cfb8815a971d756326e0a89f55efff
SSDEEP

12288:8MrAy90hZQSIC7Euz5dfRIqgJCCQgsEdms5FrWHujZA1Db+1z+Yb0BPY:UyIZQS5EulXIqO5xZcmWOjZkDIzPb0g

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral20/memory/4984-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/4984-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/4984-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/4984-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x000700000002340c-20.dat	family_redline
behavioral20/memory/3368-22-0x0000000000BB0000-0x0000000000BEE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4440	ju2XK8Bx.exe
3560	1UG08wg5.exe
3368	2TE653sk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ju2XK8Bx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3560 set thread context of 4984	3560	1UG08wg5.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	4984	WerFault.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4440	1428	f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe	83
PID 1428 wrote to memory of 4440	1428	f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe	83
PID 1428 wrote to memory of 4440	1428	f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe	83
PID 4440 wrote to memory of 3560	4440	ju2XK8Bx.exe	84
PID 4440 wrote to memory of 3560	4440	ju2XK8Bx.exe	84
PID 4440 wrote to memory of 3560	4440	ju2XK8Bx.exe	84
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 3560 wrote to memory of 4984	3560	1UG08wg5.exe	88
PID 4440 wrote to memory of 3368	4440	ju2XK8Bx.exe	91
PID 4440 wrote to memory of 3368	4440	ju2XK8Bx.exe	91
PID 4440 wrote to memory of 3368	4440	ju2XK8Bx.exe	91

C:\Users\Admin\AppData\Local\Temp\f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe
"C:\Users\Admin\AppData\Local\Temp\f726f9f1096ec4de08baa4d02b85caf3855704f948bf62de21cebf55aa17c9ad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ju2XK8Bx.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ju2XK8Bx.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UG08wg5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UG08wg5.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 540
        5⤵
        Program crash
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE653sk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE653sk.exe
    3⤵
    - Executes dropped EXE
    PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4984 -ip 4984
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ju2XK8Bx.exe

Filesize
565KB

MD5
cd3188b0a2d2e711da7f704452482145

SHA1
e8d4232543335afda535a84b068b34fc1184c38e

SHA256
6184e4089e0efeef132909ff9c56ea1bd82229e8a04c0b27da5c39c2756b5141

SHA512
bed8d1e5ac16311cf9b5ad44adb7dab70d3cf2c3ae6871f0650834f6bffa938fff1963cebd0fedb22515e32dd0366cbbe38a402674b23fc51aba12fdc0cd11c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UG08wg5.exe

Filesize
1.1MB

MD5
de00104b4e77eea4e58281af59175f0c

SHA1
ab0d5e0969bc519d3d4e0caa7a9af1024cb17084

SHA256
294258caaa3d88496cd28970d46744941d9023a441e8cfcd816db7f0b0d764c1

SHA512
cb401bf5f322b9086fd84b170eb8e64379f6d5200668f5903098d35f5ca812e9e9045cd8c277af8ed5a438f9f2695fec24313ac0e31ee7db33d0ca0790b361ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE653sk.exe

Filesize
221KB

MD5
5f3d777c26f22df2cf57212a3ae42fe4

SHA1
23ddc795b39a9a840081c3e229c99d8f6121ddf0

SHA256
50655c7080a892f42544c472e72081c456e65437dd4277fcfc5ac2bdba668e63

SHA512
5b3e03cc0b0bda7f1a4d4a3a5ad93441abc337cbdf680e72634d7cc4509355067aebb70eecadbe41b64a46469cc03b3875a8e7f246f470a00c9b6dc699188241

Download Submit
memory/3368-23-0x0000000007E50000-0x00000000083F4000-memory.dmp

Filesize
5.6MB

Download
memory/3368-22-0x0000000000BB0000-0x0000000000BEE000-memory.dmp

Filesize
248KB

Download
memory/3368-24-0x0000000007940000-0x00000000079D2000-memory.dmp

Filesize
584KB

Download
memory/3368-25-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/3368-26-0x0000000008A20000-0x0000000009038000-memory.dmp

Filesize
6.1MB

Download
memory/3368-27-0x0000000008400000-0x000000000850A000-memory.dmp

Filesize
1.0MB

Download
memory/3368-28-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/3368-29-0x0000000007D10000-0x0000000007D4C000-memory.dmp

Filesize
240KB

Download
memory/3368-30-0x0000000007D50000-0x0000000007D9C000-memory.dmp

Filesize
304KB

Download
memory/4984-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads